Thought that the CSSA would have an interest in the development of these 
university policies and procedures.

-------- Original Message --------
Subject: Information Security Policy & Procedures; Privacy Policy and 
Date: Tue, 13 Sep 2011 08:07:12 -0400
From: David Todd <[log in to unmask]>
Reply-To: Technology Discussion at UVM <[log in to unmask]>
Organization: University of Vermont
To: [log in to unmask]

Dear Colleagues,

     As you know, we've been developing an information security and 
privacy policy for several years, and you'd reviewed earlier drafts.  
With the designation of UVM's Chief Privacy Officer, it made more sense 
to separate the two policies, and over the summer, we completed that 
work.  We also standardized terminology, eliminated duplicated text, and 
clarified language.  The contents of the two policies/procedures are 
very much like what you've already reviewed, but they're now separated 
as two brief policies and two detailed procedure documents.  The 
procedures are explicitly "included by reference" and so have the full 
weight of the policies themselves, but they separate implementation 
details from policy intention.

     With the increasing risks of exposed information and resources in 
this Internet age, it's clear that the University needed to address 
information and privacy issues through formal policy and procedure 
declarations.  But you're probably also aware that we were strongly 
motivated by repeated annual recommendations from external audit reports 
to the Board and by the requirement by PCI DSS (Payment Card standards) 
to have such a policy to satisfy credit-card companies.  The posting of 
these as interim policies will permit us to comply with PCI DSS and 
respond to auditors' recommendations, but they'll also give us all a 
firm starting point for evolving information policies and procedures as 
we gain experience in their use.

     These have been posted as Interim Policies, approved by the 
President, and they have been circulated to University governance groups 
for further comment (earlier versions had already been reviewed). I 
encourage you to browse through them (well, read the policies; browse 
the procedures) and make notes or comments as suggestions for improving 
future versions of the policies.  You may direct your comments and 
suggestions to me or to Gary Derr.