Thought that the CSSA would have an interest in the development of these university policies and procedures.

-------- Original Message --------
Subject: Information Security Policy & Procedures; Privacy Policy and Procedures
Date: Tue, 13 Sep 2011 08:07:12 -0400
From: David Todd <[log in to unmask]>
Reply-To: Technology Discussion at UVM <[log in to unmask]>
Organization: University of Vermont
To: [log in to unmask]


Dear Colleagues,

    As you know, we've been developing an information security and privacy policy for several years, and you'd reviewed earlier drafts.  With the designation of UVM's Chief Privacy Officer, it made more sense to separate the two policies, and over the summer, we completed that work.  We also standardized terminology, eliminated duplicated text, and clarified language.  The contents of the two policies/procedures are very much like what you've already reviewed, but they're now separated as two brief policies and two detailed procedure documents.  The procedures are explicitly "included by reference" and so have the full weight of the policies themselves, but they separate implementation details from policy intention.

    With the increasing risks of exposed information and resources in this Internet age, it's clear that the University needed to address information and privacy issues through formal policy and procedure declarations.  But you're probably also aware that we were strongly motivated by repeated annual recommendations from external audit reports to the Board and by the requirement by PCI DSS (Payment Card standards) to have such a policy to satisfy credit-card companies.  The posting of these as interim policies will permit us to comply with PCI DSS and respond to auditors' recommendations, but they'll also give us all a firm starting point for evolving information policies and procedures as we gain experience in their use.

    These have been posted as Interim Policies, approved by the President, and they have been circulated to University governance groups for further comment (earlier versions had already been reviewed).  I encourage you to browse through them (well, read the policies; browse the procedures) and make notes or comments as suggestions for improving future versions of the policies.  You may direct your comments and suggestions to me or to Gary Derr.

David