The Information Assurance (IA) team at the University of Chicago is responsible for supporting the University’s governance, enterprise risk management, and regulatory compliance objectives when they relate to IT risk.
We collaborate with:
- Security Operations
- the Office of Legal Counsel
- the Office of Risk Management, Compliance, and Internal Audit
- Researchers, Unit IT, and other organizations
to ensure that University Information Security policies are developed, revised, and complied with. We partner with University Research Administration to enable critical research in compliance with lending institutions' requirements and federal regulations.
The IA team’s charge is data protection. IA advocates for the secure use, storage, and disposal of research and administrative data. IA strives to meet regulatory requirements in a flexible and responsive manner, so that research is not disrupted and administrative work is efficient. IA preemptively surfaces risk to leadership so that leadership can make conscious and informed business decisions about the risks implicit in their existing and new systems.
This work can be divided into the following key responsibilities:
- Developing federated Information Security Training – targeted cybersecurity training for administrative, research, and privileged users
- Developing assurance measurement and certification strategies using the NIST Cybersecurity Framework, 800-53, 800-171, HIPAA Security and Privacy, etc. as required
- Strengthening University research security through reviewing Data Usage Agreements (DUAs), grant security requirements, and contracts
- Providing internal and external audit support
- Conducting third-party risk assessments, negotiating vendor contracts, and conducting vendor, plugin, and add-on risk reviews
- Conducting governance and risk consultations to ensure that existing systems do not accrue unacceptable levels of risk
- Ensuring University compliance with the Digital Millennium Copyright Act (DMCA)
- Assisting the Bursar’s Office with Payment Card Industry Data Security Standard (PCI-DSS) compliance management