Information Security and Privacy Program
Information Assets and Information Technology (IT) Resources are valuable and essential to furthering the mission of Purdue University. Administrative, technological, and physical safeguards are required to protect these assets to support our mission, to meet our legal and regulatory obligations, and to preserve privacy.
Support Purdue’s mission by protecting the confidentiality, integrity and availability of Information Assets and Information Technology (IT) Resources.
- Align the information security organization’s efforts to advance the University mission of discovery, learning and engagement while supporting privacy, legal and regulatory obligations
- Partner with stakeholders as trusted advisors and enablers in the acquisition or development and configuration of technologies to further protect the security and resilience of IT Resources and Information Assets consistent with related policies, procedures, and guidelines
- Approach security from a risk management perspective
- Promote organizational awareness of information security responsibilities and affect behavior through awareness and training
- Collaborate with community organizations and other educational institutions to increase awareness of the threat landscape and protections with increased insight, outreach, and sharing of cybersecurity information
- Promote proactive and adaptive processes with a commitment to continuous improvement
- Evolve security strategies, standards and procedures to maintain relevance to changes in business processes, technologies, laws and regulations, or identified risks
The Information Security and Privacy Program Components
The Information Security and Privacy Program components are based upon safeguards provided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and are aligned with strategies to advance Purdue University’s mission and support privacy, legal and regulatory obligations. The Framework guides Purdue’s information security program by incorporating its core functions of Identify, Protect, Detect, Respond and Recover to address current strategic priorities, with the understanding that there is room to mature those functions and strengthen others as risks evolve.
The NIST Cybersecurity Framework maps to supporting controls identified in NIST SP 800-171 Protecting Unclassified Information in Nonfederal Information Systems and Organizations. Additional guidance for IT Resource Owners for secure configuration of systems is supported by the Center for Internet Security (CIS) resources.
What You Need to Know
All individuals who use, have access to, or provide technical support for University Information Assets and IT Resources have responsibilities for maintaining the confidentiality, integrity, and availability of these assets. The Secure Purdue website provides the following information and resources to help you:
- understand your responsibilities as a data user, or as an IT Resource Owner, in supporting security through Purdue IT Policies and Standards;
- use the NIST Cybersecurity Framework and the associated controls resources found in NIST SP 800-171, as well as the Center for Internet Security (CIS) Controls, when securing University IT Resources as an IT Resource Owner;
- understand University compliance programs such as HIPAA, GLBA, copyright laws, SSN handling;
- know security tips and best practices to protect your computer, data and personal information;
- appropriately handle University data based on classification;
- protect University IT Resources and Information Assets with vulnerability management services and software downloads;
- report a security incident;
- set up authentication services, Purdue Career Account, two-factor authentication through tokens, or InCommon Federation services;
- request a security risk review of new IT solutions or services prior to purchase or upon a renewal of an existing solution;
- request a security policy exception only when complying with policy affects business objectives and the cost to comply offsets the risk of non-compliance.