About Information Security Office

Mission Statement: The mission of the Information Security Office is to safeguard the confidentiality, integrity and availability of information systems, identity and data assets by providing proactive security expertise, creating and maintaining a resilient and secure infrastructure and fostering a culture of security awareness and compliance throughout the organization.  


Core Functions


Security Governance
:
 The Information Security Office (ISO) works in cooperation with many committees throughout the University to ensure the appropriate security actions are taken to protect the institution without undermining the ability of the institution to function effectively and efficiently.  Some of the committees the ISO leads or regularly collaborates with include the Faculty Senate, Clinical Research Electronic Data Committee, HIPAA Steering Committee, Health Information Integrity Committee, Information Technology Leadership Council, Compliance and Risk Managers Council, PCI Steering Committee and the Academic Computing Advisory Committee.  The ISO is responsible for annually publishing a Strategic Security Plan that serves as an input into the strategic planning and budgeting process for UMIT and the institution about UM's security priorities based upon risk.


Policy Management:  The Information Security Office (ISO) works with a broad range of stakeholders throughout the organization to define, document, approve, publish, and create awareness about UM's information technology policies, procedures and work practices.  ISO also facilitates the process of policy exception management, compliance verification, and adherence to the policy on policies for update cycles and approval workflow.  


Awareness and Education:  The Information Security Office (ISO) is responsible for delivering relevant information security knowledge to defined, targeted audiences throughout UM to raise awareness of risks and influence behavior so that the likelihood of those risks is minimized.  The methods used to create this awareness include computer-based learning modules, institution-wide "Messages From the CISO", IT newsletter articles, the annual Cybersecurity Conference in October, departmental and one-on-one in-service training, webinars, and videos.


Identity and Access Management:  Technical and operational responsibility for the systems that manage UM's user identity data, and authentication belongs to the UMIT Infrastructure team, but the  governance, exception process, and project prioritization of identity initiatives is the responsibility of the Information Security Office. The CISO serves as the University of Miami's InCommon Executive Sponsor and TIER representative.  


Vulnerability Management:  The Information Security Office (ISO) identifies, assesses and tracks resolution of security weaknesses throughout the institution.  The responsibility for actually remediating vulnerabilities rests with the UMIT Infrastructure and Applications units.  The vulnerability assessment process is a function of regular vulnerability scanning, penetration testing, Security Incident Event Management (SIEM) log analysis, risk assessments and targeted IT security assurance audits. 


Risk Assessment:  The Information Security Office is responsible for conducting security reviews and risk assessments of IT-related purchases, projects, vendors, and contracts.  The ISO works within the procurement approval cycle to assess and approve exceptions to UMIT supported products and services.  The primary instrument used to initiate these security reviews is the IT Security Questionnaire (include url for IT Security Assessment Questionnaire).  The ISO also coordinates risk assessments involving some aspect of the UMIT environment including HIPAA/MU risk assessments, year-end financial audits and incident-specifc third-party security investigations and consulting engagements as the need arises. The ISO produces an annual security assurance audit plan for UMIT Executive Team approval to evaluate the adequacy and effectiveness of of controls and procedures designed to protect critical, high-value IT systems and assets.  


Regulatory Compliance:  The ISO works closely with various operating units at UM meet their regulatory compliance and attestation obligations related to FERPA, GLBA, PCI-DSS, FISMA, HIPAA, FDA CFR 21 Part 11, and Red Flag.  The ISO collaborates with departments in developing system security plans, quality control guidance, and system validation for FDA 21 CFR Part 11 and monitors adherence to established policies and procedures. 


Incident Response:  The Information Security Office oversees the UMIT incident response program and orchestrates each incident response declaration from inception through resolution and post incident review. When an incident is detected, the ISO identifies the appropriate incident handler(s) and coordinates the resources needed, external or internal, to address the threat.  The ISO guides each incident response from a best practice perspective and ensures post incident reviews are conducted to examine root causes, evaluate the quality of the response, and determine if remedial action is necessary. In terms of the overall incident response program, the ISO coordinates incident response training to develop the appropriate skill sets throughout all the UMIT disciplines to respond to various threats as they arise.  


Business Continuity and Disaster Recovery Management:  The Information Security Office ensures that all BC/DR plans are documented and periodically tested.  During these tests, the ISO monitors all failures are ensures they are remediated and any deficiencies are formally addressed in a timely fashion.  In the case of an actual declaration, responsibility for executing the BC/DR plan(s) belong to the respective operating units within UMIT and the institution.    The ISO also is responsible for regularly updating the Business Impact Analysis report that ranks the criticality of all UMIT applications and services along with an RPO (recovery point objective) and RTO (recovery time objective).