Information Security Program Charter
August 2020
Purpose
Northeastern University is committed to maintaining the integrity and security of records and information created, received, maintained and/or stored by the university in the course of carrying out its academic and research missions. The information encompassed by Northeastern’s information security program includes, but is not limited to, student education records, employment records, financial information, research data, alumni and donor information, operational data, university intellectual property, and other data relating to Northeastern’s infrastructure, technology resources and information security.
The university recognizes that such data constitute valuable information assets which it has an obligation to use and protect in a way that respects individual privacy, safeguards the confidentiality, integrity, and availability of these information resources and complies with applicable laws, government regulations, and contractual obligations. The improper use of such information; the unauthorized or inadvertent disclosure, alteration, or destruction of information assets; or a significant interruption in the availability of records, can disrupt Northeastern’s ability to fulfill its mission. Such actions can also result in regulatory, legal, financial and/or reputational risk to Northeastern and to the individuals and organizations whose data Northeastern maintains.
This Charter is intended to establish the foundation for the university’s security program and its strategic goals. It sets forth the principles underlying the university’s and members of the Northeastern community’s responsible use of information; broadly outlines the roles and responsibilities related to overseeing university programs designed to manage and safeguard university information assets while protecting individual privacy; and summarizes the governance structure.
Underlying Principles
Information security and privacy protection serve as the cornerstones by which the university demonstrates its appropriate stewardship of the data entrusted to it. The hallmark of a successful information security program involves not only the protection of university data and systems but also the appropriate safeguarding of personal privacy.
Information security program efforts should consistently evidence a commitment to and support of the core mission and principles of the University.
Roles and Responsibilities
All members of the Northeastern community have a responsibility to help see that Northeastern’s information assets are used only in the proper pursuit of the University’s mission and that the confidentiality, integrity and availability of Northeastern’s information is maintained, regardless of where it is processed or stored.
Colleges and departments are responsible for establishing local security and privacy mechanisms in compliance with university policies and guidelines to protect data, systems, and networks, and implement security- and privacy-related controls, and to cooperate with the Office of Information Security in responding to incidents.
Information security and data privacy officials are charged with assisting and supporting members of the Northeastern community in meeting these responsibilities and strengthening accountability, through the information security program, as follows:
- The vice president of information technology and chief information officer (CIO) is responsible for identifying and delegating the responsibility for information security and selection and implementation of suitable technology to safeguard university data assets. In addition, the CIO provides input and oversight of security policies, standards and guidelines; oversees incident response as necessary, and reports periodically to the University President and Provost as well as the Board of Trustees on matters of Information security.
- The chief information security officer (CISO) is charged with overseeing the Northeastern information security program and university efforts to preserve the confidentiality, integrity, and availability of Northeastern’s digital assets, and the University network, systems, and data. This includes coordinating university security-related activities; developing and implementing proactive technical and non-technical measures to help detect and prevent security risks; establishing policy, standards and guidance; and providing or coordinating effective incident response when necessary.
- The CISO, in coordination with the Office of General Counsel, is charged with overseeing the Northeastern privacy program and is responsible for developing an overall privacy framework to: 1) establish governance, implementation, and accountability structures across the university with respect to privacy; 2) promote compliance with applicable privacy laws and regulations as well as Northeastern’s privacy-related policies and procedures; 3) raise awareness about privacy risks and how to mitigate those risks; and 4) provide effective incident response when necessary.
Security and Privacy Steering and Governance
The Data Governance Council (DGC) has been established to provide input, support, and guidance to the information security program and the Privacy program. The Data Governance Council reports to the Information Technology Council. The Security Operations Council will provide a forum for university IT leaders and practitioners to collaborate on information security and privacy issues and practices, providing strategic direction and guidance to the university information security program and ensuring that its practices are aligned with the University’s agreed upon security framework and responsive to the needs of the research, teaching, and administrative communities.
Information security and privacy operating principles and program requirements will be implemented in part through university and local policies that may be recommended or developed by the Data Governance Council and the Security Operations Council to address data stewardship, governance, legal requirements and best practices.