Security consultations help you understand the risks of data management, how security controls should be implemented to meet compliance and risk requirements, and how to choose the appropriate IT infrastructure for a project.
Electronically stored academic, administrative, and research information is a critical University resource. All University units are required to use enterprise email, web services, and network firewalls. These Enterprise Security Controls help protect University data and significantly reduce security vulnerabilities. See the Enterprise Security Controls Policy for additional information about these requirements.
Developed in response to compliance requirements, the Vulnerability Management program helps University units implement robust vulnerability management processes and procedures. It enables units to quickly identify and mitigate risks to University data and systems, and it ensures Pitt remains in compliance with applicable laws and regulations.
A security consultation is a discussion between your team and Pitt IT Security with the goal of helping your team understand the risks of processing, storing, and transmitting University data. During a consultation, Pitt IT Security will ask questions to develop a risk profile, such as:
The questionnaire provides Pitt IT Information Security with the information to understand the product or services that the vendor will provide to the University. It also defines the assessment scope, identifies the University’s potential risk, and collects the vendor’s contact information.
A system security plan is a formal document that provides an overview of a system's security requirements and describes the security controls in place (or planned) for meeting those requirements. System security plans are helpful because they are a documented guide for implementing adequate security controls based on compliance requirements, such as the HIPAA Security Rule, and on the risk associated with the data.
The University of Pittsburgh takes seriously its commitment to protecting the privacy of its students, alumni, faculty, and staff and protecting the confidentiality, integrity, and availability of information essential to the University's academic and research mission. For that reason, we classify our information assets into risk categories to determine who may access the information and what minimum security precautions must be taken to protect it against unauthorized access.
The primary function of security architecture is to design, document, and communicate the components of a security program in a consistent manner. As such, the primary outcome of security architecture is a well-defined strategy that connects business drivers with technical implementation guidance.
Any University unit that collects credit card information must have security controls in place that comply with the Payment Card Industry Data Security Standard ("PCI DSS").
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions.
The University's information security policies and procedures