PURPOSE
Pacific University has adopted this Security Evaluation Policy and the accompanying procedures to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit, as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other applicable regional or local laws and regulations.
University colleges, schools, and departments should follow these procedures to comply with the Information System Security Evaluation Policy, Policy Number POL-UIS4515.
PROCEDURE
Evaluations will include reasonable and appropriate activities, such as:
- A review of Pacific University’s security policies and procedures to evaluate their appropriateness and effectiveness at protecting against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of Protected Data.
- A gap analysis to compare Pacific University’s security policies and procedures against actual practices.
- An identification of threats and risks to Protected Data and systems containing Protected Data.
- An assessment of Pacific University’s security controls and processes as reasonable and appropriate protections against the risks identified for systems containing Protected Data.
- Testing and evaluation of Pacific University’s security controls and processes to determine whether they have been implemented properly and whether those controls and processes appropriately secure Protected Data. An authorized workforce member or external third party may be designated to conduct the testing.
The evaluation process and results will be documented in a report that is provided to the Chief Information Security Officer or designee and, as requested, to Pacific University’s Privacy Officer or designee.
Pacific University’s Chief Information Security Officer shall retain Pacific University’s documentation, including the risk assessment tools and work plans, for a six-year term from the date of creation or the date last in effect, whichever is later.
Pacific University has adopted this evaluation policy to safeguard Pacific University’s data. To the extent technically possible, Pacific will ensure evaluations of all applicable policies and their implementations conform to federal regulations.