Risk/Controls Assessment
Documents for Developing an Effective Information Security Program
Operations at Hopkins are decentralized, and therefore security is also decentralized. Certain components of information security are centrally managed -- most notably network security, JHED/Siteminder, telecommunications, central data center operations and internal audit. Yet in almost every other respect, departments and entities manage their own IT operations and security. This has the advantage of integrating security into overall management, yet it may come at the cost of consistent institutional security standards and procedures. The ICSC and CISO have therefore made available several IT resources:
- Johns Hopkins Information Technology Policies – it all begins here. The ICSC has made every effort to distill information technology use and security policies into one relatively short and readable document. These policies cover many kinds of information and systems, with specific emphasis on those that are sensitive -- what the policies call "Restricted." The Johns Hopkins HIPAA Security Policies are somewhat longer than the overall IT policies; they respond specifically to provisions in the HIPAA Security Rule.
- Johns Hopkins Risk/Controls Questionnaire for Restricted Systems – This Questionnaire distills security issues facing application owners and is not meant to be a comprehensive controls assessment. We recommend that application and systems owners consult appropriate standards (e.g. Encryption, Database, Project Management) to ensure that detailed security controls are in place. This document is also appropriate for researchers evaluating complex research systems with Restricted information.
- Information Technology Standards – the ICSC drafts and approves standards for many areas of technology. IT professionals should use approved and draft standards as guidance for systems deployments.
- Johns Hopkins Vendor Security Checklist – this document provides an overview of security features to look for when purchasing a third-party product or negotiating a contract. It can be used in tandem with the Application Questionnaire for guidance on implementation issues. For applications hosted by third parties, you may want to use the Vendor Hosted Application Checklist, which follows the structure of the Vendor Security Checklist but also includes questions related to managed data security.
For questions and comments, contact itpolicy@jhu.edu.