Operations at Hopkins are decentralized, and therefore security is also decentralized. Certain components of information security are centrally managed, most notably network security, JHED/Siteminder, telecommunications, central data center operations and internal audit. Yet in almost every other respect, departments and entities manage their own IT operations and security. This has the advantage of integrating security into overall management, but it may come at the cost of consistent institutional security standards and procedures. The ICSC and CISO have therefore made available several IT resources:

1. Johns Hopkins Information Technology Policies – it all begins here. The ICSC has made every effort to distill information technology use and security policies into one relatively short and readable document. These policies cover many kinds of information and systems, with specific emphasis on those that are sensitive, what the policies call "Restricted."

2. Johns Hopkins HIPAA Security Policies – somewhat longer than the overall IT policies, these respond specifically to provisions in the HIPAA Security Rule. Until 2007, these policies were principally addressed in the HIPAA Workbook. If a Covered Entity completes the instruments below, it is unnecessary to complete a HIPAA Workbook.

3. Johns Hopkins Institutional Risk/Controls Assessment – this document is designed for full-service IT organizations or those providing a variety of services (e.g. server hosting, database maintenance, client administration, etc.). The Assessment comes directly from NIST's primary controls document, Special Publication 800-53 (Annex 3): http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-annex3-sz.pdf. NIST prepared this for use by civilian government organizations, and it provides a thorough account of general information security controls. Any department or entity that supports several dozen or more users, Restricted systems, network or server closets, or a data center should complete this instrument. We strongly recommend that the NIST SP 800-53 standard be used as a guide when completing the Assessment.

4. Johns Hopkins Risk/Controls Questionnaire for Restricted Systems – this is a much shorter version of the risk assessment above and is geared to application owners and managers. A department or entity may have one 800-53 Assessment accompanied by as many of these questionnaires as there are at-risk applications or Restricted systems. This Questionnaire distills the security issues facing application owners and is not meant to be a comprehensive controls assessment. We recommend that application and systems owners consult the appropriate standards (e.g. Encryption, Database, Project Management) to ensure that detailed security controls are in place. This document is also appropriate for researchers evaluating complex research systems that hold Restricted information.

5. Information Technology Standards – the ICSC drafts and approves standards for many areas of technology. IT professionals should use approved and draft standards as guidance for systems deployments. They should also look to NIST (http://csrc.nist.gov/publications/nistpubs/index.html), the NSA (http://www.nsa.gov/snac/) and other academic institutions for guidance on specific security matters.

6. Johns Hopkins Vendor Security Checklist – this document provides an overview of the security features to look for when purchasing a third-party product or negotiating a contract. It can be used in tandem with the Application Questionnaire for guidance on implementation issues.

7. User Awareness Materials – user security awareness materials have been developed in written form and for use in an on-line presentation, for release in the summer of 2007. NIH maintains a number of resources that might also be useful: http://irm.cit.nih.gov/security/security-communicating.htm

8. Technical Training – a PowerPoint presentation with supporting materials has been created for general use. The presentation is a brief course on technical security. A PowerPoint version can be requested at the e-mail address below. NIH has some useful materials as well.

9. Project Management Guidance – IT@JH has set forth a high-level project management methodology for use by any department. In the summer of 2007, a project management Web page will be published with associated templates, guidance and revisions.

For questions and comments, contact itpolicy@jhu.edu.