The UNLV Information Security Office is structured to follow the International Organization for Standarization ISO 17799/27001 security standard. This standard contains best practices in policy and procedures for the following areas of information security management:
- Risk Assessment and Treatment
- Security Policy
- Asset and Acceptable Use Management
- Student and Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
The following services are offered by the Information Security Office:
- Security Organization Liaison with: Law enforcement, other universities, and other external groups.
- Policy Development & Initiatives:
- Formal InfoSec Rules: Policy research, preparation, and periodic review.
- InfoSec Training & Awareness: research, preparation, assistance, delivering and evaluation of security awareness programs.
- University Liability or Risk Protection:
- Contextual Misuse & Liability: address issues of trademarks and copyrights (Digital Rights Management), defamation, privacy, libel, slander, and misuse.
- Cyber crime: address issues of incidental computer use and use of computers to commit a crime.
- Digital/Cyber Investigations & Digital Forensics.
- Regulatory Compliance: address the issues of State, Federal and local regulations, statutes, and codes for digital information protection and use.
- Security Auditing: auditing of organizational compliance of policies, procedures and practices including effectiveness.
- Alerts & Advisories:
- Monitoring and evaluation of external alerts.
- Issue internal security alerts for systems, networks, and applications.
- Incident Handling: monitoring, performing and assisting in response to security incidents.
- Security Advisory/Consulting: service or assistance to other University organizations.
The Office also works with other units on aspects of:
- Risk Management:
- Risk Analysis: examining all of the potential threats and risks against an asset, assigning a severity factor, and determining a method, level and cost of protection
- Physical Security: examining the physical security requirements for IT facilities and personnel work areas.
- Asset Management: examining IT assets for types of information, assigning a classification, and criticality of the information.
- Computer Security Operation (SOC services):
- Access Security: monitoring online, remote and wireless access to systems and networks.
- Incident Response: monitoring and providing first response to security incidents.
- Intrusion Protection: monitoring technology and effectiveness.
- Perimeter Security: monitoring technology and effectiveness.
- Security Planning: systems, networks, and applications.
- Security Technology & IT Procurement: application of security requirements and evaluations.
- System Security: monitoring technology and effectiveness.