OFFICE OF THE CIO: CYBERSECURITY, DATA PRIVACY, & POLICY

Information Technology Services

IT Enterprise Security is a responsibility shared by the University’s faculty, staff, and students. All members of the University are responsible for the protection and integrity of the University’s data and network. All members of the University’s community are tasked with understanding and adhering to the University’s policies, and complying with best practices as established by the University’s Enterprise Security Office. The Enterprise Security Office maintains a list of policies and practices designed to protect the confidentiality and integrity of the University’s data while maintaining the availability of that data.

Cybersecurity

The Information Technology Services Enterprise Security team is responsible for overseeing the University of Kentucky’s network security; establishing required minimum security standards for handling the University’s data and information; overseeing technology policy; managing information security training and awareness; and handling information security incidents.

Data Privacy & Policy

In collaboration with other units, ITS develops enterprise-level IT policies that support the efforts of the University’s students, faculty, staff, and strategic plan while upholding the mission of the University of Kentucky. ITS will also provide IT policy consultation to any unit, as requested. ITS has launched a new IT Security & Policy Advisory Committee to review and form appropriate IT Security practices.

Disaster Recovery & Risk Management

Disaster Recovery is something that should be considered by everyone who administers any shared systems at the University of Kentucky. It is essential to have plans in place to ensure our business viability is not at risk from a critical incident. A DR plan is designed to mitigate the risk of system and service unavailability by providing written and cost-effective contingency solutions.
Defining the criticality and timeliness of recovering our services is imperative to building an effective long-range Business Continuity strategy. The end goal is to be prepared for any incident that may prevent continuous use or operation of our data resources. Backups are very important, but they are not the entire solution. We should be able to execute prompt and effective continuation of services in the event of a disaster today, by evaluating our recoverability options and by preparing and executing a test plan.

INFORMATION TECHNOLOGY SERVICES | OFFICE OF THE CIO

“We try to provide a feeling of confidence and professionalism when dealing with the emergencies. To do this we have to be honest, trustworthy, and discreet.”
- Michael Sheron
ITS Division: Office of the CIO
Service Area: Data Privacy & IT Policy