Action Item 7:1 The CIO should engage an external party to conduct an IT security review and then develop an implementation plan to address any points of concern raised. A central figure within the Office of the Chief Information Officer (OCIO), currently designated as the Chief Information Security Officer (CISO), should be given the authority to assume control, leadership, and responsibility for developing an implementation plan for actions resulting from an IT security review. Likely, this will include authority to create responses to unauthorized access to the University’s IT infrastructure, unauthorized disclosure of electronic information, and security breaches regardless of the office involved. It will also entail specification of needed technology solutions to manage network security and the integrity of information residing on centralized and distributed resources across the institution.

Action Item 7:2 Develop clear and enforceable policies to address the integrity (management and protection) of data and information, and the security of IT infrastructure resources on which such information resides. IT security is the responsibility of all members of the UK community. However, the community relies heavily upon the expertise of ITS to define standards based upon best practices and to develop and implement policies to ensure that the community is best positioned to defend the integrity of the UK environment. The development and enforcement of security policies should be done in collaboration with the various colleges/departments at the institution. These policies will depend upon the clear articulation of institutional values, and an understanding of how UK will make judgements when values are in conflict. A key step in the formulation of policy will be the development of a shared vision of information and technology based on the beliefs and values of the UK community.

Empowering Transformation

RECOMMENDATION 7: SECURITY AND POLICY

The University should provide a secure, resilient, policy-based information and infrastructure environment to protect the security, integrity, and privacy of data. The environment should also ensure the stability and continuity of the institution’s IT resources and repositories in the face of potential catastrophic events.