Information Security Program

Background

UNM’s Information Security Program (“The Program”) applies to all UNM individuals and organizations (“UNM Personnel”), to all UNM Data, including but not limited to Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), or otherwise protected data (“Protected Data”), and to all UNM information systems (“UNM Systems”), particularly those that are used to access, collect, create, process, store, and/or transmit (“Use”) UNM Data, whether in paper, electronic, or other forms.

The Program is based on the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 and (SP) 800-53, which describe risk-based controls and safeguards required by regulations that apply to UNM Data and to UNM Systems. The Program directs the actions of UNM Personnel and organizations in safeguarding all UNM Data and UNM Systems. The Program Coordinator or designees are responsible for helping to ensure the objectives of The Program are met, for evaluating controls, and for adjusting controls and otherwise updating The Program, as necessary.

The Program is organized into components of focused effort to achieve specific information security outcomes. Components include, but are not limited to:

  • Awareness Management – ensuring that all UNM personnel who access UNM Systems or use UNM Data are trained to recognize and report threats to UNM Systems, to understand their for safeguarding UNM Data and UNM Systems, and to be aware of UNM's policies, standards, and procedures for safeguarding UNM Data and UNM Systems
  • Event and Incident Management – ensuring that suspected and verified unauthorized access to UNM Data or UNM Systems, and/or disruption of UNM Systems is appropriately detected, reported, and responded to
  • Information Risk Management – ensuring that UNM Data and UNM Systems, including associated processes, are periodically assessed to identify reasonably foreseeable risks, and that risk management plans are implemented to remediate, mitigate, or respond to such risks
  • Information Systems Safeguard Management – ensuring that minimum safeguards (i.e., administrative, physical, and technical) to protect the use of UNM Data and UNM Systems are defined and standardized for UNM Data and UNM Systems, and that those safeguards are reasonable and appropriate to protect the use of UNM Data and UNM Systems
  • Vulnerability and Patch Management – ensuring that all UNM Systems are routinely assessed and that discovered vulnerabilities are remediated, or that a risk management plan with mitigating controls is implemented for the affected UNM System

Safeguards

Safeguards (also known as controls) are implemented to protect the confidentiality, integrity, and availability of UNM Data and UNM Systems. Safeguards can be administrative, physical, or technical. The goal of The Program is to ensure that safeguards are established, implemented, and effective at all times, and that they are reasonable and appropriate for managing or mitigating reasonably foreseeable risks to UNM Data and UNM Systems.

  • Administrative safeguards – laws, regulations, guidelines, policies, procedures, and standards that help address and manage risks
    • Operational safeguards – process-based measures that help create and enforce awareness and management of risks
  • Physical safeguards – physical barriers or protective measures that help address and manage risks
  • Technical safeguards – technology-based protective measures that help address and manage risks

 

UNM Information Security Program V 2.0
Last Revised: July 12, 2023


NOTICE: The ISPO's Information Security Operations area will update this document on a periodic basis in response to emerging trends and guidance from information security professional organizations.


If you have questions or feedback regarding this document, please use Help.UNM to submit your request. Following this process will ensure that your request is opened, tracked, and processed in a timely manner.

Report an Incident

If you suspect that your NetID (i.e., LoboMail account) or a computer has been compromised and you need to know what to do, please see our FAQ.

  • Abuse Report Form
  • Report Message: Junk
  • Report Message: Phishing
  • Help.UNM Self Service
  • UNM EthicsPoint


For more information, visit our Contact Information page.