PM-36 Louisiana State University System Information Security Plan
April 19, 2005
This document is a coordinated effort of the Offices of the Executive Vice-President, the LSU System Internal Audit, the LSU System Compliance Office, the State of Louisiana Office of Information Technology and campus information technology representatives. The purpose of the policy is to provide guidance to campuses in developing compliance programs that address state and federal regulations involving LSU System information technology systems that are either critical to business continuity in the event of a disaster or that contain protected or restricted information. The LSU System Office recognizes that not all LSU System campuses are the same and that not all campus information systems contain protected or restricted information as defined by state or federal regulatory agencies.

Since the release of the HIPAA Security guidelines, industry best practice standards suggest implementation of a "universal" information security program that reasonably meets current and anticipated regulations. The International Standard Organization (ISO) 17799 Standards have been recommended repeatedly. The required regulatory policy statements in this document are based on these standards. Aside from the specificity of HIPAA Security guidelines, regulations are often general and are left open to interpretation. For that reason, this policy implements the HIPAA Security required and addressable standards using the ISO 17799 "best practices" approach.

It is the intent of the LSU System Office to provide flexibility and accountability to each System campus to develop and implement individual campus procedures that comply with the policy statements contained in this PM. An addendum is attached to the policy statements which contains "best practices" suggestions to assist each campus in achieving compliance. These suggestions are not mandatory, nor are they to be interpreted as a directive in a particular regulation. They are merely suggestions of "best practices" to assist the campuses in carrying out the intent of the policy statements. It will be the decision of the individual campus to include these suggestions in its operational procedures. This decision should be made with input, at a minimum, from campus administration, internal audit, budget and finance, and compliance.

This Information Security Plan is considered to be "living" in that it will be continually evaluated to ensure that all LSU System campuses remain in compliance with information security requirements. It is important to note that the Louisiana Office of Information Technology will, in the near future, be publishing Information Technology Security policies based on the federal regulations listed earlier. LSU System campuses are expected to continually evaluate their procedures and update them as needed.
William L. Jenkins