Projects

IP3

Information Planning and Protections Process

IP3 is a security assessment system aimed at assisting University departments and units in protecting the privacy and security of its assets under the SIMPL security framework.

IP3 implements the Plan - Do - Check - Act assessment cycle of KU's Information Security Management System (ISMS).

More information on SIMPL can be found at http://www.security.ku.edu/projects/simpl/

Why is Risk Management Important?

Breaches of information security can cause serious financial damage to an organization and/or cause embarrassment to the organization.

An expectation might be that if a serious incident occurs - perhaps hacking of an organization's web site or server - there should be people with sufficient training in appropriate procedures to minimize the impact.

Ensure proper security controls are in place to ensure due diligence in handling University Information.

  • Is there documentation on how this is done today?
  • Is it known where unit or organizational assets are located, and are the proper security controls in place to address high and medium risk issues?
  • When a new application or service is introduced, is there a process to measure the exposure, risk, or impact of this service to the unit, organization or to the University?

ISMS Work Cycle
Outputs
  1. Assurance that critical have proper security controls applied
  2. Fostering a culture of security awareness
  3. A program that allows better, more educated decisions to be made based on documented risk assessment and internal audit results.
  4. Little cost to implement
Primary Success Factors for Implementation
  1. Documented communication channel for decision making. This is usually done by having a formal Governance Structure in place.
    • Many units or departments on campus have implemented technology oversight groups chaired or headed by the dean, chair or other senior management representative.
    • This group is usually charged with oversight and decision making of all things technology related for their department or unit.
  2. Buy-in and support from Senior Management within units.