Information Security Functions & Responsibilities

Information Security Mission

The mission of Information Security is to design, implement and maintain an information security program that protects the Medical School's systems, services and data against unauthorized use, disclosure, modification, damage and loss. The Information Security Department is committed to engaging the Medical School community to establish an appropriate information security governance structure that enables collaboration and support for new information security initiatives.

Information Security Approach

  • Foster a culture of empowerment, accountability and continuous improvement
  • Demonstrate a consistent Information Security and Compliance message through effective communication and partnerships
  • Prioritize information assets and processes
  • Strive to influence positive and meaningful change within IT and UMMS as a whole
  • Identify and prioritize risks
  • Implement foundational security controls across key assets
  • Build a targeted security capability model
  • Develop the security improvement roadmap
  • Ensure governance and organization engagement

Information Security Scope

  • Protect the assets of the Medical School through secure design, operations and management governance
  • Align work and work products within UMMS-relevant laws, regulations and requirements
  • Apply a risk-based approach to our security design, guidance and decisions
  • Continuously safeguard against current and potential threats

Information Security Importance

The importance of a proactive Information Security team is to provide the framework for keeping sensitive data confidential and available for authorized use while building effective relationships with our business and IT partners.

Information Security Principles and Goals

  • Protect the confidentiality of data
  • Preserve the integrity of data
  • Promote the availability of data for authorized use
  • Proactively identify risks and propose viable mitigation steps
  • Cultivate a proactive risk management culture
  • Implement "best practice" threat management strategies and processes to reduce threats

The Controls Framework

  • Policy Development
  • Security Awareness
  • Internal Risk Assessments
  • Third-party Risk Assessments
  • Risk Remediation Support
  • Secure SDLC
  • Record retention schedule management
  • SOC 2 Facilitation
  • Threat protection & monitoring
  • Malware detection (ePO)
  • Threat correlation & reporting
  • Incident response
  • Computer forensics
  • Vulnerability management
  • Application scanning
  • Penetration testing
  • Campus & industry threat collaboration
  • Security training administration

Legislative, regulatory, contractual requirements and other policy-related requirements - Information Security works closely with several departments, including the Office of Management (OOM) and the Institutional Review Board (IRB), to ensure that sensitive information is appropriately protected.

  • Privacy & Compliance liaison
  • UMass President's Office & UMMS Legal liaison
  • Subpoena and Public records requests support
  • Internal and External Audit participation and response
  • Regulatory guidance and direction
  • HIPAA Analysis / Assessment Security Oversight
  • IRB Support

To learn more about Privacy, please visit the UMMS Privacy page.