Information Assurance
Information Assurance (IA), reporting to the CISO, protects the University’s data, supports research, and proactively surfaces IT risk whenever possible.
We partner with academic, administrative, and research units to assess cybersecurity practices, guide risk-informed decision-making, and promote regulatory compliance. Through a combination of assessments, consultations, and governance activities, IA helps the University securely enable technology while managing cyber risk. Our work can be divided into the following three categories:
- Risk Assessment and Consultation
- Research Support
  - University Research Administration Risk Reviews
  - Regulatory and Framework Compliance Support
    This includes NIST 800-171, NIST 800-53, NIST CSF 2.0, and HIPAA. Visit Research Support for more details.
- Governance, Training, and Policy
Security Framework Assessment
The Information Assurance team conducts an annual assessment of University units’ cybersecurity posture using the Cybersecurity Framework (CSF). This process includes inventorying unit end-user devices and their compliance with the End-User Device Policy. At the conclusion of the security framework assessment (SFA) cycle, the Information Assurance team provides recommendations on how to address common cybersecurity gaps across campus and how each unit can improve its cybersecurity posture.
Vendor Risk Reviews
Information Assurance conducts vendor risk reviews in consultation with the Financial Services’ Procurement and Payment Processes team. The team reviews agreements, statements of work, technical specifications, privacy policies, and integration plans. Information Assurance suggests modifications to contractual language, appends appropriate information security terms, and identifies IT practices that are required for successful implementation of the vendor’s product or service.
Risk Consultations
The Information Assurance team reviews products and services that a unit is considering prior to issuing an RFP or entering the procurement process. The team also assesses implementations of purchased solutions and evaluates the security of IoT devices. Additionally, the team reviews systems that may present elevated risks, recommending compensating controls where feasible or working with leadership to formally acknowledge and accept residual risks when necessary.
University Research Administration Risk Reviews
Information Assurance conducts pre- and post-award risk reviews in coordination with University Research Administration, Research Project Principal Investigators, embedded IT Security, and additional support resources. In each case, Information Assurance reviews the security requirements provided by the data lender and provides guidance on how to comply with these requirements so that the project is conducted in a regulatory-compliant manner.
Security Awareness Training
Information Assurance helps shape the content for University-wide Security and Compliance training by leveraging Workday Learning. The team can also consult on the appropriateness of training specific to a University unit’s compliance obligations.
Technical Review Committee
The Technical Review Committee (TRC) is a governance unit of IT Services that reviews designs for significant technology implementations at the University of Chicago. The TRC evaluates designs that introduce new technology products or services, or change existing ones, through the lenses of the University’s overall infrastructure strategy, technology standards, security standards, and industry best practices. Prior to procuring a solution, the requesting party submits a completed TRC questionnaire; committee members review it and then provide feedback to the requestor.
Information Security Policies and Standards
The Information Assurance team leads the development and maintenance of the University’s information security policies. These policies establish the expectations and requirements for protecting University data, systems, and technology resources. Working in collaboration with stakeholders across campus, the team ensures that policies align with regulatory obligations, industry standards, and institutional priorities. The goal is to provide clear, actionable guidance that supports security as well as academic, research, and operational excellence.