The University of Pittsburgh is at the midpoint of a three-year strategic plan focused on information technology. Our strategic direction is based on a tiered model consisting of these layers: network infrastructure, middleware, Web infrastructure, and the set of applications and services that can be provided to our user community. As applications and services become increasingly more complex, there is a greater potential for security breaches that must be adequately addressed.The ability for students and faculty to share data and collaborate on projects is of utmost importance to any higher education institution. A large, multidisciplinary institution such as the University of Pittsburgh must be able to find an effective balance between the need to provide people in the local, national, and international communities with access to information and the need to protect sensitive information from unauthorized access and misuse.The subject of information security has received a great deal of attention within academia before and after the events of September 11, 2001. Federal regulations such as the HIPAA legislation protecting patient data, the USA PATRIOT Act, and the Digital Millennium Copyright Act all have significant impact. The complexities involved in developing adequate security plans have resulted in the development of the ISO 17799 standard, used widely in security plan development.A University-wide security plan is under development that, when completed, will address security at all levels. This comprehensive security plan will cover policies, business practice changes, and user awareness concerns. This presentation focuses on the process that is underway to identify security issues and to design and implement a comprehensive security plan that maintains an open academic environment and fully addresses relevant legislation and best practice models.