Policies are high-level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process.
Standards define minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. They provide a basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.
Procedures are step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.
Guidelines are general recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.
Policy Framework
| Number | Category and Title | Type | Status |
|---|---|---|---|
| | Information Security Policy | | |
| IS-100 | Information Security | Policy | Final |
| IS-G100 | Information Security Terms | Guideline | Final |
| IS-P100 | Exceptions | Procedure | Final |
| | Exceptions Form | | |
| | Organization of Information Security | | |
| | Information Security Liaisons | Guideline | Final |
| | Asset Management | | |
| IS-S301 | SSN Usage [Compliance Checklist] | Standard | Final |
| IS-S302 | Data Classification | Standard | Final |
| IS-P301 | Personal Information Sweep | Procedure | Final |
| IS-G301 | Encryption | Guideline | Draft |
| IS-G302 | Technical Support of the Personal Information Sweep | Guideline | Final |
| | Human Resources Security | | |
| IS-S400 | Management Responsibilities for Information Security [Compliance Checklist] | Standard | Final |
| | Physical and Environmental Security | | |
| IS-S500/700 | Access Control [Compliance Checklist] | Standard | Final |
| IS-S501 | Data Facility Physical Security [Compliance Checklist] | Standard | Final |
| | Communications and Operations Management | | |
| IS-S601 | Wireless Deployment and Management [Compliance Checklist] | Standard | Final |
| IS-S602 | University Network Operational Security [Compliance Checklist] | Standard | Final |
| IS-P601 | Critical Device Scanning | Procedure | Final |
| IS-G601 | E-Mail Client and Usage | Guideline | Final |
| IS-G603 | File Deletion | Guideline | Final |
| | Access Control | | |
| IS-701 | Computer and Network Access Agreement | Policy | Final |
| IS-702 | Acceptable Use of Computers and Networks | Policy | Final |
| IS-S500/700 | Access Control [Compliance Checklist] | Standard | Final |
| IS-S701 | Minimum Security for Networked Devices [Compliance Checklist] | Standard | Final |
| IS-S702 | Server Security [Compliance Checklist] | Standard | Final |
| IS-P701 | Enterprise Applications Account Access | Procedure | Final |
| IS-G701 | Password Construction & Maintenance | Guideline | Final |
| IS-G702 | Anti-Virus Software | Guideline | Final |
| IS-G703 | Firewall Software | Guideline | Final |
| IS-G704 | Software Patching | Guideline | Final |
| IS-G705 | Spyware and Adware Prevention | Guideline | Final |
| IS-G706 | Minimum Security for Networked Devices Implementation | Guideline | Final |
| | Information Systems Acquisition, Development and Maintenance | | |
| IS-S801 | Application Security [Compliance Checklist] | Standard | Final |
| IS-P801 | Web Application Security Assessment Procedure | Procedure | Final |
| | Business Continuity Management | | |
| IS-S900 | Business Continuity and Disaster Recovery Planning [Compliance Checklist] | Standard | Final |
| IS-G901 | Disaster Recovery | Guideline | Final |
| IS-G902 | Business Impact Analysis Form | Guideline | Final |
| IS-G903 | Disaster Preparation Information for System & User Function | Guideline | Final |
| | Compliance | | |
| IS-1000 | Electronic Privacy Statement | Policy | Final |
| IS-G1001 | Federal Privacy Act and SSN Usage | Guideline | Final |
| | Information Security Incident Management | | |
| IS-S1100 | Incident Response [Compliance Checklist] | Standard | Final |
| IS-P1100 | Incident Response Plan | Procedure | Final |
| IS-G1100 | | Guideline | Final |
| | Risk Assessment | | |
| IS-S1200 | Risk Assessment | Standard | Final |
| IS-P1200 | Risk Assessment | Procedure | Final |
Legal Sources
| Federal Policy | State & Local Policy |
|---|---|
| Health Insurance Portability and Accountability Act 45 CFR Parts 160, 162, and 164 (HIPAA) | Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers) |
| Family Educational Rights and Privacy Act 34 CFR Part 99 (FERPA) | Arizona Revised Statutes Section 44-7501 (Notification of breach of security system) |
| Computer Fraud and Abuse Act of 1986 | Arizona Board of Regents Policies 9-201 (General Policy) & 9-202 (University Responsibilities) |
| Payment Card Industry Data Security Standard | |
| The Children's Internet Protection Act of 2000 | |
| The No Electronic Theft (NET) Act of 1997 | |

