The University of Arizona

Policy and Guidance

The Information Security Office is responsible for coordinating the development and dissemination of information security policies, standards, procedures and guidelines for the University. Info Sec is also responsible for coordinating various regulatory compliance efforts. See below for links to access policies, standards, procedures and guidelines published by Info Sec.

Policies are high-level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process.

Standards define minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. They provide a basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.

Procedures are step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.

Guidelines are general recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.

Policy Framework

| Number | Category | Title | Type | Status |
|---|---|---|---|---|
| IS-100 | Information Security Policy | Information Security Policy | Policy | Final |
| IS-G100 | Information Security Policy | Information Security Terms | Guideline | Final |
| IS-P100 | Information Security Policy | Exceptions | Procedure | Final |
| | Information Security Policy | Exceptions Form | | |
| | Organization of Information Security | Information Security Liaisons | Guideline | Final |
| IS-S301 | Asset Management | SSN Usage [Compliance Checklist] | Standard | Final |
| IS-S302 | Asset Management | Data Classification [Compliance Checklist] | Standard | Final |
| IS-P301 | Asset Management | Personal Information Sweep | Procedure | Final |
| IS-G301 | Asset Management | Encryption | Guideline | Draft |
| IS-G302 | Asset Management | Technical Support of the Personal Information Sweep | Guideline | Final |
| IS-S400 | Human Resources Security | Management Responsibilities for Information Security [Compliance Checklist] | Standard | Final |
| IS-S500/700 | Physical and Environmental Security | Access Control [Compliance Checklist] | Standard | Final |
| IS-S501 | Physical and Environmental Security | Data Facility Physical Security [Compliance Checklist] | Standard | Final |
| IS-S601 | Communications and Operations Management | Wireless Deployment and Management [Compliance Checklist] | Standard | Final |
| IS-S602 | Communications and Operations Management | University Network Operational Security [Compliance Checklist] | Standard | Final |
| IS-P601 | Communications and Operations Management | Critical Device Scanning | Procedure | Final |
| IS-G601 | Communications and Operations Management | E-Mail Client and Usage | Guideline | Final |
| IS-G603 | Communications and Operations Management | File Deletion | Guideline | Final |
| IS-701 | Access Control | Computer and Network Access Agreement | Policy | Final |
| IS-702 | Access Control | Acceptable Use of Computers and Networks | Policy | Final |
| IS-S500/700 | Access Control | Access Control [Compliance Checklist] | Standard | Final |
| IS-S701 | Access Control | Minimum Security for Networked Devices [Compliance Checklist] | Standard | Final |
| IS-S702 | Access Control | Server Security [Compliance Checklist] | Standard | Final |
| IS-P701 | Access Control | Enterprise Applications Account Access | Procedure | Final |
| IS-G701 | Access Control | Password Construction & Maintenance | Guideline | Final |
| IS-G702 | Access Control | Anti-Virus Software | Guideline | Final |
| IS-G703 | Access Control | Firewall Software | Guideline | Final |
| IS-G704 | Access Control | Software Patching | Guideline | Final |
| IS-G705 | Access Control | Spyware and Adware Prevention | Guideline | Final |
| IS-G706 | Access Control | Minimum Security for Networked Devices Implementation | Guideline | Final |
| IS-S801 | Information Systems Acquisition, Development and Maintenance | Application Security [Compliance Checklist] | Standard | Final |
| IS-P801 | Information Systems Acquisition, Development and Maintenance | Web Application Security Assessment | Procedure | Final |
| IS-S900 | Business Continuity Management | Business Continuity and Disaster Recovery Planning [Compliance Checklist] | Standard | Final |
| IS-G901 | Business Continuity Management | Disaster Recovery | Guideline | Final |
| IS-G902 | Business Continuity Management | Business Impact Analysis Form | Guideline | Final |
| IS-G903 | Business Continuity Management | Disaster Preparation Information for System & User Function | Guideline | Final |
| IS-1000 | Compliance | Electronic Privacy Statement | Policy | Final |
| IS-G1001 | Compliance | Federal Privacy Act and SSN Usage | Guideline | Final |
| IS-S1100 | Information Security Incident Management | Incident Response [Compliance Checklist] | Standard | Final |
| IS-P1100 | Information Security Incident Management | Incident Response Plan | Procedure | Final |
| IS-G1100 | Information Security Incident Management | Incident Handling | Guideline | Final |
| IS-S1200 | Risk Assessment | Risk Assessment [Compliance Checklist] | Standard | Final |
| IS-P1200 | Risk Assessment | Risk Assessment | Procedure | Final |

Legal Sources

Federal Policy

- Health Insurance Portability and Accountability Act, 45 CFR Parts 160, 162, and 164 (HIPAA)
- Family Educational Rights and Privacy Act, 34 CFR Part 99 (FERPA)
- Computer Fraud and Abuse Act of 1986
- Patriot Act
- Payment Card Industry Data Security Standard
- Computer Security Act of 1987
- Homeland Security Act
- The Children's Internet Protection Act of 2000
- The No Electronic Theft (NET) Act of 1997

State & Local Policy

- Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
- Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
- Arizona Board of Regents Policies 9-201 (General Policy) & 9-202 (University Responsibilities)