Policy and Guidance

The Information Security Office (InfoSec) is responsible for coordinating the development and dissemination of information security policies, standards, procedures and guidelines for the University. InfoSec is also responsible for coordinating various regulatory compliance efforts.

Policies: High level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process.

Standards: Minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. These provide a basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.

Procedures: Step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.

Guidelines: General recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.

Policy Framework

Information Security Policy
Organization of Information Security
Asset Management
Human Resource Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Business Continuity Management
Compliance
Information Security Incident Management
Risk Assessment

Legal Resources

Federal Policy/Statutes
State and Local Statutes

Policy Framework

Number	Previous Number (if applicable)	Title	Type

Information Security Policy
IS-100		Information Security	Policy
IS-P100		Exceptions	Procedure
IS-G100		Information Security Terms	Guideline
IS-S101		Compliance Program Documentation Requirements	Standard
IS-G101		Compliance Program Documentation Requirements	Guideline

Organization of Information Security
IS-G200		Information Security Liaisons	Guideline
IS-G201		Information Security Advisory Committee	Guideline

Asset Management
IS-S301		SSN Usage	Standard
IS-S302		Data Classification	Standard
IS-S303	IS-G301	Encryption (note: this is still a guideline, and only in draft form)	Standard

Human Resource Security
IS-S400		Management Responsibilities for Information Security	Standard

Physical and Environmental Security
IS-S501		Data Facility Physical Security	Standard
IS-P501 (UITS)		Data Facility Physical Security (UITS)	Procedure

Communications and Operations Management
IS-S600	IS-S602	Network Security University Network Operational Security (NOTE: The University Network Operational Security Standard will be replaced by the Network Security Standard as soon as the new standard is finalized)	Standard Standard
IS-S601		Wireless Deployment and Management	Standard
IS-S602	IS-S701	Minimum Security for Networked Devices	Standard
IS-G602A	IS-G706	Minimum Security for Networked Devices Implementation	Guideline
IS-G602B	IS-G704	Software Patching	Guideline
IS-G602C	IS-G702	Antivirus Software	Guideline
IS-G602D	IS-G705	Spyware and Adware Prevention	Guideline
IS-G602E	IS-G703	Firewall Software	Guideline
IS-S603	IS-S702	Server Security	Standard
IS-P603	IS-P601	Server Scanning Procedure Server and Network Scanning Timeline and Action Plan Workbook	Procedure
IS-G603		Information System Activity Review	Guideline
IS-G604	IS-G601	E-Mail Client and Usage	Guideline

Access Control
IS-700	IS-701	Computer and Network Access Agreement	Policy
IS-701	IS-702	Acceptable Use of Computers and Networks	Policy
IS-S702	IS-S500/700	Access Control	Standard
IS-P702	IS-P701	Enterprise Applications Account Access (Legacy Systems)	Procedure
IS-P702M	IS-P701M	Enterprise Applications Account Access (UAccess)	Procedure
IS-S703U		UA NetID Passwords	Standard
IS-G703	IS-G701	Password Construction & Maintenance	Guideline

Information Systems Acquisition, Development, and Maintenance
IS-S801		Application Security	Standard
IS-P801		Web Application Security Assessment Procedure	Procedure
IS-P802		Web Application Security Review Procedure	Procedure

Business Continuity Management
IS-S900		Business Continuity and Disaster Recovery Planning	Standard
IS-G901		Disaster Recovery	Guideline
IS-G902		Business Impact Analysis Form	Guideline
IS-G903		Disaster Preparation Information for System & User Function	Guideline

Compliance
IS-1000		Electronic Privacy Statement	Policy
IS-G1001		Federal Privacy Act and SSN Usage	Guideline

Information Security Incident Management
IS-S1100		Incident Response	Standard
IS-P1100		Incident Response Plan	Procedure
IS-G1100		Incident Handling	Guideline

Risk Assessment
IS-S1200		Risk Assessment	Standard
IS-P1200		Risk Assessment	Procedure
IS-G1200		Unit Asset Identification and Workbook	Guideline

Legal Sources

Federal Policy
Health Insurance Portability and Accountability Act 45 CFR Parts 160,162, and 164 (HIPAA)
Family Educational Rights and Privacy Act 34 CFR Part 99 (FERPA)
Computer Fraud and Abuse Act of 1986
USA PATRIOT Act of 2001
Computer Security Act of 1987
Homeland Security Act
The Children's Internet Protection Act of 2000
The No Electronic Theft (NET) Act of 1997

State & Local Policy
Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
Arizona Revised Statutes 44-1373 (Restricted use of personal identifying information; civil penalty)
Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
Arizona Board of Regents Policy 6-912 (Access to or Disclosure of Personnel Records or Information)
Arizona Board of Regents Policy 9-201 (General Policy)
Arizona Board of Regents Policy 9-202 (University Responsibilities)
Payment Card Industry Data Security Standard (PCI DSS)