The University of Arizona’s Security Framework is based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The Framework is a risk-based approach to managing cybersecurity risk.
Additional tools and guidance to help units conduct self-assessments will be coming soon.
Policies: High level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process. The University's information security policies reside on the University's policy website.
- Information Security Policy (IS-100)
- Computer and Network Access Agreement (IS-700)
- Acceptable Use of Computers Policy (IS-701)
- Electronic Privacy Statement Policy (IS-1000)
Standards: Minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. These provide a basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.
- Arizona Board of Regents Policy 9-201 (General Policy)
- Arizona Board of Regents Policy 9-202 (University Responsibilities)
- Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
- Arizona Revised Statutes 44-1373 (Restricted use of personal identifying information; civil penalty)
- Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
- Health Insurance Portability and Accountability Act 45 CFR Parts 160, 162, and 164 (HIPAA)
- Family Educational Rights and Privacy Act 34 CFR Part 99 (FERPA)
- PCI Security Standards Council