Policy and Guidance

The Information Security Office is responsible for coordinating the development and dissemination of information security policies, standards, procedures and guidelines for the University. Info Sec is also responsible for coordinating various regulatory compliance efforts. See below for links to access policies, standards, procedures and guidelines published by Info Sec.

Policies are high-level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process.

Standards define minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. They provide a basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.

Procedures are step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.

Guidelines are general recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.

Policy Framework

Number	Category and Title	Type	Status


	Information Security Policy
IS-100	Information Security	Policy	Final
IS-P100	Exceptions	Procedure	Final
	Exceptions Form
IS-G100	Information Security Terms	Guideline	Final


	Organization of Information Security
IS-G200	Information Security Liaisons	Guideline	Final
IS-G201	Information Security Advisory Committee	Guideline	Final


	Asset Management
IS-S301	SSN Usage [Compliance Checklist]	Standard	Final
IS-S302	Data Classification [Compliance Checklist]	Standard	Final
IS-P301	Personal Information Sweep	Procedure	Final
IS-G301	Encryption	Guideline	Draft
IS-G302	Technical Support of the Personal Information Sweep	Guideline	Final


	Human Resources Security
IS-S400	Management Responsibilities for Information Security [Compliance Checklist]	Standard	Final


	Physical and Environmental Security
IS-S501	Data Facility Physical Security [Compliance Checklist]	Standard	Final
IS-P501 (UITS)	Data Facility Physical Security	Procedure	Final


	Communications and Operations Management
IS-S601	Wireless Deployment and Management [Compliance Checklist]	Standard	Final
IS-S602	University Network Operational Security [Compliance Checklist]	Standard	Final
IS-P601	Server Scanning Procedure	Procedure	Final
IS-G601	E-Mail Client and Usage	Guideline	Final
IS-G603	File Deletion	Guideline	Final


	Access Control
IS-701	Computer and Network Access Agreement	Policy	Final
IS-702	Acceptable Use of Computers and Networks	Policy	Final
IS-S700	Access Control [Compliance Checklist]	Standard	Final
IS-S701	Minimum Security for Networked Devices [Compliance Checklist]	Standard	Final
IS-S702	Server Security [Compliance Checklist]	Standard	Final
IS-S703U	UA NetID Passwords	Standard	Final
IS-P701	Enterprise Applications Account Access (Legacy Systems)	Procedure	Final
IS-P701M	Enterprise Applications Account Access (Mosaic)	Procedure	Final
IS-G701	Password Construction & Maintenance	Guideline	Final
IS-G702	Anti-Virus Software	Guideline	Final
IS-G703	Firewall Software	Guideline	Final
IS-G704	Software Patching	Guideline	Final
IS-G705	Spyware and Adware Prevention	Guideline	Final
IS-G706	Minimum Security for Networked Devices Implementation	Guideline	Final


	Information Systems Acquisition, Development and Maintenance
IS-S801	Application Security [Compliance Checklist]	Standard	Final
IS-P801	Web Application Security Assessment Procedure	Procedure	Final
IS-P802	Web Application Security Review Procedure	Procedure	Final


	Business Continuity Management
IS-S900	Business Continuity and Disaster Recovery Planning [Compliance Checklist]	Standard	Final
IS-G901	Disaster Recovery	Guideline	Final
IS-G902	Business Impact Analysis Form	Guideline	Final
IS-G903	Disaster Preparation Information for System & User Function	Guideline	Final


	Compliance
IS-1000	Electronic Privacy Statement	Policy	Final
IS-G1001	Federal Privacy Act and SSN Usage	Guideline	Final


	Information Security Incident Management
IS-S1100	Incident Response [Compliance Checklist]	Standard	Final
IS-P1100	Incident Response Plan	Procedure	Final
IS-G1100	Incident Handling	Guideline	Final

	Risk Assessment
IS-S1200	Risk Assessment [Compliance Checklist]	Standard	Final
IS-P1200	Risk Assessment	Procedure	Final

Legal Sources

Federal Policy	State & Local Policy
Health Insurance Portability and Accountability Act 45 CFR Parts 160, 162, and 164 (HIPAA)	Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
Family Educational Rights and Privacy Act 34 CFR Part 99 (FERPA)	Arizona Revised Statutes Section 44-7501 (Notification of breach of security system)
Computer Fraud and Abuse Act of 1986	Arizona Board of Regents Policy 9-201 (General Policy)
USA PATRIOT Act	Arizona Board of Regents Policy 9-202 (University Responsibilities)
Computer Security Act of 1987	Payment Card Industry Data Security Standard
Homeland Security Act
The Children's Internet Protection Act of 2000
The No Electronic Theft (NET) Act of 1997