Policy and Guidance
Policies: High level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process. The University's information security policies reside on the University's policy website.
Standards: Minimum requirements designed to address certain risks and specific requirements that ensure compliance with a policy or standard. These provide a basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.
Procedures: Step-by-step instructions for accomplishing a task. Procedures published by Info Sec are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.
Guidelines: General recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.
Policies, Standards, Procedures and Guidelines
UA Policy Brief Reference "What do the new policies mean for me?"
ISO-100 Information Security Program Policy
ISO-100-G1 ISO Policy Compliance Guidance
ISO-100-S1 Compliance Program Documentation Requirements Standard
ISO-100-P1 ISO Policy Exception Request Procedure
ISO-100-S2 Manager Information Security Standard
ISO-1000 Device and Media Protection Policy
ISO-1000-S1 Encryption Standard
ISO-1000-G1 Encryption Guideline
ISO-1100 Information System Audit, Accountability, and Activity Review Policy
ISO-1100-S1 Logging and Monitoring Standard
ISO-1100-P1 AWS CloudTrail Log Ingestion and Analysis Procedure
ISO-1100-P2 Linux Server Log Ingestion and Analysis Procedure
ISO-1100-P3 Shibboleth Log Ingestion and Analysis Procedure
ISO-1100-P4 Cisco ISE Log Ingestion and Analysis Procedure
ISO-1100-P5 Duo Log Ingestion and Analysis Procedure
ISO-1100-P6 Box Health Log Ingestion and Analysis Procedure
ISO-1100-P7 Cisco ASA VPN Log Ingestion and Analysis Procedure
ISO-1100-P8 Windows Active Directory (AD) Log Ingestion and Analysis Procedure
ISO-1100-P9 Windows File Change and Audit Logs Ingestion and Analysis Procedure
ISO-1100-P10 Windows Server Log Ingestion and Analysis Procedure
ISO-1200 Network, Server, and Transmission Security Policy
ISO-1200-G1 Secure Sharing of Personal Information Guideline
ISO-1200-G2 COVID-19 Remote Access Guideline
ISO-1200-G3 Zoom Settings Risk Analysis Guideline
ISO-1200 G4 Zoom for Research Security Guideline
ISO-1000-S1 Encryption Standard
ISO-1000-G1 Encryption Guideline
IS-S600 University Network Operational Security Standard
IS-S601 Wireless Deployment and Management Standard
IS-S602 Minimum Security for Networked Devices Standard
IS-S603 Server Security Standard
ISO-1600 Vulnerability and Patch Management Policy
ISO-1600-S1 Vulnerability Management Standard
ISO-1600-S2 Patch Management Standard
ISO-1600-G1 Patch Installation and Testing Guideline
ISO-1600-G2 Penetration Test Request Guideline
ISO-1600-G3 Vulnerability Identification and Remediation Communication Guideline
ISO-1600-G4 Vulnerability Information and Identification Source Guideline
ISO-1600-G5 Vulnerability Scanning Guideline
ISO-1600-P1 Patch Management and Data Reporting Procedure
ISO-1600-P2 Penetration Test Request Prioritization Procedure
ISO-1600-P3 Penetration Test Request Procedure
ISO-1600-P4 Vulnerability Data Reporting Procedure
ISO-1600-P5 Risk Treatment Guideline
Regulatory Reference
- Arizona Board of Regents Policy 9-201 (General Policy)
- Arizona Board of Regents Policy 9-202 (University Responsibilities)
- Arizona Revised Statutes Section 15-1823 (Identification numbers; social security numbers)
- Arizona Revised Statutes 44-1373 (Restricted use of personal identifying information; civil penalty)
- Arizona Revised Statutes Section 18-552 (Notification of breach of security system) (Definitions ARS 18-551)
- Health Insurance Portability and Accountability Act 45 CFR Parts 160,162, and 164 (HIPAA)
- Family Educational Rights and Privacy Act 34 CFR Part 99 (FERPA)
- PCI Security Standards Council
University Compliance Information