Legacy Standards and Guidelines

The University of Arizona has adopted the University of Arizona’s Cybersecurity Framework, which is based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The Framework is a risk-based approach to managing cybersecurity risk.

The Information Security Office and its governance organizations are in the process of updating the University standards, procedures and guidelines so that they align with the new Cybersecurity Framework. Our legacy standards, procedures and guidelines are listed below. We will announce these updates to campus as they become available, and will add them to our policy page. Below, they will be highlighted as "updated." Thank you for your patience.


Information Security Policy
IS-100 Information Security Policy
IS-P100 Exceptions Procedure
IS-G100 Information Security Terms Guideline
IS-S101 Compliance Program Documentation Requirements Standard
IS-G101 Compliance Program Documentation Requirements Guideline
Asset Management
IS-S301 SSN Usage Standard
IS-S302 Data Classification (refer to main policy page for updated Standard) *Updated
IS-S303 Encryption
(note: this is still a guideline, and only in draft form)
Human Resource Security
IS-S400 Management Responsibilities for Information Security Standard
Physical and Environmental Security
IS-S501 Data Facility Physical Security Standard
IS-P501 (UITS) Data Facility Physical Security (UITS) Procedure
Communications and Operations Management
IS-S600 Network Security
University Network Operational Security
(NOTE: The University Network Operational Security Standard will be replaced by the Network Security Standard as soon as the new standard is finalized)
IS-S601 Wireless Deployment and Management Standard
IS-S602 Minimum Security for Networked Devices Standard
IS-G602A Minimum Security for Networked Devices Implementation Guideline
IS-G602B Software Patching Guideline
IS-G602C Antivirus Software Guideline
IS-G602D Spyware and Adware Prevention Guideline
IS-G602E Firewall Software Guideline
IS-S603 Server Security Standard
IS-P603 Server Scanning Procedure Procedure
Server and Network Scanning Timeline and Action Plan Workbook
IS-G603 Information System Activity Review Guideline
IS-G604 Email Client and Usage Guideline
Access Control
IS-700 Computer and Network Access Agreement Policy
IS-701 Acceptable Use of Computers and Networks Policy
IS-S702 Access Control Standard
IS-P702 Enterprise Applications Account Access (Legacy Systems) Procedure
IS-P702M Enterprise Applications Account Access (UAccess) Procedure
IS-S703U UA NetID Passwords Standard
IS-G703 Password Construction & Maintenance Guideline
Information Systems Acquisition, Development, and Maintenance
IS-S801 Application Security Standard

Web Application Security Assessment Procedure 

Server and Network Scanning Timeline and Action Plan Workbook

IS-P802 Web Application Security Review Procedure Procedure
Business Continuity Management
IS-S900 Business Continuity and Disaster Recovery Standard
IS-G901 Disaster Recovery Guideline
IS-G902 Business Impact Analysis Form Guideline
IS-G903 Disaster Preparation Information for System & User Function Guideline
IS-1000 Electronic Privacy Statement Policy
IS-G1001 Federal Privacy Act and SSN Usage Guideline
Information Security Incident Management
IS-S1100 Incident Response Standard
IS-P1100 Incident Response Plan Procedure
IS-G1100 Incident Handling Guideline
Risk Assessment
IS-S1200 Risk Assessment Standard
IS-P1200 Risk Assessment Procedure

Unit Asset Identification Guideline