Policy and Guidance

The University's Information Security Office (ISO) is responsible for coordinating the development and dissemination of information security policies, standards, and guidelines for the University. ISO is also responsible for coordinating various regulatory compliance efforts as they relate to information technology systems. 

Policies: High-level statements, equivalent to organizational law, that drive decision making within the University. University policies are subject to a rigorous review process. The University's information security policies reside on the University's policy website.

Standards: Minimum requirements designed to address specific risks and to ensure compliance with a policy. They provide the basis for verifying compliance through audits and assessments. All units must meet the standards supporting the Information Security Policy and are encouraged to adopt local standards that exceed the minimum requirements.

Procedures: Step-by-step instructions for accomplishing a task. Procedures published by ISO are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.

Guidelines:  General recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.

Policies, Standards, Procedures and Guidelines

Information Security Policy
IS-100 Information Security Policy
IS-P100 Exceptions Procedure
IS-S101 Compliance Program Documentation Requirements Standard
IS-G101 Compliance Program Documentation Requirements Guideline
Asset Management
IS-S302 Data Classification and Handling Standard
IS-S303 Endpoint Encryption Standard
Human Resource Security
IS-S400 Manager Information Security Standard
IS-S401 Security Awareness and Training Standard
Physical and Environmental Security
IS-S501 Data Facility Physical Security Standard
IS-P501 Data Facility Physical Security (UITS) Procedure
Communications and Operations Management
IS-S600 University Network Operational Security
IS-S601 Wireless Deployment and Management Standard
IS-S602 Minimum Security for Networked Devices Standard
IS-G602A Minimum Security for Networked Devices Implementation Guideline
IS-G602B Software Patching Guideline
IS-G602C Antivirus Software Guideline
IS-G602D Spyware and Adware Prevention Guideline
IS-G602E Firewall Software Guideline
IS-S603 Server Security Standard
IS-P603 Server Scanning Procedure
Server and Network Scanning Timeline and Action Plan Workbook
IS-G603 Information System Activity Review Guideline
IS-G604 Email Client and Usage Guideline
Access Control
IS-700 Computer and Network Access Agreement Policy
IS-701 Acceptable Use of Computers and Networks Policy
IS-S702 Access Control Standard
IS-P702 Enterprise Applications Account Access (Legacy Systems) Procedure
IS-P702M Enterprise Applications Account Access (UAccess) Procedure
IS-S703U UA NetID Passwords Standard
IS-G703 Password Construction & Maintenance Guideline
Information Systems Acquisition, Development, and Maintenance
IS-S801 Application Security Standard
Web Application Security Assessment Procedure
Server and Network Scanning Timeline and Action Plan Workbook
IS-P802 Web Application Security Review Procedure
Business Continuity Management
IS-S900 Business Continuity and Disaster Recovery Standard
IS-G901 Disaster Recovery Guideline
IS-G902 Business Impact Analysis Form Guideline
IS-G903 Disaster Preparation Information for System & User Function Guideline
IS-1000 Electronic Privacy Statement Policy
IS-G1001 Federal Privacy Act and SSN Usage Guideline
Information Security Incident Management
IS-S1100 Incident Response Standard
IS-P1100 Incident Response Plan Procedure
IS-G1100 Incident Handling Guideline
Risk Assessment
IS-S1200 Risk Assessment Standard
IS-P1200 Risk Assessment (includes the 2016 UA Cybersecurity Risk Assessment Procedure, Workbook, and Reference Materials; requires NetID+ to access)

Unit Asset Identification Guideline

Regulatory Reference