Using the Information Security Standards
The information security standards define security controls to maintain information security based on the unique business requirements of the University. Each information security standard identifies controls that are required, recommended, or optional for the data or IT resource at the three security levels (high, medium, or low).
The information security standards apply to University IT resources owned, leased, operated, or provided by the University or otherwise connected to University resources. This includes, but is not limited to, computers, workstations, external drives, mobile phones, wireless devices, and operating systems/software/applications (free or contracted by the University).
University community members work with IT staff, IT Director, IT Service Director, Department Head, or contractor to apply the appropriate controls to the data and IT resource following this process:
- Identify the security level (high, medium, or low) for the data and IT resource following the process in the procedure of Administrative Policy: Data Security Classification.
- Apply the appropriate controls from the information security standards to the data and IT resource based on the security level. The security level defines the minimum requirements that must be followed for that level.
- Document a security gap analysis for required controls that are not currently in place. Units have up to one year from the effective/revision date to comply with new controls.
The Information Security Standards are listed in the Appendices section of this policy.