Using the Information Security Standards

The information security standards define security controls to maintain information security based on the unique requirements of the University. Each information security standard identifies controls that are required, recommended, or optional for the data or IT resource at the three security levels (high, medium, or low).

The information security standards apply to University IT resources owned, leased, operated or provided by the University or otherwise connected to University resources (including either free or contracted). This includes but is not limited to computers, workstations, external drives, mobile phones, wireless devices, operating systems/software/applications, and personal devices (e.g., smartphones, tablets, laptops, computers) used for University business.

University community members work with IT staff, IT Director, IT Service Owner, Department Head, or contractor to apply the appropriate controls to the data and IT resource following this process:

• Identify the security level (high, medium, or low) for the data and IT resource following the process in the procedure of Administrative Policy: Data Security Classification.
• Apply the appropriate controls from the information security standards to the data and IT resource based on the security level. The security level defines the minimum requirements that must be followed for that level.
• Document a security gap analysis of required controls that are not currently in place. Units have up to one year from effective or published date to comply with new controls. The Information Security Standards are listed in the Appendices section of this policy
• Request an exception if the unit does not comply with a required control.