Welcome to the initial information site for the university’s information security Standard!
The Policy on Information Security and the Protection of Digital Assets protects the privacy, confidentiality, authenticity, integrity and availability of the university’s digital assets. The Policy states, in part, “Across the University, those charged with managing and securing Digital Assets shall operate in a manner that reduces and mitigates vulnerabilities by following Standards, Guidelines and Procedures for protecting the University’s Digital Assets.”
This page is a view of the University’s Information Security Standard, which is endorsed by the University’s Information Security Council and is aligned with the National Institute of Standards and Technology (NIST) 800-171 for protecting data.
Overview
The University’s Information Security Standard consists of a set of baseline control statements ordered in groups known as domains. An example of a domain in the Standard is ‘Access Control’. An example of a control in the Access Control domain is:
AC-12 Monitor and control remote access sessions.
Each control is mapped to the data classification and protection standard using one of the applicability words: essential, required, recommended or optional. Definitions of the applicability words:
Essential: Must be addressed for all current and future systems
Required: Must be addressed for future systems and prioritized for current systems
Recommended: Not compulsory but highly encouraged
Optional: Apply if appropriate
In addition to the 14 domain groups, there is an additional group of controls known as Minimum Standards; the controls listed there are considered the highest priority for implementation. The 14 domain groups are listed below.
Minimum Standards
Essential controls that apply to most university systems, procedures and processes.
Access Control
Awareness & Training
These controls ensure that university staff are provided with appropriate training and skills.
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
These controls manage the impact of security incidents through incident response plan creation and testing.
Maintenance
Maintenance controls mitigate vulnerabilities through hardware, firmware and software updates.
Media Protection
Personnel Security
Physical Protection
Access to physical systems and locations is controlled through appropriate security measures.
Risk Assessment
Security Assessment
Security assessment controls ensure the security program is operating effectively.
System & Communications Protection
System & Information Integrity