Welcome to the initial information site for the university’s information security Standard!

The Policy on Information Security and the Protection of Digital Assets protects the privacy, confidentiality, authenticity, integrity and availability of the university’s digital assets. The Policy states, in part, “Across the University, those charged with managing and securing Digital Assets shall operate in a manner that reduces and mitigates vulnerabilities by following Standards, Guidelines and Procedures for protecting the University’s Digital Assets.” This document is an overview of the Standard. The Standard is endorsed by the university’s Information Security Council and is aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171 for protecting data.

Overview

The Standard consists of a set of baseline control statements ordered in groups known as domains. An example of a domain in the Standard is ‘Access Control’. An example of a control in the Access Control domain is:

AC-12 Monitor and control remote access sessions.

Each control is mapped to the data classification and protection standard using one of the applicability words: essential, required, recommended, optional. The applicability words are defined as follows:

Essential: Must be addressed for all current and future systems

Required: Must be addressed for future systems and prioritized for current systems

Recommended: Not compulsory but highly encouraged

Optional: Apply if appropriate

Beyond the 14 domain groups, there is one further group of controls known as Minimum Standards; the controls listed there are considered the highest priority for implementation. The 14 domain groups are listed below.

Minimum Standards

Essential controls that apply to most university systems, procedures and processes.

Access Control

These controls ensure that access to the university’s data is limited to authorized personnel, accounts and system processes.

Awareness & Training

These controls ensure that university staff are provided with appropriate training and skills.

Audit and Accountability

Audit and accountability controls ensure that the university’s data is properly maintained, including storage, processing and handling.

Configuration Management

Configurations, systems and software are standardized and managed to ensure they perform in definable and measurable ways.

Identification and Authentication

Identification and authentication controls ensure only confirmed and approved identities gain authorized access.

Incident Response

These controls manage the impact of security incidents through the creation and testing of response plans.

Maintenance

Maintenance controls mitigate vulnerabilities through hardware, firmware and software updates.

Media Protection

Media protection controls ensure media that hold data, including paper and electronic storage, are protected.

Personnel Security

These controls protect University data against unauthorized access when staff roles or authorizations change.

Physical Protection

Access to physical systems and locations is controlled through appropriate security measures.

Risk Assessment

Risk assessment controls ensure appropriate measures are in place to assess and remediate identified risks.

Security Assessment

Security assessment controls ensure the security program is operating effectively.

System & Communications Protection

These controls ensure University data is protected from unauthorized exposure while at rest or in transit over university services and networks.

System & Information Integrity

These controls ensure University systems, data, and processes are trusted and protected against malicious or accidental alteration.