Welcome to the initial information site for the university’s information security Standard!
The Policy on Information Security and the Protection of Digital Assets protects the privacy, confidentiality, authenticity, integrity and availability of the university’s digital assets. The Policy states, in part, “Across the University, those charged with managing and securing Digital Assets shall operate in a manner that reduces and mitigates vulnerabilities by following Standards, Guidelines and Procedures for protecting the University’s Digital Assets.” This document is a view of the Standard. The Standard is endorsed by the university’s Information security Council and is aligned with the National Institute of Standards and Technology (NIST) 800-171 for protecting data.
The Standard consists of a set of baseline control statements ordered in groups known as domains. An example of a domain in the Standard is ‘Access Control’. An example of a control in the Access Control domain is:
AC-12 Monitor and control remote access sessions.
Each control is mapped to the data classification and protection standard using the applicability words: essential, required, recommended, optional. Definitions of the applicability words:
Essential: Must be addressed for all current and future systems
Required: Must be addressed for future systems and prioritized for current systems
Recommended: Not compulsory but highly encouraged
Optional: Apply if appropriate
In addition to the 14 domain groups, there is an additional group of controls known as Minimum Standards. The controls listed are considered to be the highest priority for implementation. The following are 14 domain groups listed below.
Awareness & Training
Audit and Accountability
Identification and Authentication
System & Communications Protection
System & Information Integrity