| Control ID | Control Description | Data Protection Classification: Level 1 | Data Protection Classification: Level 2 | Data Protection Classification: Level 3 | Data Protection Classification: Level 4 |
|---|---|---|---|---|---|
| MIN-1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | essential | essential | essential | essential |
| MIN-2 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | essential | essential | essential | essential |
| MIN-3 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | recommended | required | essential | essential |
| MIN-4 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | essential | essential | essential | essential |
| MIN-5 | Protect (i.e., physically control and securely store) system media containing the University’s data, both paper and digital. | optional | recommended | essential | essential |
| MIN-6 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of the University’s data. | required | required | essential | essential |
| MIN-7 | Remediate vulnerabilities in accordance with risk assessments. | essential | essential | essential | essential |
| MIN-8 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | required | required | essential | essential |
| MIN-9 | Identify, report, and correct system flaws in a timely manner. | essential | essential | essential | essential |
| MIN-10 | Monitor system security alerts and advisories and take action in response. | essential | essential | essential | essential |