Policies, Standards, and Guidelines

Policy Summaries

To help you quickly locate information, we've created summaries of the most important security policies and standards. The summaries cover only the key elements of these policies and standards. If you need more detailed information, refer to the full documents linked in the tables below.

Download the Information Security Standards & Guidelines Management Process (PDF) for more information on how ITS-OIS manages the drafting, reviewing, approving, and maintaining of standards and guidelines.

Policies, Standards, and Guidelines

| Type | Title | Status | Description | Information Covered | Governance Groups |
|---|---|---|---|---|---|
| Policies | Information Security Policy (916) | Active | Defines at a high level the roles, responsibilities, and measures required to cost-effectively manage risks related to University information resources. | Security Governance; Security Roles and Responsibilities; Key Security Controls | Information Security Advisory Council |
| Policies | Use Of Computers And Data Communication (901) | Active | Outlines technology practices and utilization requirements necessary for ensuring University information systems are protected from misuse. | Acceptable Use | Information Security Advisory Council |
| Policies | Statement of Confidentiality (902) | Active | Outlines responsibilities for limiting access to confidential and sensitive University information to a business/education need-to-know. | Non-Disclosure | Information Security Advisory Council |
| Policies | Payment Card Services Policy | Active | Outlines the process for authorizing units to accept payment cards, and campus compliance with the Payment Card Industry Data Security Standard. | Payment Card Compliance | Payment Card Oversight Committee |
| Standards | Data Management Standard (PDF) | Active | Outlines the responsibilities and requirements needed to consistently protect the value and security of University data. | Data Governance; Data Classification | Data Management Group; Information Security Advisory Council |
| Standards | Encryption Standard (PDF) | DRAFT | Defines the requirements necessary for securely managing encryption technologies in order to provide acceptable levels of protection for institutional data and systems. | Logical Control Requirements | Information Security Advisory Council |
| Standards | Enterprise Password Standard (PDF) | Active | Defines the requirements associated with the management of passwords utilized for managing, accessing, and supporting University enterprise information systems. | Password Creation and Management | Chancellor's Cabinet; Information Security Advisory Council |
| Standards | Information Security Risk Management Standard | Active | Defines the required processes and controls needed to effectively identify, analyze, report, and manage information risks related to University information assets. | Information Security Risk Management | Information Security Advisory Council; IT Security Liaisons |
| Standards | Minimum Security Standard (PDF) | Active | Defines the specific minimum technical security practices needed to protect different types of University information resources based on the degree of risk that may be realized should these resources be compromised, stolen, degraded, or destroyed. | Technical Security Measures | Information Security Advisory Council; IT Security Liaisons |
| Standards | Secure Data Handling Standard (PDF) | Active | Defines University Secure Data Environments and requirements for the secure storage, transmission, and disposal of University Data. | Data Handling | Information Security Advisory Council |
| Guidelines | Secure File Storage and Sharing | Active | Provides guidance on which campus technologies can be used to securely transmit or store different types of University data. | How to securely transmit and store confidential data; What practices to avoid to help prevent potential data breach. | Information Security Advisory Council |
| Guidelines | Mobile Device Security | Active | Provides guidance and best practices to secure mobile devices to help safeguard both personal and University data. | Mobile device security steps. | Information Security Advisory Council |