Standards & Guidelines

Information Security is guided by University Policy 311 Information Security and the internationally recognized ISO/IEC 27002 code of practice. Standards and guidelines support Policy 311:

• Standards outline the minimum requirements designed to address certain risks and specific requirements that ensure compliance with Policy 311. These provide a basis for verifying compliance through audits and assessments. All units must comply with the standards by following prescribed procedures or by developing unit-specific procedures that meet or exceed the minimum requirements established by the standards.
• Guidelines offer general recommendations or instructions that provide a framework for achieving compliance with standards. They are more technical in nature and are updated on a more frequent basis to account for changes in technology and/or University practices.

Access Control

• Standard for Account Passwords
  • Guideline for Account Passwords
• Standard for Business Requirements for Access Control
• Standard for Responsible Use
• Standard for System and Application Access Control
• Standard for User Access Management
  • Guideline for User Access Management
  • Guideline for Privileged Account Management
• InCommon Federation: Participant Operational Practices (POP)

Business Continuity Management

• Standard for Information Security Continuity

Communications Security

• Standard for Communications Security
  • Guideline for Information Transfer
  • Guideline for Network Security

Compliance

• Standard for Compliance with Legal and Contractual Requirements
• Standard for Information Security Reviews
• Payment (Credit/Debit) Card Processing Standard
• Identity Theft Prevention Program

Data Management

• Standard for Information Classification
  • Guideline for Data Handling
  • Guideline for Data Security in Cloud Services
  • Guideline for Research Data Security
• Standard for Hardware and Media Disposal
  • Guideline for Hardware and Media Disposal

Encryption and Cryptographic Controls

• Standard for Encryption Controls

Human Resources Security

• Standard for Information Security Related to Employees
• Standard for Teleworking and Remote Work

Information Security Incident Management

• Standard for Managing Information Security Incidents
  • Guideline for Reporting Information Security Incidents

Information Security Organization

• Standard for Information Security Oversight

Mobile and Remote Access

• Standard for Mobile Devices
  • Guideline for Laptops and Handheld Mobile Devices
  • Guideline for Remote Access

Operations Security

• Standard for Operations Security
  • Guideline for Security of Endpoints
  • Guideline for Security of Applications
  • Gudeline for Security of Systems

Physical and Environmental Security

• Standard for Physical and Environmental Security – Equipment
• Standard for Physical and Environmental Security – Secure Areas

System Acquisition, Development and Maintenance

• Standard for Protection of Test Data
• Standard for Security in Development and Support Processes
• Standard for Security Requirements of Information Systems

Vendors and External Parties

• Standard for Information Security Related to Vendors and External Parties