The Policy on Information Security and the Protection of Digital Assets protects the privacy, confidentiality, authenticity, integrity and availability of the University’s digital assets. The Policy states, in part, “Across the University, those charged with managing and securing digital assets shall operate in a manner that reduces and mitigates vulnerabilities by following standards, guidelines and procedures for protecting the University’s digital assets.” This document is a view of the Information Security Standard (the Standard). The Standard is endorsed by the University’s Information Security Council and is aligned with the National Institute of Standards and Technology (NIST) 800-171 for protecting data.
Overview
The Standard consists of a set of baseline control statements ordered in groups known as domains. An example of a domain in the Standard is ‘Access Control’. An example of a control in the Access Control domain is:
AC-12 Monitor and control remote access sessions.
Each control is mapped to the data classification and protection standard using the applicability words: essential, required, recommended and optional. Definitions of the applicability words:
Essential: Must be addressed for all current and future systems.
Required: Must be addressed for future systems and prioritized for current systems.
Recommended: Not compulsory but highly encouraged.
Optional: Apply if appropriate.
Domain groups and controls
In addition to the 14 domain groups, there is an additional group of controls known as Minimum Standards. The controls listed are considered to be the highest priority for implementation. The following are 14 domain groups.
Essential controls that apply to most university systems, procedures and processes.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| MIN-1 | Limit system access to authorized users. Processes acting on behalf of authorized users and devices (including other systems). | essential | essential | essential | essential |
| MIN-2 | Ensure that managers, systems administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems. | essential | essential | essential | essential |
| MIN-3 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. | recommended | required | essential | essential |
| MIN-4 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. | essential | essential | essential | essential |
| MIN-5 | Protect (i.e., physically control and securely store) system media containing the University’s data, both paper and digital. | optional | recommended | essential | essential |
| MIN-6 | Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of the University’s data. | required | required | required | required |
| MIN-7 | Remediate vulnerabilities in accordance with risk assessments. | essential | essential | essential | essential |
| MIN-8 | Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems. | required | required | essential | essential |
| MIN-9 | Identify, report and correct system flaws in a timely manner. | essential | essential | essential | essential |
| MIN-10 | Monitor system security alerts and advisories and take action in response. | essential | essential | essential | essential |
These controls ensure authorized personnel, accounts and system processes have access to the university’s data.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| AC-1 | Limit system access to authorized users, processes acting on behalf of authorized users and devices (including other systems). |
essential | essential | essential | essential |
| AC-2 | Limit system access to the types of transactions and functions. | recommended | recommended | essential | essential |
| AC-3 | Control the flow of the University’s data in accordance with approved authorizations. | recommended | required | essential | essential |
| AC-4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | optional | optional | recommended | recommended |
| AC-5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | recommended | recommended | essential | essential |
| AC-6 | Use non-privileged accounts or roles when accessing non-security functions. | recommended | recommended | essential | essential |
| AC-7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | required | required | essential | essential |
| AC-8 | Limit unsuccessful login attempts. | recommended | recommended | essential | essential |
| AC-9 | Provide privacy and security notices consistent with applicable university data rules. | required | required | required | essential |
| AC-10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | recommended | recommended | required | essential |
| AC-11 | Automatically terminate a user session after a defined condition. | optional | recommended | required | essential |
| AC-12 | Monitor and control remote access sessions. | recommended | required | essential | essential |
| AC-13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | recommended | required | essential | essential |
| AC-14 | Route remote access via managed access control points. | recommended | required | essential | essential |
| AC-16 | Authorize wireless access prior to allowing such connections. | essential | essential | essential | essential |
| AC-17 | Protect wireless access using authentication and encryption. | essential | essential | essential | essential |
| AC-18 | Control connection of mobile devices. | optional | optional | recommended | recommended |
| AC-20 | Verify and control/limit connections to and use of external systems. | optional | recommended | recommended | essential |
| AC-21 | Limit use of portable storage devices on external systems. | optional | optional | recommended | required |
| AC-22 | Control data posted or processed on publicly accessible systems. | optional | optional | required | essential |
These controls ensure that university staff are provided with appropriate training and skills.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| AT-1 | Ensure that managers, systems administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems. | essential | essential | essential | essential |
| AT-2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | required | required | essential | essential |
| AT-3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | required | required | essential | essential |
Audit and accountability controls ensure that the University’s data is properly maintained, including storage, processing and handling.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| AA-1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. | recommended | required | essential | essential |
| AA-2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | optional | recommended | required | essential |
| AA-3 | Review and update logged events. | required | required | essential | essential |
| AA-4 | Alert in the event of an audit logging process failure. | required | required | essential | essential |
| AA-5 | Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity. | required | required | essential | essential |
| AA-6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | recommended | recommended | required | essential |
| AA-7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | required | required | essential | essential |
| AA-8 | Protect audit information and audit logging tools from unauthorized access, modification and deletion. | essential | essential | essential | essential |
| AA-9 | Limit management of audit logging functionality to a subset of privileged users. | essential | essential | essential | essential |
Configurations, systems and software are standardized and managed to ensure they perform in definable and measurable ways.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| CM-1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | recommended | recommended | required | essential |
| CM-4 | Analyze the security impact of changes prior to implementation. | essential | essential | essential | essential |
| CM-7 | Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services. | essential | recommended | essential | essential |
| CM-8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | recommended | recommended | required | essential |
Identification and authentication controls ensure only confirmed and approved identities gain authorized access.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| IA-1 | Identify system users, processes acting on behalf of users, and devices. | recommended | recommended | required | essential |
| IA-3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | recommended | recommended | required | essential |
| IA-4 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | recommended | recommended | required | required |
| IA-5 | Prevent reuse of identifiers for a defined period. | recommended | recommended | required | essential |
| IA-7 | Enforce a minimum password complexity and change of characters when new passwords are created. | required | required | required | required |
| IA-8 | Prohibit password reuse for a specified number of generations. | essential | essential | essential | essential |
| IA-9 | Allow temporary password use for system logons with an immediate change to a permanent password. | recommended | recommended | required | essential |
| IA-11 | Obscure feedback of authentication information. | required | required | essential | essential |
These controls manage the impact of security incidents through response plan testing and creation.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| IR-1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. | essential | essential | essential | essential |
| IR-2 | Track, document and report incidents to designated officials and/or authorities both internal and external to the organization. | required | required | essential | essential |
| IR-3 | Test the organizational incident response capability. | required | required | essential | essential |
Maintenance controls mitigate vulnerabilities through hardware, firmware and software updates.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| M-1 | Perform maintenance on organizational systems. | required | required | essential | essential |
| M-2 | Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance. | required | required | essential | essential |
| M-3 | Ensure equipment removed for off-site maintenance is sanitized of any of the University’s data. | optional | recommended | essential | essential |
| M-5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | recommended | recommended | required | essential |
| M-6 | Supervise the maintenance activities of maintenance personnel without required access authorization. | optional | recommended | essential | essential |
Media protection controls ensure media that hold data, including paper and electronic storage, are protected.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| MP-1 | Protect (i.e., physically control and securely store) system media containing data, both paper and digital. | optional | recommended | essential | essential |
| MP-2 | Limit access to the University’s data on system media to authorized users. | optional | recommended | essential | essential |
| MP-3 | Sanitize or destroy system media containing the University’s data before disposal or release for reuse. | optional | recommended | essential | essential |
| MP-5 | Control access to media containing the University’s data and maintain accountability for media during transport outside of controlled areas. | optional | recommended | essential | essential |
| MP-6 | Implement cryptographic mechanisms to protect the confidentiality of the University’s data stored on digital media during transport unless otherwise protected by alternative physical safeguards. | optional | recommended | essential | essential |
| MP-9 | Protect the confidentiality of backup University data at storage locations. | optional | recommended | essential | essential |
These controls protect University data against unauthorized access through staff authorization changes.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| PS-2 | Ensure that organizational systems containing the University’s data are protected during and after personnel actions such as terminations and transfers. | required | required | essential | essential |
Access to physical systems and locations controlled through appropriate security measures.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| PP-1 | Limit physical access to organizational systems, equipment and the respective operating environments to authorized individuals. | recommended | required | essential | essential |
| PP-3 | Escort visitors and monitor visitor activity. | optional | recommended | recommended | essential |
| PP-4 | Maintain audit logs of physical access. | optional | recommended | recommended | essential |
| PP-5 | Control and manage physical access devices. | required | required | essential | essential |
| PP-6 | Enforce safeguarding measures for the University’s data at alternate work sites. | optional | recommended | essential | essential |
Risk assessment controls ensure appropriate measures are in place to assess and remediate identified risks.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| RA-1 | Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of the University’s data. | required | required | essential | essential |
| RA-2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | required | required | essential | essential |
| RA-3 | Remediate vulnerabilities in accordance with risk assessments. | essential | essential | essential | essential |
Security assessment controls ensure the security program is operating effectively.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| SA-1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | required | required | required | essential |
| SA-2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | required | required | required | essential |
| SA-3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | recommended | recommended | required | essential |
These controls ensure University data is protected from unauthorized exposure while at rest or in transit over university services and networks.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| SCP-1 | Monitor, control and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | recommended | required | essential | essential |
| SCP-2 | Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems. | required | required | essential | essential |
| SCP-8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of the University’s data during transmission unless otherwise protected by alternative physical safeguards. | optional | recommended | essential | essential |
| SCP-10 | Establish and manage cryptographic keys for cryptography employed in organizational systems | required | required | essential | essential |
| SCP-11 | Employ university-approved cryptography when used to protect the confidentiality of the University’s data. | optional | recommended | essential | essential |
| SCP-12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | optional | recommended | recommended | essential |
| SCP-14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | recommended | recommended | required | essential |
| SCP-15 | Protect the authenticity of communications sessions. | recommended | recommended | essential | essential |
| SCP-16 | Protect the confidentiality of the University’s data at rest. | optional | recommended | essential | essential |
These controls ensure University systems, data and processes are trusted and protected against malicious or accidental alteration.
| Control ID | Control description | Data protection classification | |||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | ||
| SII-1 | Identify, report and remediate system flaws in a timely manner. | essential | essential | essential | essential |
| SII-2 | Provide protection from malicious code at designated locations within organizational systems. | required | required | essential | essential |
| SII-3 | Monitor system security alerts and advisories and take action in response. | essential | essential | essential | essential |
| SII-4 | Update malicious code protection mechanisms when new releases are available. | required | required | essential | essential |
| SII-6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | recommended | recommended | required | essential |
