The Policy on Information Security and the Protection of Digital Assets protects the privacy, confidentiality, authenticity, integrity and availability of the University’s digital assets. The Policy states, in part, “Across the University, those charged with managing and securing digital assets shall operate in a manner that reduces and mitigates vulnerabilities by following standards, guidelines and procedures for protecting the University’s digital assets.” This document is a view of the Information Security Standard (the Standard). The Standard is endorsed by the University’s Information Security Council and is aligned with the National Institute of Standards and Technology (NIST) 800-171 for protecting data.

Overview

The Standard consists of a set of baseline control statements ordered in groups known as domains. An example of a domain in the Standard is ‘Access Control’. An example of a control in the Access Control domain is:

AC-12 Monitor and control remote access sessions.

Each control is mapped to the data classification and protection standard using the applicability words: essential, required, recommended and optional. Definitions of the applicability words:

Essential: Must be addressed for all current and future systems.

Required: Must be addressed for future systems and prioritized for current systems.

Recommended: Not compulsory but highly encouraged.

Optional: Apply if appropriate.

Domain groups and controls

In addition to the 14 domain groups, there is a further group of controls known as Minimum Standards. The controls listed in it are considered to be the highest priority for implementation. The Minimum Standards group is shown first, followed by the 14 domain groups.

Essential controls that apply to most university systems, procedures and processes.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| MIN-1 | Limit system access to authorized users, processes acting on behalf of authorized users and devices (including other systems). | essential | essential | essential | essential |
| MIN-2 | Ensure that managers, systems administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems. | essential | essential | essential | essential |
| MIN-3 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. | recommended | required | essential | essential |
| MIN-4 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. | essential | essential | essential | essential |
| MIN-5 | Protect (i.e., physically control and securely store) system media containing the University’s data, both paper and digital. | optional | recommended | essential | essential |
| MIN-6 | Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of the University’s data. | required | required | required | required |
| MIN-7 | Remediate vulnerabilities in accordance with risk assessments. | essential | essential | essential | essential |
| MIN-8 | Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems. | required | required | essential | essential |
| MIN-9 | Identify, report and correct system flaws in a timely manner. | essential | essential | essential | essential |
| MIN-10 | Monitor system security alerts and advisories and take action in response. | essential | essential | essential | essential |

These controls ensure authorized personnel, accounts and system processes have access to the university’s data.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| AC-1 | Limit system access to authorized users, processes acting on behalf of authorized users and devices (including other systems). | essential | essential | essential | essential |
| AC-2 | Limit system access to the types of transactions and functions. | recommended | recommended | essential | essential |
| AC-3 | Control the flow of the University’s data in accordance with approved authorizations. | recommended | required | essential | essential |
| AC-4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | optional | optional | recommended | recommended |
| AC-5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | recommended | recommended | essential | essential |
| AC-6 | Use non-privileged accounts or roles when accessing non-security functions. | recommended | recommended | essential | essential |
| AC-7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | required | required | essential | essential |
| AC-8 | Limit unsuccessful login attempts. | recommended | recommended | essential | essential |
| AC-9 | Provide privacy and security notices consistent with applicable university data rules. | required | required | required | essential |
| AC-10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | recommended | recommended | required | essential |
| AC-11 | Automatically terminate a user session after a defined condition. | optional | recommended | required | essential |
| AC-12 | Monitor and control remote access sessions. | recommended | required | essential | essential |
| AC-13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | recommended | required | essential | essential |
| AC-14 | Route remote access via managed access control points. | recommended | required | essential | essential |
| AC-16 | Authorize wireless access prior to allowing such connections. | essential | essential | essential | essential |
| AC-17 | Protect wireless access using authentication and encryption. | essential | essential | essential | essential |
| AC-18 | Control connection of mobile devices. | optional | optional | recommended | recommended |
| AC-20 | Verify and control/limit connections to and use of external systems. | optional | recommended | recommended | essential |
| AC-21 | Limit use of portable storage devices on external systems. | optional | optional | recommended | required |
| AC-22 | Control data posted or processed on publicly accessible systems. | optional | optional | required | essential |

These controls ensure that university staff are provided with appropriate training and skills.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| AT-1 | Ensure that managers, systems administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems. | essential | essential | essential | essential |
| AT-2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | required | required | essential | essential |
| AT-3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | required | required | essential | essential |

Audit and accountability controls ensure that the University’s data is properly maintained, including storage, processing and handling.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| AA-1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. | recommended | required | essential | essential |
| AA-2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | optional | recommended | required | essential |
| AA-3 | Review and update logged events. | required | required | essential | essential |
| AA-4 | Alert in the event of an audit logging process failure. | required | required | essential | essential |
| AA-5 | Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity. | required | required | essential | essential |
| AA-6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | recommended | recommended | required | essential |
| AA-7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | required | required | essential | essential |
| AA-8 | Protect audit information and audit logging tools from unauthorized access, modification and deletion. | essential | essential | essential | essential |
| AA-9 | Limit management of audit logging functionality to a subset of privileged users. | essential | essential | essential | essential |

Configurations, systems and software are standardized and managed to ensure they perform in definable and measurable ways.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| CM-1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | recommended | recommended | required | essential |
| CM-4 | Analyze the security impact of changes prior to implementation. | essential | essential | essential | essential |
| CM-7 | Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services. | essential | recommended | essential | essential |
| CM-8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | recommended | recommended | required | essential |

Identification and authentication controls ensure only confirmed and approved identities gain authorized access.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| IA-1 | Identify system users, processes acting on behalf of users, and devices. | recommended | recommended | required | essential |
| IA-3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | recommended | recommended | required | essential |
| IA-4 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | recommended | recommended | required | required |
| IA-5 | Prevent reuse of identifiers for a defined period. | recommended | recommended | required | essential |
| IA-7 | Enforce a minimum password complexity and change of characters when new passwords are created. | required | required | required | required |
| IA-8 | Prohibit password reuse for a specified number of generations. | essential | essential | essential | essential |
| IA-9 | Allow temporary password use for system logons with an immediate change to a permanent password. | recommended | recommended | required | essential |
| IA-11 | Obscure feedback of authentication information. | required | required | essential | essential |

These controls manage the impact of security incidents through response plan testing and creation.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| IR-1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. | essential | essential | essential | essential |
| IR-2 | Track, document and report incidents to designated officials and/or authorities both internal and external to the organization. | required | required | essential | essential |
| IR-3 | Test the organizational incident response capability. | required | required | essential | essential |

Maintenance controls mitigate vulnerabilities through hardware, firmware and software updates.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| M-1 | Perform maintenance on organizational systems. | required | required | essential | essential |
| M-2 | Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance. | required | required | essential | essential |
| M-3 | Ensure equipment removed for off-site maintenance is sanitized of any of the University’s data. | optional | recommended | essential | essential |
| M-5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | recommended | recommended | required | essential |
| M-6 | Supervise the maintenance activities of maintenance personnel without required access authorization. | optional | recommended | essential | essential |

Media protection controls ensure media that hold data, including paper and electronic storage, are protected.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| MP-1 | Protect (i.e., physically control and securely store) system media containing data, both paper and digital. | optional | recommended | essential | essential |
| MP-2 | Limit access to the University’s data on system media to authorized users. | optional | recommended | essential | essential |
| MP-3 | Sanitize or destroy system media containing the University’s data before disposal or release for reuse. | optional | recommended | essential | essential |
| MP-5 | Control access to media containing the University’s data and maintain accountability for media during transport outside of controlled areas. | optional | recommended | essential | essential |
| MP-6 | Implement cryptographic mechanisms to protect the confidentiality of the University’s data stored on digital media during transport unless otherwise protected by alternative physical safeguards. | optional | recommended | essential | essential |
| MP-9 | Protect the confidentiality of backup University data at storage locations. | optional | recommended | essential | essential |

These controls protect University data against unauthorized access through staff authorization changes.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| PS-2 | Ensure that organizational systems containing the University’s data are protected during and after personnel actions such as terminations and transfers. | required | required | essential | essential |

Access to physical systems and locations is controlled through appropriate security measures.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| PP-1 | Limit physical access to organizational systems, equipment and the respective operating environments to authorized individuals. | recommended | required | essential | essential |
| PP-3 | Escort visitors and monitor visitor activity. | optional | recommended | recommended | essential |
| PP-4 | Maintain audit logs of physical access. | optional | recommended | recommended | essential |
| PP-5 | Control and manage physical access devices. | required | required | essential | essential |
| PP-6 | Enforce safeguarding measures for the University’s data at alternate work sites. | optional | recommended | essential | essential |

Risk assessment controls ensure appropriate measures are in place to assess and remediate identified risks.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| RA-1 | Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of the University’s data. | required | required | essential | essential |
| RA-2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | required | required | essential | essential |
| RA-3 | Remediate vulnerabilities in accordance with risk assessments. | essential | essential | essential | essential |

Security assessment controls ensure the security program is operating effectively.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| SA-1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | required | required | required | essential |
| SA-2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | required | required | required | essential |
| SA-3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | recommended | recommended | required | essential |

These controls ensure University data is protected from unauthorized exposure while at rest or in transit over university services and networks.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| SCP-1 | Monitor, control and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | recommended | required | essential | essential |
| SCP-2 | Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems. | required | required | essential | essential |
| SCP-8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of the University’s data during transmission unless otherwise protected by alternative physical safeguards. | optional | recommended | essential | essential |
| SCP-10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | required | required | essential | essential |
| SCP-11 | Employ university-approved cryptography when used to protect the confidentiality of the University’s data. | optional | recommended | essential | essential |
| SCP-12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | optional | recommended | recommended | essential |
| SCP-14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | recommended | recommended | required | essential |
| SCP-15 | Protect the authenticity of communications sessions. | recommended | recommended | essential | essential |
| SCP-16 | Protect the confidentiality of the University’s data at rest. | optional | recommended | essential | essential |

These controls ensure University systems, data and processes are trusted and protected against malicious or accidental alteration.

| Control ID | Control description | Data protection classification: Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| SII-1 | Identify, report and remediate system flaws in a timely manner. | essential | essential | essential | essential |
| SII-2 | Provide protection from malicious code at designated locations within organizational systems. | required | required | essential | essential |
| SII-3 | Monitor system security alerts and advisories and take action in response. | essential | essential | essential | essential |
| SII-4 | Update malicious code protection mechanisms when new releases are available. | required | required | essential | essential |
| SII-6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | recommended | recommended | required | essential |