Information Security is guided by University Policy 311 (Information Security) and the internationally recognized ISO/IEC 27002 code of practice. Standards and guidelines support Policy 311:
- Standards outline the minimum requirements designed to address certain risks and specific requirements that ensure compliance with Policy 311. These provide a basis for verifying compliance through audits and assessments. All units must comply with the standards by following prescribed procedures or by developing unit-specific procedures that meet or exceed the minimum requirements established by the standards.
- Guidelines offer general recommendations or instructions that provide a framework for achieving compliance with standards. They are more technical in nature and are updated on a more frequent basis to account for changes in technology and/or University practices.
Access Control
- Standard for Account Passwords
- Standard for Business Requirements for Access Control
- Standard for Responsible Use
- Standard for System and Application Access Control
- Standard for User Access Management
- InCommon Federation: Participant Operational Practices (POP)
Business Continuity Management
Communications Security
Compliance
- Standard for Compliance with Legal and Contractual Requirements
- Standard for Information Security Reviews
- Payment (Credit/Debit) Card Processing Standard
- Identity Theft Prevention Program
Data Management
Encryption and Cryptographic Controls
Human Resources Security
Information Security Incident Management
Information Security Organization
Mobile and Remote Access
Operations Security
Physical and Environmental Security
- Standard for Physical and Environmental Security - Equipment
- Standard for Physical and Environmental Security - Secure Areas
System Acquisition, Development and Maintenance
- Standard for Protection of Test Data
- Standard for Security in Development and Support Processes
- Standard for Security Requirements of Information Systems