University of Illinois System

Job Aids

Over a multi-year period, the Security Program continues to develop job aids in the form of documentation (procedures, checklists, templates) and software tools as needed to support the implementation of the standards and controls. Job aids help organizations implement controls and control requirements effectively and efficiently.

Data Classification

If you're not sure what kind of data you work with, check the flowchart below.

Data Survey

The data survey tool is available to any campus member who wants to evaluate their work or research data for data classification. By answering a series of questions the data is classified into one of the four levels defined in the DAT01: High Risk, Sensitive, Internal or Public. The data survey tool is available here:

Exception Process

The Illinois Security Program recognizes that business goals, research projects, and educational objectives happening at the university could justify an exception to the Standards & Controls defined for the program. The Information Security Policy call for an exception process. Each exception request is carefully considered by unit leadership and the Office of Privacy and Information Assurance. We have developed risk acceptance process for some specific use cases such as end of life operating system and SSH firewall exception. We will add to this list as common use cases present themselves. Any Standard or specific Control can have an exception if you have a business case and risk acceptance from campus and unit leadership. For any questions about exceptions or the process please contact

Risk level is a component of all exception requests. Use this form to help determine risk level:

General Exception Process:
End of Life Operating System Exception Process:
Firewall SSH Block Exception Process:

CIS Benchmarks and Assessor

The Center for Internet Security has a series of published benchmarks for securing Linux, Windows, Cloud Providers, Mobile Devices, Networking Equipment, and many more.  The benchmarks often include multiple levels depending on how hardened the system needs to be as referenced by the security controls. These benchmarks are used to provide best practices to the campus community on creating secure deploy-able systems.

The benchmarks can be accessed by creating an account with your address. Visit to create the account and start working with the benchmarks.

Included is CIS-CAT which is an automated assessor of systems. It enables IT pros to check their systems automatically against the CIS benchmarks to determine if they are meeting the benchmark.  The assessor, along with the benchmarks themselves, provide clear step-by-step instructions in remediation of the issues found by the assessor. 

Security Program logo featuring the Data Policy and Information Security Policy circling the Information Security standards (highlighted), control requirements, and job aids.