Controls

The Information Security Control Requirements provide detailed implementation guidance for each risk objective specified in the standards. Each standard has its own control document that breaks the risk objectives down into specific controls at various data and system sensitivity levels. The coding scheme makes it easy to identify which controls map to the system security level and the university's priority. This enables university organizations to apply only the controls that are required for their IT resources. The standards are listed below with links to the individual control documents. You must be a member of the campus community to access them and will be prompted to log in.

Security Program logo featuring the Data Policy and Information Security Policy circling the Information Security standards (highlighted), control requirements, and job aids.

Management Controls Index

  • Management
    • MGT01 - Information Risk Management (P1)
    • MGT02 - Information Security Management (P2)
    • MGT03 - Compliance Management (P1)
    • MGT04 - Business Continuity Management (P3)
  • Legal Risk
    • LEG01 - Legal & Regulatory Compliance (P2)
  • Business Risk
    • BUS01 - Financial Systems (P2)
  • Purchasing Risk
    • PUR01 - Contract Management (P3)
  • Personnel Security Risk
    • PS01 - Personnel Security (P2)
  • Facilities Risk
    • FAC01 - IT Site Security (P2)
    • FAC02 - IT Workspace Security (P2)
  • Institutional Data Risk
    • DAT01 - Institutional Data Security (P1)
    • DAT02 - Information Access Control (P1)

Information Technology Controls Index

  • Information Technology
    • IT01 - Disaster Recovery (P1)
    • IT02 - Infrastructure Security (P1)
    • IT03 - Network Security (P1)
    • IT04 - Server Security (P1)
    • IT05 - Identity Management (P1)
    • IT06 - Malicious Software Protection (P1)
    • IT07 - Application Development Security (P1)
    • IT08 - Development Process (P2)
    • IT09 - Vendor Management Security (P2)
    • IT10 - Client Computer Security (P2)
    • IT11 - Mobile Device Security (P2)
    • IT12 - Digital Communications Security (P2)
    • IT13 - Web Application Security (P2)
    • IT14 - Security Incident Management (P2)
    • IT15 - Storage Media Security (P2)
    • IT16 - Security Training (P2)
    • IT17 - Asset Management (P2)
    • IT18 - Software License Management (P3)