Standards

The Information Security Standards correlate to 30 risk area topics for the university. They are divided into two groups: Management Standards and Information Technology Standards.

The Standards have their mandate in the Information Technology policy, and the data classifications are defined in DAT01. Each Standard has a risk statement that is the goal for the standard, followed by the risk objectives that meet that goal. Each Standard is then given a priority so that leaders can focus on specific areas of need. These risk areas are used to organize, measure, and manage risk levels consistently across the university. For information on implementing the objectives, see the controls page; access requires university membership.

The 30 risk areas can be found in the table below with links to the detailed objectives.

Security Program logo featuring the Data Policy and Information Security Policy circling the Information Security standards (highlighted), control requirements, and job aids.

Management Standards Index

  • Management Risk
    • MGT01 - Information Risk Management (P1)
    • MGT02 - Information Security Management (P2)
    • MGT03 - Compliance Management (P1)
    • MGT04 - Business Continuity Management (P3)
  • Legal Risk
    • LEG01 - Legal & Regulatory Compliance (P2)
  • Business Risk
    • BUS01 - Financial Systems (P2)
  • Purchasing Risk
    • PUR01 - Contract Management (P3)
  • Personnel Security Risk
    • PS01 - Personnel Security (P2)
  • Facilities Risk
    • FAC01 - IT Site Security (P2)
    • FAC02 - IT Workspace Security (P2)
  • Institutional Data Risk
    • DAT01 - Institutional Data Security (P1)
    • DAT02 - Information Access Control (P1)

Information Technology Standards Index

  • Information Technology Risk
    • IT01 - Disaster Recovery (P1)
    • IT02 - Infrastructure Security (P1)
    • IT03 - Network Security (P1)
    • IT04 - Server Security (P1)
    • IT05 - Identity Management (P1)
    • IT06 - Malicious Software Protection (P1)
    • IT07 - Application Development Security (P1)
    • IT08 - Development Process (P2)
    • IT09 - Vendor Management Security (P2)
    • IT10 - Client Computer Security (P2)
    • IT11 - Mobile Device Security (P2)
    • IT12 - Digital Communications Security (P2)
    • IT13 - Web Application Security (P2)
    • IT14 - Security Incident Management (P2)
    • IT15 - Storage Media Security (P2)
    • IT16 - Security Training (P2)
    • IT17 - Asset Management (P2)
    • IT18 - Software License Management (P3)

MGT01 - MANAGEMENT RISK: Information Risk Management

Risk Statement: To ensure that information risks are identified and treated

Risk Objectives:

  • MGT01.1 - A risk assessment must be performed periodically.
  • MGT01.2 - A risk management strategy must be developed and maintained.

Priority: P1

MGT02 - MANAGEMENT RISK: Information Security Management

Risk Statement: To ensure the information security program manages information risks.

Risk Objectives:

  • MGT02.1 - An information security plan must be developed and maintained.
  • MGT02.2 - Information security role(s) must be assigned.
  • MGT02.3 - Information security resources must be allocated.

Priority: P2

MGT03 - MANAGEMENT RISK: Compliance Management

Risk Statement: To ensure the risk management and information security programs effectively identify and manage information risks.

Risk Objectives:

  • MGT03.1 - Security assessments must be performed periodically.
  • MGT03.2 - Penetration testing must be performed where required by regulation.

Priority: P1

MGT04 - MANAGEMENT RISK: Business Continuity Management Risk

Risk Statement: To limit the negative impact of a disruptive event upon university operations.

Risk Objectives:

  • MGT04.1 - Business continuity plan(s) must be developed and maintained.

Priority: P3

LEG01 - LEGAL RISK: Legal And Regulatory Compliance Risk

Risk Statement: To ensure compliance with legal and regulatory requirements for risk management and information security.

Risk Objectives:

  • LEG01.1 - Applicable legislation and regulations must be identified and reviewed periodically.

Priority: P2

BUS01 - BUSINESS RISK: Financial Systems-related Risk

Risk Statement: To prevent financial fraud.

Risk Objectives:

  • BUS01.1 - Segregation of duties must be verified in applicable financial systems.

Priority: P2

PUR01 - PURCHASING RISK: Contract Management Risk

Risk Statement: To ensure third party software product and service vendors are contractually obligated to satisfy The University of Illinois at Urbana-Champaign’s information security requirements.

Risk Objectives:

  • PUR01.1 - An acquisition process that includes security requirements must be used for the purchase of software products and information services.
  • PUR01.2 - Contracts with third party software product and information service vendors must stipulate that their software and services satisfy the requirements of The University of Illinois at Urbana-Champaign’s Information Security Standards.
  • PUR01.3 - Contracts with third parties that need data and/or network access must require documented and approved access agreements.
  • PUR01.4 - Contracts with third parties that have personnel who will need access to The University of Illinois at Urbana-Champaign’s internal information systems must require that their personnel review and comply with the Policy On Appropriate Use of Computers and Network Systems at the University of Illinois at Urbana-Champaign.
  • PUR01.5 - Contracts with third parties that have personnel who will need access to data must require that background checks are performed on their personnel before access is granted.

Priority: P3

PS01 - EMPLOYMENT RISK: Personnel Security

Risk Statement: To ensure that personnel-related risk is managed throughout the lifecycle of the University Community Member relationship.

Risk Objectives:

  • PS01.1 - Personnel must have a background check performed before being placed in positions where they will have access to data.
  • PS01.2 - Digital identities must be disabled/deleted, access rights must be removed, and university information assets and data must be retrieved and/or relinquished when personnel transfer within or are separated from the organization.

Priority: P2

FAC01 - FACILITIES RISK: IT Site Security

Risk Statement: To prevent the theft of, tampering with, or destruction of information assets in university locations.

Risk Objectives:

  • FAC01.1 - University locations must be equipped with physical access controls.

Priority: P2

FAC02 - FACILITIES RISK: IT Workspace Security

Risk Statement: To prevent the theft of, tampering with, or destruction of information assets within workspaces.

Risk Objectives:

  • FAC02.1 - Workspace locations must be equipped with physical access controls.

Priority: P2

DAT01 - INSTITUTIONAL DATA RISK: Institutional Data Security

Risk Statement: To ensure the proper classification, labeling, and handling of institutional data.

Risk Objectives:

  • DAT01.1 - Data must be categorized according to University of Illinois at Urbana-Champaign’s Data Management Policy.
  • DAT01.2 - University records must be managed according to records retention and disposition schedules.
  • DAT01.3 - Data must be protected during storage as indicated by the data classification level.
  • DAT01.4 - Data must be protected during transit as indicated by the data classification level.
  • DAT01.5 - University-approved cryptography must be used as indicated by the data classification level.
  • DAT01.6 - Networks, servers, and client systems must be monitored to detect the disclosure of institutional data.

Priority: P1

DAT02 - INSTITUTIONAL DATA RISK: Information Access Control

Risk Statement: To ensure authorized access, use, and modification of institutional data as defined by University of Illinois at Urbana-Champaign’s Data Management Policy.

Risk Objectives:

  • DAT02.1 - Information systems must enforce access controls.
  • DAT02.2 - Users must receive only the minimum amount of access required to perform their work.

Priority: P1

IT01 - INFORMATION TECHNOLOGY RISK: Disaster Recovery

Risk Statement: To limit the negative impact of a disruptive event upon IT operations and to ensure the timely access to information assets.

Risk Objectives:

  • IT01.1 - Backups must be made of information systems periodically.
  • IT01.2 - A disaster recovery plan must be developed and maintained.

Priority: P1

IT02 - INFORMATION TECHNOLOGY RISK: Infrastructure Security

Risk Statement: To ensure university locations that house infrastructure are securely maintained.

Risk Objectives:

  • IT02.1 - Infrastructure locations must be equipped with physical access controls.
  • IT02.2 - Configuration changes must be made using a formal change control process.
  • IT02.3 - Electricity must be provided from an alternate source in case of an emergency.
  • IT02.4 - Fire detection and fire suppression systems must be maintained.
  • IT02.5 - Temperature and humidity must be monitored and controlled.

Priority: P1

IT03 - INFORMATION TECHNOLOGY RISK: Network Security

Risk Statement: To ensure the secure operation of network devices and timely access to network services.

Risk Objectives:

  • IT03.1 - A predefined, secure configuration must be used.
  • IT03.2 - A minimal configuration must be used with only essential services enabled and configured.
  • IT03.3 - Configuration changes must be made using a formal change control process.
  • IT03.4 - Software flaws must be identified and corrected.
  • IT03.5 - Current, vendor-supported software and firmware must be used.
  • IT03.6 - Network device and security events must be logged and monitored.
  • IT03.7 - Network device clocks must be synchronized with a university-approved time source.
  • IT03.8 - Secure remote access must be enforced.
  • IT03.9 - Secure network boundaries must be enforced.
  • IT03.10 - Network device vulnerabilities must be identified and managed.
  • IT03.11 - The network must be monitored to detect unauthorized access or exploit.
  • IT03.12 - The effects of denial of service attacks must be limited.
  • IT03.13 - Maintenance must be provided by authorized personnel without compromising device security or disclosing data.
  • IT03.14 - Secure wireless access must be enforced.

Priority: P1

IT04 - INFORMATION TECHNOLOGY RISK: Server Security

Risk Statement: To ensure the secure operation of server systems and timely access to services.

Risk Objectives:

  • IT04.1 - A predefined, secure configuration must be used.
  • IT04.2 - A minimal configuration must be used with only essential services enabled and configured.
  • IT04.3 - Configuration changes must be made using a formal change control process.
  • IT04.4 - Software flaws must be identified and corrected.
  • IT04.5 - Current, vendor-supported software and firmware must be used.
  • IT04.6 - System and security events must be logged and monitored.
  • IT04.7 - System clocks must be synchronized with a university-approved time source.
  • IT04.8 - Secure remote access must be enforced.
  • IT04.9 - Secure host boundaries/perimeter must be enforced (e.g. firewalls).
  • IT04.10 - Server system vulnerabilities must be identified and managed.
  • IT04.11 - Server systems must be monitored to detect unauthorized access or exploit.
  • IT04.12 - The effects of denial of service attacks must be limited.
  • IT04.13 - Maintenance must be provided by authorized personnel without compromising server security or disclosing data.
  • IT04.14 - Name/address resolution services (DNS) must be securely configured and managed.
  • IT04.15 - Database management services must be securely configured and managed.
  • IT04.16 - A system security plan must be used.

Priority: P1

IT05 - INFORMATION TECHNOLOGY RISK: Identity Management

Risk Statement: To ensure the secure use and management of digital identities and that secure authentication processes are used.

Risk Objectives:

  • IT05.1 - Information systems must require authentication before providing access.
  • IT05.2 - Digital identities must be securely managed.
  • IT05.3 - Authentication credentials must be securely managed.
  • IT05.4 - Authentication processes must enforce a limit of consecutive invalid logon attempts.
  • IT05.5 - Identity management servers must be securely configured and managed.

Priority: P1

IT06 - INFORMATION TECHNOLOGY RISK: Malicious Software Protection

Risk Statement: To ensure information systems are protected from exploitation by malicious software.

Risk Objectives:

  • IT06.1 - Software to prevent malicious code from compromising a system must be used to detect and remove malicious software.

Priority: P1

IT07 - INFORMATION TECHNOLOGY RISK: Application Development Security

Risk Statement: To ensure secure operation of applications; that applications produce the correct results and perform only authorized transactions; and that data is not inadvertently exposed during processing.

Risk Objectives:

  • IT07.1 - Input data must be validated.
  • IT07.2 - Error messages must be produced without exposing data.
  • IT07.3 - Segregation of duties must be implemented in applicable financial systems.
  • IT07.4 - A system use notification banner must be displayed.
  • IT07.5 - Secure application boundaries must be enforced using application-based tools.
  • IT07.6 - Application and security events must be logged.
  • IT07.7 - Session locks must be enforced after periods of inactivity.
  • IT07.8 - Applications must limit the effects of denial of service attacks.
  • IT07.9 - Application data must be protected during processing as indicated by the data classification level.
  • IT07.10 - Application developers must have the requisite skills to develop secure applications.
  • IT07.11 - Current, vendor-supported development environments and tools must be used.

Priority: P1

IT08 - INFORMATION TECHNOLOGY RISK: Development Process

Risk Statement: To ensure the software development process produces secure applications.

Risk Objectives:

  • IT08.1 - A formal software development process must be used.
  • IT08.2 - Application and configuration changes must be made using a formal change control process.
  • IT08.3 - Third-party agreements must require that external information services providers satisfy the requirements of University of Illinois at Urbana-Champaign’s Information Security Standards.
  • IT08.4 - Internal and external connections to university information systems must be documented and approved.

Priority: P2

IT09 - INFORMATION TECHNOLOGY RISK: Vendor Management Security

Risk Statement: To ensure third party software product and information service vendors are meeting contractually defined service levels and University of Illinois at Urbana-Champaign’s information security requirements.

Risk Objectives:

  • IT09.1 - Software and services provided by third party software product and information service vendors must be verified to ensure they satisfy the requirements of the University of Illinois at Urbana-Champaign Information Security Standards.

Priority: P2

IT10 - INFORMATION TECHNOLOGY RISK: Client Computer Security

Risk Statement: To ensure the secure operation of client systems and applications.

Risk Objectives:

  • IT10.1 - A predefined, secure configuration must be used.
  • IT10.2 - A minimal configuration must be used with only essential services enabled and configured.
  • IT10.3 - Configuration changes must be made using a formal change control process.
  • IT10.4 - Software flaws must be identified and corrected.
  • IT10.5 - Current, vendor-supported software and firmware must be used.
  • IT10.6 - System and security events must be logged and monitored.
  • IT10.7 - System clocks must be synchronized with a university-approved time source.
  • IT10.8 - Secure remote access must be enforced.
  • IT10.9 - Secure system boundaries must be enforced.
  • IT10.10 - Client system vulnerabilities must be identified and managed.

Priority: P2

IT11 - INFORMATION TECHNOLOGY RISK: Mobile Device Security

Risk Statement: To ensure the secure operation of mobile devices and applications.

Risk Objectives:

  • IT11.1 - Mobile devices accessing University of Illinois at Urbana-Champaign’s data must be configured with a basic security configuration.
  • IT11.2 - Mobile devices must be owned by the University and securely managed (mobile device management (MDM)) or configured with a secure access application (mobile application management (MAM)).
  • IT11.3 - Configuration changes to the MDM or MAM system must be made using a formal change control process.
  • IT11.4 - Software flaws in MDM or MAM systems and mobile devices must be identified and corrected.
  • IT11.5 - Current, vendor-supported MDM and MAM software must be used.
  • IT11.6 - System and security events from MDM or MAM systems must be logged and monitored.
  • IT11.7 - A predefined, secure configuration must be used.
  • IT11.8 - MDM systems must be able to remotely erase and reset mobile devices; MAM systems must be able to remotely erase the MAM application data.
  • IT11.9 - MDM or MAM systems must be monitored to detect unauthorized administrative access or exploit.

Priority: P2

IT12 - INFORMATION TECHNOLOGY RISK: Digital Communications Security

Risk Statement: To ensure the secure operation of and timely access to messaging services.

Risk Objectives:

  • IT12.1 - Filter mechanisms must be used to detect and remove or block unsolicited bulk messages (e.g., spam or Spam over Internet Telephony (SPIT)) and social engineering attacks (e.g., phishing).
  • IT12.2 - Malicious code protection software must be used to detect and remove or block malicious messages or attachments.
  • IT12.3 - Messaging servers must be securely configured and managed.
  • IT12.4 - Messages must be transmitted using encryption as indicated by the data classification level.
  • IT12.5 - Voice over Internet Protocol (VoIP) services must be securely configured and managed.

Priority: P2

IT13 - INFORMATION TECHNOLOGY RISK: Web Application Security

Risk Statement: To ensure the secure operation of web applications.

Risk Objectives:

  • IT13.1 - Secure sessions must be enforced.
  • IT13.2 - Web application vulnerabilities must be identified and managed.

Priority: P2

IT14 - INFORMATION TECHNOLOGY RISK: Security Incident Management

Risk Statement: To ensure prompt, effective response to information security incidents.

Risk Objectives:

  • IT14.1 - An incident response plan must be developed and maintained.
  • IT14.2 - Responses to information security incidents must be coordinated and managed.
  • IT14.3 - Security incidents must be reported promptly to Privacy and Information Security.

Priority: P2

IT15 - INFORMATION TECHNOLOGY RISK: Storage Media Security

Risk Statement: To ensure that storage media and documents are used securely.

Risk Objectives:

  • IT15.1 - Physical access to storage media and documents must be controlled.
  • IT15.2 - Storage media and documents must be disposed of securely.
  • IT15.3 - Data must be encrypted on storage media as indicated by the data classification level.

Priority: P2

IT16 - INFORMATION TECHNOLOGY RISK: Security Training

Risk Statement: To ensure users are aware of security threats and behavior that makes them vulnerable.

Risk Objectives:

  • IT16.1 - All users must participate in information security awareness programs.

Priority: P2

IT17 - INFORMATION TECHNOLOGY RISK: Asset Management

Risk Statement: To ensure that information assets are identified so they can be managed securely.

Risk Objectives:

  • IT17.1 - An inventory must be maintained of all university-owned network devices, information systems, and mobile devices.

Priority: P2

IT18 - INFORMATION TECHNOLOGY RISK: Software License Management

Risk Statement: To ensure that software is being used in compliance with license agreements and copyright law.

Risk Objectives:

  • IT18.1 - An inventory must be maintained of all software, software licenses, and related purchase records.

Priority: P3