Standards

Risk Statement: To ensure that information risks are identified and treated

Risk Objectives:

• MGT01.1 - A risk assessment must be performed periodically.
• MGT01.2 - A risk management strategy must be developed and maintained.

Priority: P1

Risk Statement: To ensure the information security program manages information risks.

Risk Objectives:

• MGT02.1 - An information security plan must be developed and maintained
• MGT02.2 - Information security role(s) must be assigned.
• MGT02.2 - Information security resources must be allocated.

Priority: P2

Risk Statement: To ensure the risk management and information security programs effectively identify and manage information risks.

Risk Objectives:

• MGT03.1 - Security assessments must be performed periodically.
• MGT03.2 - Penetration testing must be performed where required by regulation.

Priority: P1

Risk Statement: To limit the negative impact of a disruptive event upon university operations.

Risk Objectives:

• MGT04.1 - Business continuity plan(s) must be developed and maintained.

Priority: P3

Risk Statement: To ensure compliance with legal and regulatory requirements for risk management and information security.

Risk Objectives:

• LEG01.1 - Applicable legislation and regulations must be identified and reviewed periodically.

Priority: P2

Risk Statement: To prevent financial fraud.

Risk Objectives:

• BUS01.1 - Segregation of duties must be verified in applicable financial systems.

Priority: P2

Risk Statement: To ensure third party software product and service vendors are contractually obligated to satisfy The University of Illinois at Urbana-Champaign’s information security requirements.

Risk Objectives:

• PUR01.1 - An acquisition process that includes security requirements must be used for the purchase of software products and information services.
• PUR01.2 - Contracts with third party software product and information service vendors must stipulate that their software and services satisfy the requirements of The University of Illinois at Urbana-Champaign’s Information Security Standards.
• PUR01.3 - Contracts with third parties that need data and/or network access must require documented and approved access agreements.
• PUR01.4 - Contracts with third parties that have personnel who will need access to The University of Illinois at Urbana-Champaign’s internal information systems must require that their personnel review and comply with the Policy On Appropriate Use of Computers and Network Systems at the University of Illinois at Urbana-Champaign.
• PUR01.5 - Contracts with third parties that have personnel who will need access to data must require that background checks are performed on their personnel before access is granted.

Priority: P3

Risk Statement: To ensure that personnel-related risk is managed throughout the lifecycle of the University Community Member relationship.

Risk Objectives:

• PS01.1 - Personnel must have a background check performed before being placed in positions where they will have access to data.
• PS01.2 - Digital identities must be disabled/deleted, access rights must be removed, and university information assets and data must be retrieved and/or relinquished when personnel transfer within or are separated from the organization.

Priority: P2

Risk Statement: To prevent the theft of, tampering with, or destruction of information assets in university locations.

Risk Objectives:

• FAC01.1 - University locations must be equipped with physical access controls.

Priority: P2

Risk Statement: To prevent the theft of, tampering with, or destruction of information assets within workspaces.

Risk Objectives:

• FAC02.1 - Workspace locations must be equipped with physical access controls.

Priority: P2

Risk Statement: To ensure the proper classification, labeling, and handling of institutional data.

Risk Objectives:

• DAT01.1 - Data must be categorized according to University of Illinois at Urbana-Champaign’s Data Management Policy.
• DAT01.2 - University records must be managed according to records retention and disposition schedules.
• DAT01.3 - Data must be protected during storage as indicated by the data classification level.
• DAT01.4 - Data must be protected during transit as indicated by the data classification level.
• DAT01.5 - University-approved cryptography must be used as indicated by the data classification level.
• DAT01.6 - Networks, servers, and client systems must be monitored to detect the disclosure of institutional data.

Priority: P1

Risk Statement: To ensure authorized access, use, and modification of institutional data as defined by University of Illinois at Urbana-Champaign’s Data Management Policy.

Risk Objectives:

• DAT02.1 - Information systems must enforce access controls.
• DAT02.2 - Users must receive only the minimum amount of access required to perform their work

Priority: P1

Risk Statement: To limit the negative impact of a disruptive event upon IT operations and to ensure the timely access to information assets.

Risk Objectives:

• IT01.1 - Backups must be made of information systems periodically.
• IT01.2 - A disaster recovery plan must be developed and maintained.

Priority: P1

Risk Statement: To ensure university locations that house infrastructure are securely maintained.

Risk Objectives:

• IT02.1 - Infrastructure locations must be equipped with physical access controls.
• IT02.2 - Configuration changes must be made using a formal change control process.
• IT02.3 - Electricity must be provided from an alternate source in case of an emergency.
• IT02.4 - Fire detection and fire suppression systems must be maintained.
• IT02.5 - Temperature and humidity must be monitored and controlled.

Priority: P1

Risk Statement: To ensure the secure operation of network devices and timely access to network services.

Risk Objectives:

• IT03.1 - A predefined, secure configuration must be used.
• IT03.2 - A minimal configuration must be used with only essential services enabled and configured.
• IT03.3 - Configuration changes must be made using a formal change control process
• IT03.4 - Software flaws must be identified and corrected.
• IT03.5 - Current, vendor-supported software and firmware must be used.
• IT03.6 - Network device and security events must be logged and monitored.
• IT03.7 - Network device clocks must be synchronized with a university-approved time source.
• IT03.8 - Secure remote access must be enforced.
• IT03.9 - Secure network boundaries must be enforced.
• IT03.10 - Network device vulnerabilities must be identified and managed.
• IT03.11 - The network must be monitored to detect unauthorized access or exploit.
• IT03.12 - The effects of denial of service attacks must be limited
• IT03.13 - Maintenance must be provided by authorized personnel without compromising device security or disclosing data.
• IT03.14 - Secure wireless access must be enforced.

Priority: P1

Risk Statement: To ensure the secure operation of server systems and timely access to services.

Risk Objectives:

• IT04.1 - A predefined, secure configuration must be used
• IT04.2 - A minimal configuration must be used with only essential services enabled and configured.
• IT04.3 - Configuration changes must be made using a formal change control process.
• IT04.4 - Software flaws must be identified and corrected.
• IT04.5 - Current, vendor-supported software and firmware must be used.
• IT04.6 - System and security events must be logged and monitored .
• IT04.7 - System clocks must be synchronized with a university-approved time source.
• IT04.8 - Secure remote access must be enforced.
• IT04.9 - Secure host boundaries/perimeter must be enforced (e.g. firewalls).
• IT04.10 - Server system vulnerabilities must be identified and managed.
• IT04.11 - Server systems must be monitored to detect unauthorized access or exploit.
• IT04.12 - The effects of denial of service attacks must be limited
• IT04.13 - Maintenance must be provided by authorized personnel without compromising server security or disclosing data.
• IT04.14 - Name/address resolution services (DNS) must be securely configured and managed.
• IT04.15 - Database management services must be securely configured and managed.
• IT04.16 - A system security plan must be used.

Priority: P1

Risk Statement: To ensure the secure use and management of digital identities and that secure authentication processes are used.

Risk Objectives:

• IT05.1 - Information systems must require authentication before providing access.
• IT05.2 - Digital identities must be securely managed.
• IT05.3 - Authentication credentials must be securely managed.
• IT05.4 - Authentication processes must enforce a limit of consecutive invalid logon attempts.
• IT05.5 - Identity management servers must be securely configured and managed.

Priority: P1

Risk Statement: To ensure information systems are protected from exploitation by malicious software.

Risk Objectives:

• IT06.1 - Software to prevent malicious code from compromising a system must be used to detect and remove malicious software.

Priority: P1

Risk Statement: To ensure secure operation of applications; that applications produce the correct results and perform only authorized transactions; and that data is not inadvertently exposed during processing.

Risk Objectives:

• IT07.1 - Input data must be validated.
• IT07.2 - Error messages must be produced without exposing data.
• IT07.3 - Segregation of duties must be implemented in applicable financial systems.
• IT07.4 - A system use notification banner must be displayed.
• IT07.5 - Secure application boundaries must be enforced using application-based tools.
• IT07.6 - Application and security events must be logged.
• IT07.7 - Session locks are enforced after periods of inactivity.
• IT07.8 - Applications must limit the effects of denial of service attacks.
• IT07.9 - Application data must be protected during processing as indicated by the data classification level.
• IT07.10 - Application developers must have the requisite skills to develop secure applications.
• IT07.11 - Current, vendor-supported development environments and tools must be used.

Priority: P1

Risk Statement: To ensure the software development process produces secure applications

Risk Objectives:

• IT08.1 - A formal software development process must be used.
• IT08.2 - Application and configuration changes must be made using a formal change control process.
• IT08.3 - Third-party agreements must require that external information services providers satisfy the requirements of University of Illinois at Urbana-Champaign’s Information Security Standards.
• IT08.4 - Internal and external connections to university information systems must be documented and approved.

Priority: P2

Risk Statement: To ensure third party software product and information service vendors are meeting contractually defined service levels and University of Illinois at Urbana-Champaign’s information security requirements.

Risk Objectives:

• IT09.1 - Software and services provided by third party software product and information service vendors must be verified to ensure they satisfy the requirements of the University of Illinois at Urbana-Champaign Information Security Standards.

Priority: P2

Risk Statement: To ensure the secure operation of client systems and applications.

Risk Objectives:

• IT10.1 - A predefined, secure configuration must be used.
• IT10.2 - A minimal configuration must be used with only essential services enabled and configured.
• IT10.3 - Configuration changes must be made using a formal change control process.
• IT10.4 - Software flaws must be identified and corrected.
• IT10.5 - Current, vendor-supported software and firmware must be used.
• IT10.6- System and security events must be logged and monitored.
• IT10.7 - System clocks must be synchronized with a university-approved time source.
• IT10.8 - Secure remote access must be enforced.
• IT10.9 - Secure system boundaries must be enforced.
• IT10.10 - Client system vulnerabilities must be identified and managed.

Priority: P2

Risk Statement: To ensure the secure operation of mobile devices and applications.

Risk Objectives:

• IT11.1 - Mobile devices accessing University of Illinois at Urbana-Champaign’s data must be configured with a basic security configuration.
• IT11.2 - Mobile devices must be owned by the University and securely managed (mobile device management (MDM)) or configured with a secure access application (mobile application management (MAM)).
• IT11.3 - Configuration changes to the MDM or MAM system must be made using a formal change control process
• IT11.4 - Software flaws in MDM or MAM systems and mobile devices must be identified and corrected.
• IT11.5 - Current, vendor-supported MDM and MAM software must be used.
• IT11.6 - System and security events from MDM or MAM systems must be logged and monitored.
• IT11.7 - A predefined, secure configuration must be used.
• IT11.8 - MDM systems must be able to be remotely erase and reset mobile devices; MAM systems must be able to remotely erase the MAM application data.
• IT11.9 - MDM or MAM systems must be monitored to detect unauthorized administrative access or exploit

Priority: P2

Risk Statement: To ensure the secure operation of and timely access to messaging services.

Risk Objectives:

• IT12.1 - Filter mechanisms must be used to detect and remove or block unsolicited bulk messages (e.g., spam or Spam over Internet Telephony (SPIT)) and social engineering attacks (e.g., Phishing, etc.)
• IT12.2 - Malicious code protection software must be used to detect and remove or block malicious messages or attachments.
• IT12.3 - Messaging servers must be securely configured and managed.
• IT12.4 - Messages must be transmitted using encryption as indicated by the data classification level.
• IT12.5 - Voice over Internet Protocol (VoIP) services must be securely configured and managed.

Priority: P2

Risk Statement: To ensure the secure operation of web applications.

Risk Objectives:

• IT13.1 - Secure sessions must be enforced.
• IT13.2 - Web application vulnerabilities must be identified and managed.

Priority: P2

Risk Statement: To ensure prompt, effective response to information security incidents.

Risk Objectives:

• IT14.1 - An incident response plan must be developed and maintained.
• IT14.2 - Responses to information security incidents must be coordinated and managed. 

• IT14.3 - Security incidents must be reported promptly to Privacy and Information Security

Priority: P2

Risk Statement: To ensure that storage media and documents are used securely.

Risk Objectives:

• IT15.1 - Physical access to storage media and documents must be controlled.
• IT15.2 - Storage media and documents must be disposed of securely.
• IT15.3 - Data must be encrypted on storage media as indicated by the data classification level.

Priority: P2

Risk Statement: To ensure users are aware of security threats and behavior that makes them vulnerable.

Risk Objectives:

• IT16.1 - All users must participate in information security awareness programs.

Priority: P2

Risk Statement: To ensure that information assets are identified so they can be managed securely.

Risk Objectives:

• IT17.1 - An inventory must be maintained of all university-owned network devices, information systems and mobile devices

Priority: P2

Risk Statement: To ensure that software is being used in compliance with license agreements and copyright law

Risk Objectives:

• IT18.1 - An inventory must be maintained of all software, software licenses, and related purchase records.

Priority: P3