Standards and Controls

The Information Technology Standards and Controls listed below have been adopted as campus-wide policy at the Urbana and Springfield campuses as well as the University System Offices. Questions about the standards and controls should be sent to digitalrisk@illinois.edu.

Information Security Controls provide implementation information for each standard at various risk levels. The controls could be interpreted as a “how-to” version of the standards. A coding scheme makes it easy to cross-reference between the documents. To better guide prioritization efforts, the detailed controls are specified according to the level of data being protected, as defined by the Data Management Policy.

We will continue to develop job aids in the form of documentation (procedures, checklists, templates) and software tools to support implementation of standards and controls. 

The standards are listed below with links to the individual control documents. You must be a member of the campus community to access them and will be prompted to log in.


STANDARD: RISK STATEMENT
MGT01 – Information Risk Management: To ensure that information risks are identified and treated.
MGT02 – Information Security Management: To ensure the information security program manages information risks.
MGT03 – Compliance Management: To ensure the risk management and information security programs effectively identify and manage information risks.
MGT04 – Business Continuity Management: To limit the negative impact of a disruptive event upon university operations.
LEG01 – Legal & Regulatory Compliance: To ensure compliance with legal and regulatory requirements for risk management and information security.
BUS01 – Financial Systems: To prevent financial fraud.
PUR01 – Contract Management: To ensure third party software product and service vendors are contractually obligated to satisfy the University of Illinois at Urbana-Champaign's information security requirements.
PS01 – Personnel Security: To ensure that personnel-related risk is managed throughout the lifecycle of the University Community Member relationship.
FAC01 – IT Site Security: To prevent the theft of, tampering with, or destruction of information assets in university locations.
FAC02 – IT Workspace Security: To prevent the theft of, tampering with, or destruction of information assets within workspaces.
DAT01 – Institutional Data Security: To ensure the proper classification, labeling, and handling of institutional data.
DAT02 – Information Access Control: To ensure authorized access, use, and modification of institutional data as defined by the University of Illinois at Urbana-Champaign's Data Management Policy.
IT01 – Disaster Recovery: To limit the negative impact of a disruptive event upon IT operations and to ensure timely access to information assets.
IT02 – Infrastructure Security: To ensure university locations that house infrastructure are securely maintained.
IT03 – Network Security: To ensure the secure operation of network devices and timely access to network services.
IT04 – Server Security: To ensure the secure operation of server systems and timely access to services.
IT05 – Identity Management: To ensure the secure use and management of digital identities and that secure authentication processes are used.
IT06 – Malicious Software Protection: To ensure information systems are protected from exploitation by malicious software.
IT07 – Application Development Security: To ensure secure operation of applications; that applications produce the correct results and perform only authorized transactions; and that data is not inadvertently exposed during processing.
IT08 – Development Process: To ensure the software development process produces secure applications.
IT09 – Vendor Management Security: To ensure third party software product and information service vendors are meeting contractually defined service levels and the University of Illinois at Urbana-Champaign's information security requirements.
IT10 – Client Computer Security: To ensure the secure operation of client systems and applications.
IT11 – Mobile Device Security: To ensure the secure operation of mobile devices and applications.
IT12 – Digital Communications Security: To ensure the secure operation of and timely access to messaging services.
IT13 – Web Application Security: To ensure the secure operation of web applications.
IT14 – Security Incident Management: To ensure prompt, effective response to information security incidents.
IT15 – Storage Media Security: To ensure that storage media and documents are used securely.
IT16 – Security Training: To ensure users are aware of security threats and of behavior that makes them vulnerable.
IT17 – Asset Management: To ensure that information assets are identified so they can be managed securely.
IT18 – Software License Management: To ensure that software is used in compliance with license agreements and copyright law.