The Information Technology Standards and Controls listed below have been adopted as campuswide policy at the Urbana and Springfield campuses as well as the University System Offices. Questions about the standards and controls should be sent to digitalrisk@illinois.edu.
Information Security Controls provide implementation information for each standard at various risk levels. The controls could be interpreted as a “how-to” version of the standards. A coding scheme makes it easy to cross-reference between the documents. To better guide prioritization efforts, the detailed controls are specified according to the level of data being protected, as defined by the Data Management Policy.
We will continue to develop job aids in the form of documentation (procedures, checklists and templates) and software tools to support implementation of standards and controls.
The standards are listed below with links to the individual control documents. You must be a member of the campus community to access them and will be prompted to log in.
STANDARD | RISK STATEMENT |
MGT01 – Information Risk Management | To ensure that information risks are identified and treated. |
MGT02 – Information Security Management | To ensure the information security program manages information risks. |
MGT03 – Compliance Management | To ensure the risk management and information security programs effectively identify and manage information risks. |
MGT04 – Business Continuity Management | To limit the negative impact of a disruptive event upon university operations. |
LEG01 – Legal & Regulatory Compliance | To ensure compliance with legal and regulatory requirements for risk management and information security. |
BUS01 – Financial Systems | To prevent financial fraud. |
PUR01 – Contract Management | To ensure third-party software product and service vendors are contractually obligated to satisfy the University of Illinois at Urbana-Champaign’s information security requirements. |
PS01 – Personnel Security | To ensure that personnel-related risk is managed throughout the lifecycle of the University Community Member relationship. |
FAC01 – IT Site Security | To prevent the theft of, tampering with, or destruction of information assets in university locations. |
FAC02 – IT Workspace Security | To prevent the theft of, tampering with, or destruction of information assets within workspaces. |
DAT01 – Institutional Data Security | To ensure the proper classification, labeling, and handling of institutional data. |
DAT02 – Information Access Control | To ensure authorized access, use, and modification of institutional data as defined by University of Illinois at Urbana-Champaign’s Data Management Policy. |
IT01 – Disaster Recovery | To limit the negative impact of a disruptive event upon IT operations and to ensure the timely access to information assets. |
IT02 – Infrastructure Security | To ensure university locations that house infrastructure are securely maintained. |
IT03 – Network Security | To ensure the secure operation of network devices and timely access to network services. |
IT04 – Server Security | To ensure the secure operation of server systems and timely access to services. |
IT05 – Identity Management | To ensure the secure use and management of digital identities and that secure authentication processes are used. |
IT06 – Malicious Software Protection | To ensure information systems are protected from exploitation by malicious software. |
IT07 – Application Development Security | To ensure secure operation of applications; that applications produce the correct results and perform only authorized transactions; and that data is not inadvertently exposed during processing. |
IT08 – Development Process | To ensure the software development process produces secure applications. |
IT09 – Vendor Management Security | To ensure third-party software product and information service vendors are meeting contractually defined service levels and University of Illinois at Urbana-Champaign’s information security requirements. |
IT10 – Client Computer Security | To ensure the secure operation of client systems and applications. |
IT11 – Mobile Device Security | To ensure the secure operation of mobile devices and applications. |
IT12 – Digital Communications Security | To ensure the secure operation of and timely access to messaging services. |
IT13 – Web Application Security | To ensure the secure operation of web applications. |
IT14 – Security Incident Management | To ensure prompt, effective response to information security incidents. |
IT15 – Storage Media Security | To ensure that storage media and documents are used securely. |
IT16 – Security Training | To ensure users are aware of security threats and behavior that makes them vulnerable. |
IT17 – Asset Management | To ensure that information assets are identified so they can be managed securely. |
IT18 – Software License Management | To ensure that software is being used in compliance with license agreements and copyright law. |