Control Requirements

The Information Security Control Requirements provide detailed implementation guidance for each risk objective specified in the standards. Each standard has its own control document breaking down the risk objectives into specific controls at various data and system sensitivity levels. The coding scheme makes it easy to identify which controls map to the system security level and the university's priority. This enables university organizations to apply only the controls that are required for their IT resources. The standards are listed below with links to the individual control documents. You must be a member of the campus community to access them and will be prompted to log in.

Management Controls Index

Management
  • MGT01 - Information Risk Management (P1)
  • MGT02 - Information Security Management (P2)
  • MGT03 - Compliance Management (P1)
  • MGT04 - Business Continuity Management (P3)
Legal Risk
  • LEG01 - Legal & Regulatory Compliance (P2)
Business Risk
  • BUS01 - Financial Systems (P2)
Purchasing Risk
  • PUR01 - Contract Management (P3)
Personnel Security Risk
  • PS01 - Personnel Security (P2)
Facilities Risk
  • FAC01 - IT Site Security (P2)
  • FAC02 - IT Workspace Security (P2)
Institutional Data Risk
  • DAT01 - Institutional Data Security (P1)
  • DAT02 - Information Access Control (P1)

Information Technology Controls Index

Information Technology
  • IT01 - Disaster Recovery (P1)
  • IT02 - Infrastructure Security (P1)
  • IT03 - Network Security (P1)
  • IT04 - Server Security (P1)
  • IT05 - Identity Management (P1)
  • IT06 - Malicious Software Protection (P1)
  • IT07 - Application Development Security (P1)
  • IT08 - Development Process (P2)
  • IT09 - Vendor Management Security (P2)
  • IT10 - Client Computer Security (P2)
  • IT11 - Mobile Device Security (P2)
  • IT12 - Digital Communications Security (P2)
  • IT13 - Web Application Security (P2)
  • IT14 - Security Incident Management (P2)
  • IT15 - Storage Media Security (P2)
  • IT16 - Security Training (P2)
  • IT17 - Asset Management (P2)
  • IT18 - Software License Management (P3)

Controls Exceptions

The Illinois Security Program recognizes that business goals, research projects, and educational objectives at the university could justify an exception to the Standards & Controls defined for the program. The Information Security Policy calls for an exception process. Each exception request is carefully considered by unit leadership and the Office of Privacy and Information Assurance. We have developed a risk acceptance process for some specific use cases, such as end-of-life operating systems and SSH firewall exceptions. We will add to this list as common use cases present themselves.

Risk level is a component of all exception requests. Use this form to help determine risk level: https://go.illinois.edu/risklevel

Any Standard or specific Control can have an exception if there is a business case and risk acceptance from campus and unit leadership. For any questions about exceptions or the process, please contact securitysupport@illinois.edu.