Standards and Their Risk Statements

The Standards derive their mandate from the Information Technology policy, and the data classifications are defined in DAT01. Each Standard has a risk statement that is the goal for the Standard, and it defines the risk objectives to meet that goal. Each Standard is then given a priority to allow leaders to focus on specific areas of need. These risk areas are used to organize, measure, and manage risk levels consistently across the university.

The 30 risk areas are listed below, with links to the detailed objectives.

Management Standards Index

Management Risk
  • MGT01 - Information Risk Management (P1)
  • MGT02 - Information Security Management (P2)
  • MGT03 - Compliance Management (P1)
  • MGT04 - Business Continuity Management (P3)
Legal Risk
  • LEG01 - Legal & Regulatory Compliance (P2)
Business Risk
  • BUS01 - Financial Systems (P2)
Purchasing Risk
  • PUR01 - Contract Management (P3)
Personnel Security Risk
  • PS01 - Personnel Security (P2)
Facilities Risk
  • FAC01 - IT Site Security (P2)
  • FAC02 - IT Workspace Security (P2)
Institutional Data Risk
  • DAT01 - Institutional Data Security (P1)
  • DAT02 - Information Access Control (P1)

Information Technology Standards Index

Information Technology Risk
  • IT01 - Disaster Recovery (P1)
  • IT02 - Infrastructure Security (P1)
  • IT03 - Network Security (P1)
  • IT04 - Server Security (P1)
  • IT05 - Identity Management (P1)
  • IT06 - Malicious Software Protection (P1)
  • IT07 - Application Development Security (P1)
  • IT08 - Development Process (P2)
  • IT09 - Vendor Management Security (P2)
  • IT10 - Client Computer Security (P2)
  • IT11 - Mobile Device Security (P2)
  • IT12 - Digital Communications Security (P2)
  • IT13 - Web Application Security (P2)
  • IT14 - Security Incident Management (P2)
  • IT15 - Storage Media Security (P2)
  • IT16 - Security Training (P2)
  • IT17 - Asset Management (P2)
  • IT18 - Software License Management (P3)