The following policies and standards provide the foundation for the University Information Security Office to administer the Information Security Program and coordinate all incident responses. They also empower organizational units (OUs) to implement appropriate safeguards.
Policies are University-Wide rules established at the executive level. They represent the intention and direction of the University, formally expressed by the administration and management.
The purpose of policy UNIV 1.51 is to establish data and information governance programs that ensure the appropriate use, availability, and risk mitigation for university data and information assets.
The purpose of policy UNIV 1.52 is to establish requirements for ensuring the responsible use of data, technology, and user credentials.
The purpose of policy IT 3.00 is to establish the university's information security program. The program seeks to ensure the confidentiality, integrity and availability of university data and information technology assets.
Control Objectives are University-wide or data-specific targets to be met. They describe what is to be achieved as a result of the University implementing a control, which is what a Standard is intended to address (CSF, HIPAA, CMMC, PCI-DSS, GLBA). The University-wide target is the NIST Cybersecurity Framework.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that provides certain protections with regard to education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Standards are University-wide rules established by those authorities who are designated in University policy. These tend to be broad, setting standards for conduct and process within the OUs. Standards must always conform to applicable policies. [Must log in to Service Now]
Procedures are documents created or adopted by OU administrators with specific directions for conducting business and operations at the University. Procedures must conform to applicable policies and standards, and should adhere to applicable guidelines, where practical.
Guidelines are documents created by subject-matter authorities who are designated in university policy. These documents contain recommendations to assist in the creation of related procedures. Guidelines must conform to applicable standards.