UNIV 1.51 [pdf]
The purpose of policy UNIV 1.51 is to establish data and information governance programs that ensure the appropriate use, availability, and risk mitigation for university data and information assets.
Policies
Policies are University-Wide rules established at the executive level. They represent the intention and direction of the University, formally expressed by the administration and management.
UNIV 1.52 [pdf]
The purpose of policy UNIV 1.52 is to establish requirements for ensuring the responsible use of data, technology, and user credentials.
IT 3.00 [pdf]
The purpose of policy IT 3.00 is to establish the university's information security program. The program seeks to ensure the confidentiality, integrity and availability of university data and information technology assets.
Control Objectives
Control Objectives are University-Wide or data specific targets to be met. They describe what is to be achieved as a result of the University implementing a control, which is what a Standard is intended to address (CSF, HIPAA, CMMC, PCI-DSS, GLBA). The University-wide target is NIST Framework CyberSecurity Framework.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that provides certain protections with regard to education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, companies, and
institutions that offer consumers financial products or services like loans, financial
or investment advice, or insurance – to explain their information-sharing practices
to their customers and to safeguard sensitive data.
Founded in 1901, NIST is an agency of the U.S. Department of Commerce. It advances
measurement science, standards, and technology to improve our quality of life. NIST
has provided important computer security guidance for many decades.
Standards
Standards are University-wide rules established by those authorities who are designated in University policy. These tend to be broad, setting standards for conduct and process within the OU's. Standards must always conform to applicable policies. [Must Log in to Service Now]
- Email Security Configuration Standard
- Security Monitoring Standard
- Vulnerability Management Standard
- Technical Security Configuration Standard
- Asset Management Standard
- Physical Access Standard
- Account Management Standard
Procedures
Procedures are documents created or adopted by OU administrators with specific directions for conducting business and operations at the University. Procedures must conform to applicable policies and standards, and should adhere to applicable guidelines, where practical.
Guidelines
Guidelines are documents created by subject-matter authorities who are designated in university policy. These documents contain recommendations to assist in the creation of related procedures. Guidelines must conform to applicable standards.