The Policy on Information Security and the Protection of Digital Assets protects the privacy, confidentiality, authenticity, integrity and availability of the University’s digital assets. The Policy states, in part, “Across the University, those charged with managing and securing digital assets shall operate in a manner that reduces and mitigates vulnerabilities by following standards, guidelines and procedures for protecting the University’s digital assets.” This document is a view of the Information Security Standard (the Standard). The Standard is endorsed by the University’s Information Security Council and is aligned with the National Institute of Standards and Technology (NIST) 800-171 for protecting data.
The Standard consists of a set of baseline control statements ordered in groups known as domains. An example of a domain in the Standard is ‘Access Control’. An example of a control in the Access Control domain is:
AC-12 Monitor and control remote access sessions.
Each control is mapped to the data classification and protection standard using one of four applicability words: essential, required, recommended and optional. The applicability words are defined as follows:
Essential: Must be addressed for all current and future systems.
Required: Must be addressed for future systems and prioritized for current systems.
Recommended: Not compulsory but highly encouraged.
Optional: Apply if appropriate.