Overview
Data and information are important assets of the university and must be protected from loss of integrity, confidentiality, or availability in compliance with university policy and standards, Board of Regents policy, applicable contracts, and state and federal laws and regulations. These documents define the base requirements for processing, storing, or transmitting University Data as per APM 30.11.
The standards are published here: https://www.uidaho.edu/oit/standards/data-security
Additional policies regarding technology can be found in APM chapter 30.
For any questions regarding the standards, please feel free to reach out to OIT Security.
How do I meet the standards?
For students
- If you are both a student and an employee, please follow the staff guidance and use your employee account when working in your employee role.
- Utilize the UI VPN for remote access to university resources.
- Utilize AirVandalGold/home or Eduroam for wireless access while on campus.
- Install security updates and antivirus on your devices as they become available.
- Never share your password.
For faculty
- Use OIT-managed or approved technology devices, networks, and applications.
- Use University accounts for University business.
- Use approved storage locations for University data.
- Where non-OIT managed technologies, including personal devices, are allowed:
  - Install security patches and antivirus on devices.
  - Use University provided applications, such as Office 365, for handling University data.
- Report any security issues or concerns to Security@uidaho.edu and respond to requests from OIT Security in a timely manner.
- If you are doing federally funded research, or research with specific security requirements, please contact the research cyber support team for assistance.
- Reach out to OIT for any specific questions.
For staff
- Use OIT managed or approved technology devices, networks, and applications.
- Use University accounts for University business.
- Use approved storage locations for University data.
- Where non-OIT managed technologies, including personal devices, are allowed:
  - Install security patches and antivirus on devices.
  - Use University provided applications, such as Office 365, for handling University data.
- Reach out to OIT for any specific questions.
FAQ
Do I need to meet the requirements of each document?
Yes. However, each document has its own scope, and each requirement applies only to specific risk levels. If no risk level is listed, the requirement applies to all risk levels.
What if something is vague or undefined?
While reading these documents, you may find requirements with open-ended wording, such as the term "periodic". In general, the open-ended wording is there to allow system owners flexibility in determining their own requirements, such as deciding whether "periodic" means monthly or yearly for their system. OIT Security may request the reasoning behind a specific implementation of the controls. Additionally, OIT Security may require specific changes to the implementation should the reasoning be insufficient.
What do these documents mean when they say 'systems'?
In these documents, 'systems' uses the broad definition of "A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information." (NIST SP 800-171r2). This means that a system can range from an application, to a specific laptop, to a series of connected devices.
What do I do if I am working with regulated data or under a contract that has additional requirements that aren't met by these standards?
Please reach out to the research cyber support group at rcsp-team@uidaho.edu for assistance.
How do these standards differ from the APM?
The standard documents are intended to be more granular and adaptable than the APM. This enables OIT to keep the requirements up-to-date and technical. The standard documents are supported by the Data Security Standards, as described in APM 30.11 Section B-3. As a result, they are still enforceable to the same extent as APM 30.11.
Changes to standards
April 2024 Changes:
The new revision was to make minor adjustments that do not make any material changes to the standards.
September 2023 Changes:
The new revision is primarily built to document the existing practices already in place that map to the NIST SP 800-171 controls. As a result, the impact to production systems is minimal. Changes that may be required mostly involve bringing similar systems that are configured differently into alignment with one another. A few changes required modifications to systems within IT. The owners of those systems have already been contacted, and standard alignment is already underway.
Other changes include:
- Separating controls into domains
- Defining scopes per domain
- Additional definitions
- References to source NIST SP 800-171
2017 Changes: