Data security standards Overview


Data and information are important assets of the university and must be protected from loss of integrity, confidentiality, or availability in compliance with university policy and standards, Board of Regents policy, applicable contracts, and state and federal laws and regulations. These documents define the base requirements for processing, storing, or transmitting University Data as per APM 30.11.

The standards are published here:
Additional policies regarding technology can be found in APM chapter 30.

For any questions regarding the standards please feel free to reach out to OIT Security.

How do I meet the standards?

For students
For faculty
For staff


Do I need to meet the requirements of each document?
What if something is vague or undefined?
What do these document mean when they say 'systems'?
What do I do if I am working with regulated data or under a contract that has additional requirements that aren't met by these standards?
How do these standards differ from the APM?

Changes to standards

April 2024 Changes:

The new revision was to make minor adjustments that do not make any material changes to the standards.

September 2023 Changes:

The new revision is primarily built to document the existing practices already in place that map to the NIST SP 800-171 controls. As a result, the impact to production systems is minimal. Changes that may be required are mostly to align similar systems that are configured differently to be aligned together. There are a few changes that required some changes to systems within IT. The owners of those systems have already been contacted and standard alignment is already underway.

Other changes include:

  • Separating controls into domains
  • Defining scopes per domain
  • Additional definitions
  • References to source NIST SP 800-171

2017 Changes:

  • Creation of standards
100% helpful - 1 review
Print Article


Article ID: 2689
Fri 7/21/23 2:08 PM
Tue 5/14/24 1:28 PM

Related Articles (1)

The following locations have been approved by OIT for storage of university data, consistent with U of I policies and standards.

Related Services / Offerings (3)

Use this service to request an exception to UI policy or standards. An exception requires an in-depth review by the OIT Security Office in order to establish the appropriate documentation and mitigation of any potential security risks introduced by an exception.
Support for known and expected compliance requirements for information technology security and compliance in research, or creation of a System Security Plan.
Report an information security incident.