Policies

The following OIT security policies establish a baseline for information security and risk management activities for the University. They are based on the COV ITRM SEC501 and SEC514 Standards, which define the minimum acceptable level of information security and risk management activities that the University must implement. Users are responsible for familiarizing themselves with these policies. Questions should be directed to the University Information Security Officer.

Office of Information Technology Policies

32-01 Acceptable Use of Technological Resources
32-8-2 Information Security Roles and Responsibilities
32-8-3 Business Impact Analysis
32-8-4 System and Data Sensitivity Classification
32-8-5 Sensitive IT System Inventory and Definition
32-8-6 Risk Assessment
32-8-7 Security Audits

32.8 Security Control Catalog

32.8.100 Access Control
32-8-101 Access Control Policy and Procedures
32-8-102 Account Management
32-8-103 Access Enforcement
32-8-104 Information Flow Enforcement
32-8-105 Separation of Duties
32-8-106 Least Privilege
32-8-107 Unsuccessful Login Attempts
32-8-108 System Use Notifications
32-8-111 Session Lock
32-8-114 Permitted Actions Without Identification or Authentication
32-8-117 Remote Access
32-8-118 Wireless Access
32-8-119 Access Control for Mobile Devices
32-8-120 Use of External Information Systems
32-8-122 Publicly Accessible Content

32.8.200 Awareness And Training
32-8-201 Security Awareness and Training Policy and Procedures
32-8-202 Security Awareness
32-8-203 Security Training
32-8-204 Security Training Records
32-8-205 Contacts With Security Groups and Associations

32.8.300 Audit And Accountability
32-8-301 Audit and Accountability Policy and Procedures
32-8-302 Auditable Events
32-8-303 Content of Audit Records
32-8-304 Audit Storage Capacity
32-8-305 Response to Audit Processing Failures
32-8-306 Audit Review, Analysis, and Reporting
32-8-308 Time Stamps
32-8-309 Protection of Audit Information
32-8-311 Audit Record Retention

32.8.400 Security Assessment And Authorization
32-8-401 Security Assessment and Authorization Policies and Procedures
32-8-403 Information System Connections
32-8-406 Security Authorization
32-8-407 Continuous Monitoring

32.8.500 Configuration Management
32-8-501 Configuration Management Policy and Procedures
32-8-502 Baseline Configuration
32-8-503 Configuration Change Control
32-8-504 Security Impact Analysis
32-8-505 Access Restrictions for Change
32-8-506 Configuration Settings
32-8-507 Least Functionality
32-8-508 Information System Component Inventory
32-8-509 Configuration Management Plan

32.8.600 Contingency Planning
32-8-601 Contingency Planning Policy and Procedures
32-8-602 Contingency Plan
32-8-603 Contingency Training
32-8-604 Contingency Plan Testing and Exercises
32-8-606 Alternate Storage Site
32-8-607 Alternate Processing Site
32-8-608 Telecommunication Services
32-8-609 Information System Backup
32-8-610 Information System Recovery and Reconstitution

32.8.700 Identification And Authentication
32-8-701 Identification and Authentication Policy and Procedures
32-8-702 Identification and Authentication (University Users)
32-8-704 Identifier Management
32-8-705 Authenticator Management
32-8-705.1 Password Management
32-8-706 Authenticator Feedback
32-8-707 Cryptographic Module Authentication
32-8-708 Identification and Authentication (Non-University Users)

32.8.800 Incident Response
32-8-801 Incident Response Policy and Procedures
32-8-802 Incident Response Training
32-8-803 Incident Response Testing and Exercises
32-8-804 Incident Handling
32-8-805 Incident Monitoring
32-8-806 Incident Reporting
32-8-807 Incident Response Assistance
32-8-808 Incident Response Plan

32.8.900 Maintenance
32-8-901 System Maintenance Policies and Procedures
32-8-902 Controlled Maintenance
32-8-905 Maintenance Personnel

32.8.1000 Media Protection
32-8-1001 Media Protection Policy and Procedures
32-8-1002 Media Access
32-8-1004 Media Storage
32-8-1005 Media Transport
32-8-1006 Media Sanitization

32.8.1100 Physical And Environmental Protection
32-8-1101 Physical and Environmental Protection Policy and Procedures
32-8-1102 Physical Access Authorizations
32-8-1103 Physical Access Control
32-8-1105 Access Control for Output Devices
32-8-1106 Monitoring Physical Access
32-8-1107 Visitor Control
32-8-1108 Access Records
32-8-1109 Power Equipment and Power Cabling
32-8-1110 Emergency Shutoff
32-8-1111 Emergency Power
32-8-1113 Fire Protection
32-8-1114 Temperature and Humidity Controls
32-8-1118 Location Of Information System Components

32.8.1200 Planning
32-8-1201 Security Planning Policy and Procedures
32-8-1202 System Security Plan
32-8-1204 Rules of Behavior
32-8-1206 Security-Related Activity Planning

32.8.1300 Personnel Security
32-8-1301 Personnel Security Policy and Procedures
32-8-1303 Personnel Screening
32-8-1304 Personnel Termination
32-8-1305 Personnel Transfer
32-8-1306 Access Agreements
32-8-1307 Third-Party Personnel Security
32-8-1308 Personnel Sanctions

32.8.1400 Risk Assessment
32-8-1401 Risk Assessment Policy and Procedures
32-8-1402 Security Categorization
32-8-1403 Risk Assessment
32-8-1405 Vulnerability Scanning

32.8.1500 System And Services Acquisition
32-8-1501 System and Services Acquisition Policy and Procedures
32-8-1502 Allocation of Resources
32-8-1503 Life Cycle Support
32-8-1505 Information System Documentation
32-8-1506 Software Usage Restrictions
32-8-1507 User-Installed Software
32-8-1508 Security Engineering Principles
32-8-1509 External Information System Services
32-8-1510 Developer Configuration Management
32-8-1511 Developer Security Testing

32.8.1600 System And Communications Protection
32-8-1601 System and Communications Protection Policy and Procedures
32-8-1602 Application Partitioning
32-8-1603 Security Function Isolation
32-8-1604 Information in Shared Resources
32-8-1607 Boundary Protection
32-8-1608 Transmission Integrity
32-8-1609 Transmission Confidentiality
32-8-1612 Cryptographic Key Establishment and Management
32-8-1613 Use of Cryptography
32-8-1614 Public Access Protections
32-8-1617 Public Key Infrastructure Certificates
32-8-1620 Secure Name-Address Resolution Service (Authoritative Source)
32-8-1623 Session Authenticity
32-8-1628 Protection of Information At Rest

32.8.1700 System And Information Integrity
32-8-1701 System and Information Integrity Policy and Procedures
32-8-1702 Flaw Remediation
32-8-1703 Malicious Code Protection
32-8-1704 Information System Monitoring
32-8-1705 Security Alerts, Advisories, and Directives
32-8-1708 Spam Protection
32-8-1709 Information Input Restrictions
32-8-1710 Information Input Validation