Skip to main content

Policies

The following OIT security policies establish a baseline for information security and risk management activities for the University and are based on the COV ITRM SEC501 and SEC514 Standards, which defines the minimum acceptable level of information security and risk management activities that the University must implement.

It is the User's responsibility to ensure they familiarize themselves with these policies. Questions should be directed to the University Information Security Officer.

Office of Information Technology Policies

32-01 - Acceptable Use of Technologicial Resources
32-8-2 Information Security Roles and Responsibilities
32-8-3 Business Impact Analysis
32-8-4 System and Data Sensitivity Classification
32-8-5 Sensitive IT System Inventory and Definition
32-8-6 Risk Assessment
32-8-7 Security Audits

32.8 Security Control Catalog

32.8.100 Access Control

32 - 8 - 101 Access Control Policy and Procedures
32 - 8 - 102 Account Management
32 - 8 - 103 Access Enforcement
32 - 8 - 104 Information Flow Enforcement
32 - 8 - 105 Separation of Duties
32 - 8 - 106 Least Privilege
32 - 8 - 107 Unsuccessful Login Attempts
32 - 8 - 108 System Use Notifications
32 - 8 - 111 Session Lock
32 - 8 - 114 Permitted Actions Without Identification or Authentication
32 - 8 - 117 Remote Access
32 - 8 - 118 Wireless Access
32 - 8 - 119 Access Control for Mobile Devices
32 - 8 - 120 Use of External Information Systems
32 - 8 - 122 Publicly Accessible Content
 

32.8.200 Awareness And Training

32 - 8 - 201 Security Awareness and Training Policy and Procedures
32 - 8 - 202 Security Awareness
32 - 8 - 203 Security Training
32 - 8 - 204 Security Training Records
32 - 8 - 205 Contacts With Security Groups and Associations
 

32.8.300 Audit And Accountability

32 - 8 - 301 Audit and Accountability Policy and Procedures
32 - 8 - 302 Auditable Events
32 - 8 - 303 Content of Audit Records
32 - 8 - 304 Audit Storage Capacity
32 - 8 - 305 Response to Audit Processing Failures
32 - 8 - 306 Audit Review, Analysis, and Reporting
32 - 8 - 308 Time Stamps
32 - 8 - 309 Protection of Audit Information
32 - 8 - 311 Audit Record Retention
 

32.8.400 Security Assessment And Authorization

32 - 8 - 401 Security Assessment and Authorization Policies and Procedures
32 - 8 - 403 Information System Connections
32 - 8 - 406 Security Authorization
32 - 8 - 407 Continuous Monitoring
 

32.8.500 Configuration Management

32 - 8 - 501 Configuration Management Policy and Procedures
32 - 8 - 502 Baseline Configuration
32 - 8 - 503 Configuration Change control
32 - 8 - 504 Security Impact Analysis
32 - 8 - 505 Access Restrictions for Change
32 - 8 - 506 Configuration Settings
32 - 8 - 507 Least Functionality
32 - 8 - 508 Information System Component Inventory
32 - 8 - 509 Configuration Management Plan
 

32.8.600 Contingency Planning

32 - 8 - 601 Contingency Planning Policy and Procedures
32 - 8 - 602 Contingency Plan
32 - 8 - 603 Contingency Training
32 - 8 - 604 Contingency Plan Testing and Exercises
32 - 8 - 606 Alternate Storage Site
32 - 8 - 607 Alternate Processing Site
32 - 8 - 608 Telecommunication Services
32 - 8 - 609 Information System Backup
32 - 8 - 610 Information System Recovery and Reconstitution
 

32.8.700 Identification And Authentication

32 - 8 - 701 Identification and Authentication Policy and Procedures
32 - 8 - 702 Identification and Authentication (University Users)
32 - 8 - 704 Identifier Management
32 - 8 - 705 Authenticator Management
32 - 8 - 705.1 Password Management
32 - 8 - 706 Authenticator Feedback
32 - 8 - 707 Cryptographic Module Authentication
32 - 8 - 708 Identification and Authentication (Non-University Users)
 

32.8.800 Incident Response

32 - 8 - 801 Incident Response Policy and Procedures
32 - 8 - 802 Incident Response Training
32 - 8 - 803 Incident Response Testing and Exercises
32 - 8 - 804 Incident Handling
32 - 8 - 805 Incident Monitoring
32 - 8 - 806 Incident Reporting
32 - 8 - 807 Incident Response Assistance
32 - 8 - 808 Incident Response Plan
 

32.8.900 Maintenance

32 - 8 - 901 System Maintenance Policies and Procedures
32 - 8 - 902 Controlled Maintenance
32 - 8 - 905 Maintenance Personnel
 

32.8.1000 Media Protection

32 - 8 - 1001 Media Protection Policy and Procedures
32 - 8 - 1002 Media Access
32 - 8 - 1004 Media Storage
32 - 8 - 1005 Media Transport
32 - 8 - 1006 Media Sanitization
 

32.8.1100 Physical And Environmental Protection

32 - 8 - 1101 Physical and Environmental Protection Policy and Procedures
32 - 8 - 1102 Physical Access Authorizations
32 - 8 - 1103 Physical Access Control
32 - 8 - 1105 Access Control for Output Devices
32 - 8 - 1106 Monitoring Physical Access
32 - 8 - 1107 Visitor Control
32 - 8 - 1108 Access Records
32 - 8 - 1109 Power Equipment and Power Cabling
32 - 8 - 1110 Emergency Shutoff
32 - 8 - 1111 Emergency Power
32 - 8 - 1113 Fire Protection
32 - 8 - 1114 Temperature and Humidity Controls
32 - 8 - 1118 Location Of Information System Components
 

32.8.1200 Planning

32 - 8 - 1201 Security Planning Policy and Procedures
32 - 8 - 1202 System Security Plan
32 - 8 - 1204 Rules of Behavior
32 - 8 - 1206 Security-Related Activity Planning

32.8.1300 Personnel Security

32 - 8 - 1301 Personnel Security Policy and Procedures
32 - 8 - 1303 Personnel Screening
32 - 8 - 1304 Personnel Termination
32 - 8 - 1305 Personnel Transfer
32 - 8 - 1306 Access Agreements
32 - 8 - 1307 Third-Party Personnel Security
32 - 8 - 1308 Personnel Sanctions
 

32.8.1400 Risk Assessment

32 - 8 - 1401 Risk Assessment Policy and Procedures
32 - 8 - 1402 Security Categorization
32 - 8 - 1403 Risk Assessment
32 - 8 - 1405 Vulnerability Scanning

32.8.1500 System And Services Acquisition

32 - 8 - 1501 System and Services Acquisition Policy and Procedures
32 - 8 - 1502 Allocation of Resources
32 - 8 - 1503 Life Cycle Support
32 - 8 - 1505 Information System Documentation
32 - 8 - 1506 Software Usage Restrictions
32 - 8 - 1507 User-Installed Software
32 - 8 - 1508 Security Engineering Principles
32 - 8 - 1509 External Information System Services
32 - 8 - 1510 Developer Configuration Management
32 - 8 - 1511 Developer Security Testing
 

32.8.1600 System And Communications Protection

32 - 8 - 1601 System and Communications Protection Policy and Procedures
32 - 8 - 1602 Application Partitioning
32 - 8 - 1603 Security Function Isolation
32 - 8 - 1604 Information in Shared Resources
32 - 8 - 1607 Boundary Protection
32 - 8 - 1608 Transmission Integrity
32 - 8 - 1609 Transmission Confidentiality
32 - 8 - 1612 Cryptographic Key Establishment and Management
32 - 8 - 1613 Use of Cryptography
32 - 8 - 1614 Public Access Protections
32 - 8 - 1617 Public Key Infrastructure Certificates
32 - 8 - 1620 Secure Name-Address Resolution Service (Authoritative Source)
32 - 8 - 1623 Session Authenticity
32 - 8 - 1628 Protection of Information At Rest
 

32.8.1700 System And Information Integrity

32 - 8 - 1701 System and Information Integrity Policy and Procedures
32 - 8 - 1702 Flaw Remediation
32 - 8 - 1703 Malicious Code Protection
32 - 8 - 1704 Information System Monitoring
32 - 8 - 1705 Security Alerts, Advisories, and Directives
32 - 8 - 1708 Spam Protection
32 - 8 - 1709 Information Input Restrictions
32 - 8 - 1710 Information Input Validation