Policies The following OIT security policies establish a baseline for information security and risk management activities for the University and are based on the COV ITRM SEC501 and SEC514 Standards, which defines the minimum acceptable level of information security and risk management activities that the University must implement. It is the User's responsibility to ensure they familiarize themselves with these policies. Questions should be directed to the University Information Security Officer. Office of Information Technology Policies 32-01 - Acceptable Use of Technological Resources 32-8-2 Information Security Roles and Responsibilities 32-8-3 Business Impact Analysis 32-8-4 System and Data Sensitivity Classification 32-8-5 Sensitive IT System Inventory and Definition 32-8-6 Risk Assessment 32-8-7 Security Audits 32.8 Security Control Catalog 32.8.100 Access Control Replaced by BOV #38-02 (2020) - Logical Access Control Policy Replaced by BOV #38-08 (2022) Remote Wireless and Mobile Access Policy 32.8.200 Awareness And Training Replaced by BOV #38-04 (2021) - Security Awareness and Training Policy 32.8.300 Audit And Accountability 32 - 8 - 301 Audit and Accountability Policy and Procedures 32 - 8 - 302 Auditable Events 32 - 8 - 303 Content of Audit Records 32 - 8 - 304 Audit Storage Capacity 32 - 8 - 305 Response to Audit Processing Failures 32 - 8 - 306 Audit Review, Analysis, and Reporting 32 - 8 - 308 Time Stamps 32 - 8 - 309 Protection of Audit Information 32 - 8 - 311 Audit Record Retention 32.8.400 Security Assessment And Authorization 32 - 8 - 401 Security Assessment and Authorization Policies and Procedures 32 - 8 - 403 Information System Connections 32 - 8 - 406 Security Authorization 32 - 8 - 407 Continuous Monitoring 32.8.500 Configuration Management Replaced by BOV #38-05 (2021) - Identification and Authentication Policy 32.8.600 Contingency Planning 32 - 8 - 601 Contingency Planning Policy and Procedures 32 - 8 - 602 Contingency Plan 32 - 8 - 603 Contingency Training 32 - 8 - 604 Contingency Plan Testing and Exercises 32 - 8 - 606 Alternate Storage Site 32 - 8 - 607 Alternate Processing Site 32 - 8 - 608 Telecommunication Services 32 - 8 - 609 Information System Backup 32 - 8 - 610 Information System Recovery and Reconstitution 32.8.700 Identification And Authentication Replaced by BOV #38-05 (2021) - Identification and Authentication Policy 32.8.800 Incident Response 32 - 8 - 801 Incident Response Policy and Procedures 32 - 8 - 802 Incident Response Training 32 - 8 - 803 Incident Response Testing and Exercises 32 - 8 - 804 Incident Handling 32 - 8 - 805 Incident Monitoring 32 - 8 - 806 Incident Reporting 32 - 8 - 807 Incident Response Assistance 32 - 8 - 808 Incident Response Plan 32.8.900 Maintenance Replaced by BOV #38 (2020) - System Maintenance Policy 32.8.1000 Media Protection Replaced by #38-01 (2020) - Media Protection Policy 32.8.1100 Physical And Environmental Protection 32 - 8 - 1101 Physical and Environmental Protection Policy and Procedures 32 - 8 - 1102 Physical Access Authorizations 32 - 8 - 1103 Physical Access Control 32 - 8 - 1105 Access Control for Output Devices 32 - 8 - 1106 Monitoring Physical Access 32 - 8 - 1107 Visitor Control 32 - 8 - 1108 Access Records 32 - 8 - 1109 Power Equipment and Power Cabling 32 - 8 - 1110 Emergency Shutoff 32 - 8 - 1111 Emergency Power 32 - 8 - 1113 Fire Protection 32 - 8 - 1114 Temperature and Humidity Controls 32 - 8 - 1118 Location Of Information System Components 32.8.1200 Planning 32 - 8 - 1201 Security Planning Policy and Procedures 32 - 8 - 1202 System Security Plan 32 - 8 - 1204 Rules of Behavior 32 - 8 - 1206 Security-Related Activity Planning 32.8.1300 Personnel Security 32 - 8 - 1301 Personnel Security Policy and Procedures 32 - 8 - 1303 Personnel Screening 32 - 8 - 1304 Personnel Termination 32 - 8 - 1305 Personnel Transfer 32 - 8 - 1306 Access Agreements 32 - 8 - 1307 Third-Party Personnel Security 32 - 8 - 1308 Personnel Sanctions 32.8.1400 Risk Assessment 32 - 8 - 1401 Risk Assessment Policy and Procedures 32 - 8 - 1402 Security Categorization 32 - 8 - 1403 Risk Assessment 32 - 8 - 1405 Vulnerability Scanning 32.8.1500 System And Services Acquisition Replaced by BOV #38-03 (2021) - System and Services Acquisition Policy 32.8.1600 System And Communications Protection 32 - 8 - 1601 System and Communications Protection Policy and Procedures 32 - 8 - 1602 Application Partitioning 32 - 8 - 1603 Security Function Isolation 32 - 8 - 1604 Information in Shared Resources 32 - 8 - 1607 Boundary Protection 32 - 8 - 1608 Transmission Integrity 32 - 8 - 1609 Transmission Confidentiality 32 - 8 - 1612 Cryptographic Key Establishment and Management 32 - 8 - 1613 Use of Cryptography 32 - 8 - 1614 Public Access Protections 32 - 8 - 1617 Public Key Infrastructure Certificates 32 - 8 - 1620 Secure Name-Address Resolution Service (Authoritative Source) 32 - 8 - 1623 Session Authenticity 32 - 8 - 1628 Protection of Information At Rest 32.8.1700 System And Information Integrity 32 - 8 - 1701 System and Information Integrity Policy and Procedures 32 - 8 - 1702 Flaw Remediation 32 - 8 - 1703 Malicious Code Protection 32 - 8 - 1704 Information System Monitoring 32 - 8 - 1705 Security Alerts, Advisories, and Directives 32 - 8 - 1708 Spam Protection 32 - 8 - 1709 Information Input Restrictions 32 - 8 - 1710 Information Input Validation