Office of Information Technology

UNLV IT POLICIES

 

The information security policy structure is based on ISO 17799/27001, the International Standard for Information Security, and is enhanced as needed by Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization, and by the National Institute of Standards and Technology (NIST) Special Publication 800-series reports on the Information Technology Laboratory's research into information security controls, standards, and guidelines. The standard reference text for ISO 17799/27001 policy development is the most current edition of Information Security Policies and Procedures: A Practitioner's Reference, Thomas R. Peltier, Auerbach Publications, or its replacement.

Status:

  • Policies in black are planned but not drafted
  • Policies in blue have been drafted but not yet adopted
  • Policies in green have been adopted for OIT internal use but not yet by the University
  • Policies in red have been adopted by the University as "Interim" (pending review by appropriate committees).

 

SERIES IS – CAPSTONE POLICIES GROUP (Tier 1)

Policies that establish the foundation for information security and information assets policies.

 

IS01    Information Security for IT Resources Policy**

IS02    Information Sensitivity and Classification Policy (with Handbook)**

IS03    Personal Non-Public Information Policy**

IS04    Infrastructure Responsibilities and Services Policy**

IS05    Business Continuity and Disaster Recovery Planning Policy

IS0x    Information Security Acronyms, Terms and Definitions

 
SERIES IST100 - INDIVIDUAL PRIVILEGES & RESPONSIBILITIES

Policies that address acceptable personal use of the computing services, assets, and networks.

 

101A    Acceptable Use of IT Resources Policy (Users)**

101B    Acceptable Use of IT Resources Policy (Mgmt & SysAdmin)**

102     Password Standards and Guideline Policy (with Guide)

103     Virus, Trojan, Spyware & Other Malicious Code Policy

104     Reporting Electronic Security Incidents Policy (with Guide)

 

SERIES IST200 - COMMUNICATIONS, PRIVACY & CONFIDENTIALITY (Tier 2)

Policies that address acceptable personal and organizational use of the E-mail services.

 

201     E-mail Usage Policy

202     Access to E-mail Accounts Policy (with Guide)

 

SERIES IST300 - REGULATORY COMPLIANCE APPLICATIONS (Tier 2)

Policies covering application development processes, secure programming, data integrity and confidentiality, production systems, operating systems, and application authentication and authorization. This group addresses digital property and interests, privacy, and individual user responsibilities.

 

301     Application Specific Policy

302     Regulatory IT Compliance Policy

        A - HIPAA Compliance Directive (with Guide)

        B - FERPA Compliance Directive (with Guide)

        C - GLBA Compliance Directive (with Guide)

        D - SOX Compliance Directive

        E - Adjunctive Sensitive Systems Compliance Directive

303     Remote Access to Networks and Systems Policy

 

SERIES IST400 - IT OPERATIONS & PROVISIONING (Tier 2)

Policies that provide for monitoring and logging, provisioning and implementation, assessment and compliance, system administration, remote access, physical security, configuration management, and training and awareness programs.

 

401     IT System Security Plan Policy (with Handbook)

402     Risk Assessment and Management Policy (with Handbook)**

403     General Server Security and Access Policy (with Guide)

        A - Logs Directive

404     Password Standards for Servers and Network Devices Policy (with Guide)

405     Technical Security of End-Point (User) Systems Policy (with Guide)

406     Data Media Sanitization & Destruction Policy (with Guide)**

407     Access to General IT User Accounts Policy (with Guide)

408     Computer Security Incident Response for First Responders Policy (with Handbook)

409     Coordinating and Reporting IT Outages Guidelines

 

SERIES IST500 - NETWORKS & NETWORKING SERVICES (Tier 2)

Policies dealing with perimeter defenses, network components, storage solutions, wireless, directory services, host hardening, authentication and authorization, and network support systems. The group is primarily focused on the core network services, organizational responsibilities, and protection of an open network.

 

501     Technical Security of IT Resources Policy, Standards, & Directives

        A - Risk, Criticality, and Data Sensitivity Directive

        B - Network and Security Architectures Directive

        C - Minimum Security Requirements for Tier-1 Networks and Systems Directive

        D - Minimum Security Requirements for Tier-2 Networks and Systems Directive

        E - Intrusion Systems Directive

        F - Firewall Systems Directive (with Guide)

        G - Network Server Security Directive

        H - Network Monitoring and Logs Directive

502     Privileged Access Agreement Policy

503     Guidelines and Procedures for Blocking Network Access Policy

SERIES IST600 - DOMAIN NAMES, ENCRYPTION KEYS & OTHER (Tier 2)

Policies that address digital property and interests, privacy, and encryption.

 

601     Acceptable Encryption Policy

 

SERIES IST700 - BUSINESS CONTINUITY & RECOVERY (Tier 2)

Policies that address business continuity and disaster recovery, database backups, and information records retention.

 

701     IT Continuity and Disaster Recovery Policy & Guidelines

702     Application Data Backup Policy

 

SERIES IST800 - IT SECURITY & INCIDENT RESPONSE (Tier 3)

Policies that deal with incident response and readiness, digital forensics, internal threat profiling, and cyberspace investigation support. Directly supports the Series-300 group.

 

801     Security Incident Handling and Digital Investigations Policy (with Guide and Handbook)

802     Security Auditing and Vulnerability Scanning Policy (with Handbook)

803     To Be Assigned

804     Security Education and Awareness Program

(Manual) Computer Security Incident Handling Guide

(Manual) Handbook for Digital Investigations

(Manual) Handbook for Information Security Auditing

 

SERIES IST900 - CIVIL & COMMUNITY DISASTER RESPONSE (Tier 3)

Policies that deal with responding to or supporting any disaster response actions by the University.

 

901     To Be Assigned

 

"SERIES" – Series provide a management blueprint for information technology policies; each policy is assigned to one of the nine categories. Each individual IT Policy is also assigned (or will be assigned) one or more of the following security response priority levels, depending on the impact of a violation of that policy. For instance, if a policy defines a "threat to an individual" as a violation, that policy would be assigned response level 1. IT security and Help Desk personnel use these priority levels to initiate the response actions defined in the respective policy. The levels are defined as: 1 - Danger to persons; 2 - Privacy/Sensitivity of Data; 3 - Outbound Computer Attacks; 4 - Inbound Computer Attacks; 5 - Protection of IT Assets; or 6 - N/A.

 

** - UNLV Current Interim Operational Policies