
Division of Information Technology

Policy structure infographic: an inverted triangle with Policy at the top, followed by Control Objective, Standard, Procedure, and Guideline.

Policy & Standards

The following policies and standards provide the foundation for the University Information Security Office to administer the Information Security Program and coordinate all incident responses. They also empower organizational units (OUs) to implement appropriate safeguards.

Policies

Policies are University-wide rules established at the executive level. They represent the intention and direction of the University, formally expressed by the administration and management.

Control Objectives

Control Objectives are University-wide or data-specific targets to be met. They describe what is to be achieved as a result of the University implementing a control; a Standard is the rule intended to address that objective. Control Objectives may derive from frameworks and regulations such as the CSF, HIPAA, CMMC, PCI DSS, and GLBA. The University-wide target is the NIST Cybersecurity Framework (CSF).

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.


The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that provides certain protections with regard to education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, meaning companies and institutions that offer consumers financial products or services such as loans, financial or investment advice, or insurance, to explain their information-sharing practices to their customers and to safeguard sensitive data.

Founded in 1901, NIST is an agency of the U.S. Department of Commerce. It advances measurement science, standards, and technology to improve our quality of life. NIST has provided important computer security guidance for many decades.

Standards

Standards are University-wide rules established by those authorities who are designated in University policy. These tend to be broad, setting standards for conduct and process within the OUs. Standards must always conform to applicable policies. [Must log in to ServiceNow]

Procedures

Procedures are documents created or adopted by OU administrators with specific directions for conducting business and operations at the University. Procedures must conform to applicable policies and standards, and should adhere to applicable guidelines where practical.

Guidelines

Guidelines are documents created by subject-matter authorities who are designated in University policy. These documents contain recommendations to assist in the creation of related procedures. Guidelines must conform to applicable standards.
