Last updated April 15, 2021
The Office of Cybersecurity has developed four information technology security principles. These principles are to assist the campus community with how to securely manage information and other assets. This list is based on principles used by other universities, government agencies, and private businesses and on national standards. The four principles are:
The entire campus community is responsible for securing information by following university policies, processes and controls or by developing unit-specific policies, processes and controls.
The development life cycle for any system includes identifying, developing, implementing and maintaining security processes and controls. The system becomes more secure when the following are considered:
Protect the privacy of personal and business information relating to faculty, staff and students and other university populations or information.
Systems design should include logging controls and auditing processes to detect inappropriate use and to support incident investigations.
The processes and controls should be developed so that the user can easily follow the process or use the control.
Defense in depth
Systems should be developed and maintained to ensure no single point of vulnerability. Layering security defenses in an application can reduce the chance of a successful attack. Incorporating redundant security mechanisms requires an attacker to circumvent each mechanism to gain access to a digital asset.
The management of a system should include processes and controls that secure the information by considering:
The information owner should identify information as restricted, sensitive, internal or public in order to determine what security controls should be considered.
Only the minimum necessary rights should be assigned to a person to access, modify or delete information. Those rights and should be in effect for the shortest time necessary.
Separation of duties
Processes and controls should prevent a single person from executing transactions that conflict with best business practices.
The campus community is responsible for understanding the risks, threats, costs and incidents associated with securing information. There should also be an understanding of how incidents are reported and managed. It should consider:
Consider threats and risks against the costs and manageability when identifying and implementing mitigating strategies.
Manage risk appropriately
Within the system development life cycle, the system partners will identify, measure and manage risk.
Management and the campus community should keep informed of current and emerging threats.
Management and business owners should consider the costs of implementing and maintaining controls to mitigate risk as well as the costs associated with experiencing an information security incident.
The campus community will report incidents relating to the security of information. Management will be informed of information-based security incidents. Incidents will be managed in a confidential and appropriate manner.
Each security principle is explained in detail by following the links above. Examples illustrate how the principles are applied and may apply to the campus community. Best practices associated with the principle are listed, as are references to other materials. This list of security procedures and controls is not exhaustive, however.
The Office of Cybersecurity encourages you to use these principles as a guide for securing the information and systems for which you are responsible. But this is only a start. To learn more, you can discuss information security with your project team or with IT staff in your university department. Feel free to contact the Office of Cybersecurity with your questions or to offer suggestions about how we can develop a more secure environment for information.