Information Security

Purpose

At the University of Illinois, our data and digital ecosystem are tremendous and valuable. Any negative impact to them dulls our advantage, slows our momentum, and hurts our ability to achieve our mission. The purpose of placing these policies on the use, handling, and management of digital resources is to preserve their value, utility, and continual advantage for the whole institution.

This policy intends to:

  • define requirements such that everyone may understand and implement them.
  • facilitate a reasonable process for navigating risks, and decision-making needed for policy variances.
  • enable the success of the university mission by supporting the usefulness of digital technologies and data for the whole university community.

Scope

This policy sets requirements upon all University Information and/or Digital University Technology Resources (“I&T Resources”), and applies to all persons and/or their agents who manage, access, store, use, or interact with such resources directly or indirectly.

Related Policies

Related Law & Regulations

Authority

This Policy is issued under the authority of the Vice Chancellor and Provost, with the concurrence of the Vice Provost for Information Technology and Chief Information Officer (CIO), who is charged with establishing and maturing policy, standards, and practices which support and maintain the integrity and availability of I&T Resources.

Policy

  1. University Data must be managed and protected:
    1. University Data must be classified and labeled per Institutional Data Security Standard (“DAT01”); and handled accordingly.
    2. Access to and use of University Data must conform to DAT02-Information Access Control Standard (“DAT02”).
    3. All sensitive and high-risk university data in any university technology or environment must be officially, promptly, and accurately documented such that it may be accounted for by university risk officials.
  2. University units or organizations hosting or managing University Data or I&T Resources must establish and maintain the following features within their program:
    1. A risk management strategy meeting or exceeding the Information Risk Management Standard (“MGT01”).
    2. An information security plan assigning security roles and resources meeting or exceeding the Information Security Management Standard (“MGT02”).
    3. Periodic security assessments meeting or exceeding Compliance Management Standard (“MGT03”).
    4. Business continuity and disaster recovery plan(s) meeting or exceeding the MGT04-Business Continuity Management Standard and the Disaster Recovery Standard (“IT01”).
  3. University units or organizations, and persons acting in legal and/or administrative capacities, must:
    1. (Legal functions) Identify laws and regulations relevant to I&T Resources as they emerge, per Legal and Regulatory Compliance Standard (“LEG01”).
    2. (Financial functions) Verify separation of duties in financial systems and processes, per Financial Systems Security Standard (“BUS01”).
    3. (Purchasing functions) Require third party digital products, software, and services vendors to satisfy the university information security requirements, per Contract Management Security Standard (“PUR01”) and Vendor Management Security Standard (“IT09”).
    4. (Human Resources functions) Manage employee risks over the span of each person’s employment at the university, per Personnel Security Standard (“PS01”), including:
      1. Perform prior background analysis for employees or potential employees to be placed in official roles giving or requiring access to I&T Resources; and:
        1. Limit or expand access authorization appropriate only to specific role needs; and
        2. Limit or deny access based on role access requirements or adverse background check results.
      2. Establish and maintain processes to:
        1. authorize, grant, audit, or revoke access to I&T Resources by employees; and
        2. execute timely access revisions, based on employee role or status change; and
        3. recover I&T Resources from employees upon any role or employment status change.
  4. All physical facilities and infrastructure used for I&T Resources must meet the following standards:
    1. Site Security Standard (“FAC01”),
    2. IT Workspace Security Standard (“FAC02”); and
    3. Infrastructure Security Standard (“IT02”).
  5. Information Technology Programs (“IT Programs”) and persons acting in information technology support roles must:
    1. Detect, respond to, and manage cybersecurity incidents promptly and effectively, per Security Incident Management Standard (“IT14”).
    2. Align and secure university digital identities, access, and authorization technologies, schemes, and methods per the Identity Management Standard (“IT05”), including:
      1. all creation, use, and management of digital identities; and
      2. authentication and authorization processes.
    3. Design, protect and operate securely all I&T Resources administered, managed, shared, and used:
      1. Network technologies must meet the Network Security Standard (“IT03”).
      2. Server technologies must meet the Server Security Standard (“IT04”).
      3. Client systems and applications must meet the Client Computer Security Standard (“IT10”).
      4. Mobile devices and applications must meet the Mobile Device Security Standard (“IT11”).
      5. Digital Communications must meet the Digital Communications Security Standard (“IT12”).
    4. Protect I&T Resources endpoints from exploitation, including from threat activity, compromise, and malware, per the Malicious Software Protection Standard (“IT06”).
    5. Protect I&T Resources’ storage media by using and disposing per Storage Media Security Standard (“IT15”).
    6. Identify and label I&T Resources, including information assets and software, such that they may be managed securely per Asset Management Standard (“IT17”) and Software License Management Standard (“IT18”).
  6. IT Programs and/or persons who develop software for production or official use anywhere within the university ecosystem must:
    1. establish and maintain a formal, risk-managed software development lifecycle process, per Development Process Standard (“IT08”); and
    2. develop security controls and assurance based on calculated level of risk during development, modification, use, and retirement; and
    3. secure their development and operation of applications such that:
      1. all developed software produces correct, intended results and performs only authorized, valid transactions; and
      2. University Data is not and will not be exposed inappropriately or unintentionally, per Application Development Security Standard (“IT07”); and
      3. web applications meet Web Application Security Standard (“IT13”).
  7. Persons with access to I&T Resources and acting in any official university capacity must:
    1. complete cybersecurity awareness training at least annually, per Security Training Standard (“IT16”); and
    2. review the Appropriate Use of Information and Technology Resources policy; and
    3. sign a data confidentiality agreement affirming knowledge of Data Classification and acknowledging responsibility to protect University Data; and
    4. exercise due diligence to address Information Security Policy gaps by:
      1. working with staff, unit Cybersecurity Liaisons, or Identity, Privacy, & Cybersecurity (IPC) to remedy gaps; or
      2. obtaining executive authorization via official university Risk Acceptance process.
  8. All policy exceptions, variances, or non-conformance require Executive Authorization and Business Risk Acceptance (“Risk Acceptance”). Unauthorized or unmitigated variances may result in sanctions including:
    • denied access to or isolation of I&T Resources; or
    • reduced functionality of I&T Resources; or
    • disciplinary action up to and including termination or dismissal.

Definitions

University Information and/or Digital University Technology Resources (“I&T Resources”)

See “I&T Resources,” as defined in Appropriate Use of Information and Technology Resources (Campus Administrative Manual; Policy FO-07).

“University Data”

“University Data” refers to the body of digital information or data ideated, generated, recorded, transmitted, leased, processed, or stored for academic, business, administrative, and other official purposes. University Data includes, but is not limited to, communications, administrative records, research data, operational information, reports, papers, files, business records, metadata, telemetry, data streams, or metrics.

UIUC Information Security Standards (“Security Standards”)

“Security Standards” are technical and administrative control specifications representing the minimum level of standard practices and controls required by this policy for I&T Resources. Ref.: Security Standards index.

Executive Authorization and Business Risk Acceptance (“Risk Acceptance”)

“Risk Acceptance” refers to the university risk process established to evaluate business risks at an executive level. All executive stewards and stakeholders may, at their discretion, decide to accept, mitigate, or not accept risk items under consideration. Common stakeholders can include data stewards such as the HIPAA data officer or Registrar; deans, vice chancellors or provosts; university counsel, or members of the president’s cabinet. Risk Acceptance process may be initiated by visiting the Illinois Exception Request site. More information.

“IT Programs”

“IT Programs” refers to University units or organizations developing or managing I&T Resources; or having personnel acting in any Information Technology support capacity.

Procedural

Processes

Tools

Contact

Office of the CIO
Identity, Privacy, & Cybersecurity; securitysupport@illinois.edu


Campus Administrative Manual
Email: campusadminman@illinois.edu