IT Policy is derived from authorities provided to the Chief Information Officer via the University of Iowa Operations Manual. IT policies inform the community as to their roles and responsibilities, as well as enforcement mechanisms for non-conformance with these expectations.  Policies are managed via the Enterprise IT Policy Development and Approval Process.

IT Standards describe technical requirements for conformance with policies; they may describe specific configurations, timelines, or processes to meet these requirements.

IT Guidelines describe best practices for an area that is not yet covered by IT Policies & Standards. As guidelines are communicated to and implemented by the community, they may evolve into policy & standards over time.

Compliance describes how the institution addresses regulatory or industry-standard control requirements. These are normally formulated as Security Management Plans.

Requests for an exception to IT Policies & Standards can be submitted via the webform link here: Request a security exception


References to the Operational Manual and relevant business policies are linked below.

Policy Number  Policy Name 
IT-01  Network vulnerability assessment and incident response
IT-02  Enterprise active directory 
IT-03  IT privacy
IT-07  Residence halls network acceptable use (ResNet)
IT-08  Network citizenship
IT-09  Mass e-mail mailings
IT-10  Domain name
IT-12  E-mail address
IT-15  Enterprise authentication, authorization, and access
IT-18  Security
IT-19  Institutional data
IT-20  Network and airspace
IT-26  IT accessibility
HIPAA General Privacy Rules and HIPAA
Operations manual - section II, Chapter 19  Acceptable use information technology resources
Operations manual - section II, Chapter 36  Social security numbers
Operations manual - section II, Chapter 45  Video surveillance
Related business policy  Computer inventory and internal control
Related business policy   Credit card policy and security standards
Related business policy   Identity theft prevention program
Related HR policy Background checks


Report a Security Incident

Device compromises or the disclosure of sensitive and or personal information must be reported to the Information Security and Policy Office.