These standards are intended to reflect the minimum level of care necessary for the University's sensitive data. They do not relieve the University of Iowa or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. You are encouraged to adopt these core security standards, prioritizing your systems by risk level. As cybersecurity is a rapidly evolving field that continuously presents new challenges, these standards will be revised and updated accordingly. Many of these requirements are already codified in UI Policy, and the overall Core Security Standards document will eventually become UI Policy as well.
Endpoints

An endpoint is defined as any laptop, desktop, or mobile device.
- Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all.
- For example, an endpoint storing Low Risk data but utilized to access a High-Risk application is designated as a High-Risk endpoint.
- Implement the security standards for that risk level, as outlined in the table below, to safeguard your endpoint. In each of the tables on this page, an X in a risk column means the standard applies at that level (standards required at Low Risk also apply at Moderate and High), and an X under Recurring Task means the standard must be carried out on an ongoing basis rather than once.
Standards | Recurring Task | What To Do | Low Risk | Moderate Risk | High Risk | IT Policy/Standard Reference |
---|---|---|---|---|---|---|
Patching | X | | X | X | X | IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards |
Inventory | X | | X | X | X | UI Controller's Computer Inventory & Control Policy |
Media Disposal | | | X | X | X | IT-21 Computer Data and Media Disposal Policy |
Whole Disk Encryption | | | X | X | X | IT-19 Institutional Data Access & Handling Policy |
Backups | X | | X | X | X | |
Incident Handling | X | | X | X | X | |
USR Registration | X | | | X | X | UI Controller's Computer Inventory & Control Policy |
Physical Protection | | | | X | X | IT-18 Information Security Framework Policy; Physical Access Controls |
Configuration Management | X | | | X | X | |
Regulated Data Security Controls | | | | | X | UI Information Security Plan (08/2015) |
Servers
A server is defined as a host that provides a network-accessible service.
- Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all.
- For example, an application server that does not itself store High Risk data, but connects to a database server that does, is designated a High-Risk server.
- Implement the security standards for that risk level, as outlined in the table below, to safeguard your server.
Standards | Recurring Task | What To Do | Low Risk | Moderate Risk | High Risk | IT Policy/Standard Reference |
---|---|---|---|---|---|---|
Patching | X | | X | X | X | IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards |
Malware Protection | | | X | X | X | IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards |
Inventory | X | | X | X | X | UI Controller's Computer Inventory & Control Policy |
Media Disposal | | | X | X | X | IT-21 Computer Data and Media Disposal Policy |
Data Encryption | | | X | X | X | IT-19 Institutional Data Access & Handling Policy |
Backups & Disaster Recovery | X | | X | X | X | |
Incident Handling | X | | X | X | X | |
Firewall | | | X | X | X | IT Security Best Practices, Resources for Everyone |
Credentials & Access Control | X | | X | X | X | IT-05 Enterprise Password Policy |
Centralized Logging | | | X | X | X | Iowa Board of Regents IT Security & Network Log Retention Guidelines |
USR Registration | X | | | X | X | UI Controller's Computer Inventory & Control Policy |
Configuration Management | | | | X | X | |
SysAdmin Training | X | | | X | X | IT-16 Roles and Responsibilities for Information Security; Data Custodian section |
Vulnerability Management | X | | | X | X | IT-01 Network Vulnerability Scanning & Penetration Testing |
Intrusion Detection | X | | | X | X | UI Defense in Depth Security Strategy (12/02/2003) |
Physical Protection | | | | X | X | IT-18 Information Security Framework Policy; Physical Access Controls |
Remote Access | | | | | X | |
Security, Privacy, & Legal Review | | | | | X | |
Two-Step Authentication | | | | | X | |
Regulated Data Security Controls | | | | | X | |
Applications
An application is defined as remotely accessible software running on a server.
- Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all.
- For example, an application that processes critical business functions with high availability requirements is designated a High-Risk application.
- Implement the security standards for that risk level, as outlined in the table below, to safeguard your application.
Standards | Recurring Task | What To Do | Low Risk | Moderate Risk | High Risk | IT Policy/Standard Reference |
---|---|---|---|---|---|---|
Patching | X | | X | X | X | IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards |
Inventory | X | | X | X | X | UI Controller's Computer Inventory & Control Policy |
Data Encryption | X | | X | X | X | IT-19 Institutional Data Access & Handling Policy |
Backups & Disaster Recovery | X | | X | X | X | |
Firewall | | | X | X | X | IT Security Best Practices, Resources for Everyone |
Software Review | | | X | X | X | IT Security Best Practices, Resources for Everyone |
Credentials & Access Control | X | | X | X | X | IT-05 Enterprise Password Policy |
Incident Handling | X | | X | X | X | |
Two-Step Authentication | X | | | X | X | |
Centralized Logging | | | | X | X | Iowa Board of Regents IT Security & Network Log Retention Guidelines |
Vulnerability Management | X | | | X | X | IT-01 Network Vulnerability Scanning & Penetration Testing |
Secure Software Development | X | | | X | X | IT-18 Information Security Framework Policy; Systems & Application Software |
Developer Training | | | | X | X | IT-16 Roles and Responsibilities for Information Security; Data Custodian section |
Security, Privacy, & Legal Review | | | | | X | |
Regulated Data Security Controls | | | | | X | |