These standards are intended to reflect the minimum level of care necessary for the University's sensitive data. They do not relieve the University of Iowa or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. You are encouraged to adopt these core security standards, prioritizing your systems by risk level. As cybersecurity is a rapidly evolving field that continuously presents us with new challenges, these standards will be revised and updated accordingly. Many of these requirements are already codified in UI Policy, but the overall Core Security Standards document will eventually become UI Policy as well.
An endpoint is defined as any laptop, desktop, or mobile device.
- Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all of them.
  - For example, an endpoint storing Low-Risk data but used to access a High-Risk application is designated as a High-Risk endpoint.
- To safeguard your endpoint, implement the security standards for its level of risk, as outlined in the table below.
Title | Recurring | What To Do | Low Risk | Moderate Risk | High Risk | Reference Link(s) |
---|---|---|---|---|---|---|
-- PDF Format | No | No | No | No | ||
Patching | Yes | | Yes | Yes | Yes | |
Inventory | Yes | | Yes | Yes | Yes | |
Media Disposal | No | | Yes | Yes | Yes | |
Whole Disk Encryption | No | | Yes | Yes | Yes | |
Backups | Yes | | Yes | Yes | Yes | |
Incident Handling | Yes | | Yes | Yes | Yes | |
Physical Protection | No | | No | Yes | Yes | |
Configuration Management | Yes | | No | Yes | Yes | |
Regulated Data Security Controls | No | | No | No | Yes | |