Determining Risk Levels

These standards are intended to reflect the minimum level of care necessary for the University's sensitive data. They do not relieve the University of Iowa or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. You are encouraged to adopt these core security standards, prioritizing your systems by risk level. Because cybersecurity is a rapidly evolving field that continuously presents new challenges, these standards will be revised and updated accordingly. Many of these requirements are already codified in UI Policy, and the overall Core Security Standards document will eventually become UI Policy as well.

An endpoint is defined as any laptop, desktop, or mobile device.

  1. Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all three.
    • For example, an endpoint storing Low Risk data but used to access a High Risk application is designated a High Risk endpoint.
  2. Implement the security standards for that level of risk, as outlined below, to safeguard your endpoint.
Each standard below states whether it is a recurring activity and the risk levels (Low, Moderate, High) at which it is required, followed by what to do.

Patching
  Recurring: Yes. Required at: Low, Moderate, High.
  • Keep all software (OS and application) up to date to the extent possible.
  • Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
  • Only use actively supported operating systems and applications. Systems with unsupported or outdated OS and applications may not be directly connected to the campus network.

Inventory
  Recurring: Yes. Required at: Low, Moderate, High.
  • Use campus, college, or unit inventory services/procedures to track all devices.

Media Disposal
  Recurring: No. Required at: Low, Moderate, High.
  • All institutional data and licensed software must be reliably erased from all devices prior to transfer within the UI, and wiped before leaving University control.
  • All end-of-life data storage hardware, after being erased, must be transferred to UI Surplus.
  • If data cannot be erased, the media must be destroyed.
  • Research data must be approved for release by the OVPR before it can be transferred out of University control.
  • UI Record data (Official and Convenience) must be destroyed in accordance with UI Records Management Policy.

Whole Disk Encryption
  Recurring: No. Required at: Low, Moderate, High.
  • Whole disk encryption is required on all laptops and tablet computers, on USB storage devices holding Level III data, and on desktops in units that regularly handle Level III data.
  • Enable FileVault 2 for Mac, BitLocker for Windows, BitLocker To Go for Windows USB devices, and LUKS or similar software for Linux.
  • Systems must be domain-joined and enrolled in device management in order to use whole disk encryption.

Backups
  Recurring: Yes. Required at: Low, Moderate, High.
  • Institutional data should not be stored locally.
  • If there is a business requirement to store institutional data locally, the data must be backed up in accordance with the UI Records Management Program.
  • System and data backups must exist to enable prompt recovery/restoration of service.

Incident Handling
  Recurring: Yes. Required at: Low, Moderate, High.
  • All suspected or confirmed security incidents must be immediately reported to the Security Office.
  • No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.

Physical Protection
  Recurring: No. Required at: Moderate, High.
  • All endpoints must be kept in a physically secure location when staff are not present.
  • Laptops and tablets must be physically secured when not in use.
  • The location must be protected by physical access controls such as keys or proximity cards.

Configuration Management
  Recurring: Yes. Required at: Moderate, High.
  • Automated system change control management must be used for devices, such as the UI Casper or MS-SCCM services.
  • The CM process must monitor and control hardware and software configuration changes.

Regulated Data Security Controls
  Recurring: No. Required at: High.
  • Implement additional requirements in accordance with applicable regulations.
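The two-step procedure above (take the highest of the data, server and application designations, then apply the rows required at that level) is easy to mis-apply by hand when an endpoint has mixed designations or a backlog of patches. The following is an added example, not code or data from the University of Iowa: it encodes the table's applicability per risk level and the 5-day/30-day patch windows, then runs them over two constructed endpoint records. The record layout, field names, control names and the fixed reference date are assumptions made for illustration.

```python
# Added example: checks endpoint inventory records against the Core Security
# Standards table. Record layout, control names and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import date

RISK_ORDER = {"Low": 0, "Moderate": 1, "High": 2}

# Patching row: critical updates within 5 days, normal patches within 30.
PATCH_SLA_DAYS = {"critical": 5, "normal": 30}

# Lowest overall risk level at which each row of the table is required.
CONTROL_MIN_RISK = {
    "Patching": "Low",
    "Inventory": "Low",
    "Media Disposal": "Low",
    "Whole Disk Encryption": "Low",
    "Backups": "Low",
    "Incident Handling": "Low",
    "Physical Protection": "Moderate",
    "Configuration Management": "Moderate",
    "Regulated Data Security Controls": "High",
}


@dataclass
class Patch:
    name: str
    severity: str          # "critical" or "normal"
    released: date
    installed: bool = False


@dataclass
class Endpoint:
    hostname: str
    kind: str              # "laptop", "tablet", "desktop" or "mobile"
    data_risk: str
    server_risk: str
    application_risk: str
    os_supported: bool
    disk_encrypted: bool
    handles_level_iii: bool
    in_inventory: bool
    under_config_management: bool
    physically_secured: bool
    patches: list = field(default_factory=list)


def overall_risk(ep: Endpoint) -> str:
    """Step 1: the highest designation across data, server and application wins."""
    return max((ep.data_risk, ep.server_risk, ep.application_risk),
               key=RISK_ORDER.__getitem__)


def applicable_controls(risk: str) -> list:
    """Rows of the table required at the given overall risk level."""
    return [name for name, minimum in CONTROL_MIN_RISK.items()
            if RISK_ORDER[risk] >= RISK_ORDER[minimum]]


def overdue_patches(ep: Endpoint, today: date) -> list:
    """Uninstalled patches whose SLA window has already elapsed."""
    return [p for p in ep.patches
            if not p.installed
            and (today - p.released).days > PATCH_SLA_DAYS[p.severity]]


def evaluate(ep: Endpoint, today: date):
    """Return (overall risk, list of findings) for one endpoint record."""
    risk = overall_risk(ep)
    required = set(applicable_controls(risk))
    findings = []
    if not ep.os_supported:
        findings.append("Patching: unsupported OS; may not connect directly to the campus network")
    for p in overdue_patches(ep, today):
        findings.append(f"Patching: {p.name} ({p.severity}) released {p.released}, "
                        f"{PATCH_SLA_DAYS[p.severity]}-day window exceeded")
    if not ep.in_inventory:
        findings.append("Inventory: device not tracked in an inventory service")
    # WDE row: every laptop/tablet, plus desktops in units handling Level III data.
    needs_wde = ep.kind in ("laptop", "tablet") or (ep.kind == "desktop" and ep.handles_level_iii)
    if needs_wde and not ep.disk_encrypted:
        findings.append("Whole Disk Encryption: required for this device but not enabled")
    if "Physical Protection" in required and not ep.physically_secured:
        findings.append("Physical Protection: location lacks physical access controls")
    if "Configuration Management" in required and not ep.under_config_management:
        findings.append("Configuration Management: not enrolled in automated change control")
    return risk, findings


# Constructed sample records (not real UI endpoints) and a fixed reference date.
TODAY = date(2024, 3, 15)

LAPTOP = Endpoint(
    hostname="lab-laptop-01", kind="laptop",
    data_risk="Low", server_risk="Low", application_risk="High",  # High Risk app => High endpoint
    os_supported=True, disk_encrypted=False, handles_level_iii=False,
    in_inventory=True, under_config_management=False, physically_secured=True,
    patches=[
        Patch("OS-2024-03-A", "critical", date(2024, 3, 1)),   # 14 days old: overdue
        Patch("APP-2024-03-B", "normal", date(2024, 3, 1)),    # 14 days old: within 30
        Patch("OS-2024-03-C", "critical", date(2024, 3, 12)),  # 3 days old: within 5
    ],
)

DESKTOP = Endpoint(
    hostname="front-desk-07", kind="desktop",
    data_risk="Low", server_risk="Low", application_risk="Low",
    os_supported=True, disk_encrypted=False, handles_level_iii=False,
    in_inventory=True, under_config_management=False, physically_secured=False,
)

if __name__ == "__main__":
    for ep in (LAPTOP, DESKTOP):
        risk, findings = evaluate(ep, TODAY)
        print(f"{ep.hostname}: {risk} risk, {len(findings)} finding(s)")
        for item in findings:
            print("  -", item)
```

The laptop is classified High solely because of the application it reaches, so the Configuration Management row applies to it even though its data is Low Risk; the Low Risk desktop is not flagged for missing configuration management or physical access controls, because those rows start at Moderate. Patches are judged by age against their own window, so the same 14-day-old release is a finding when critical and compliant when normal.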