Policies
Information Security Program
This is the University of Oregon policy that establishes the Information Security Program (ISP).
Information Asset Classification & Management
This is the University of Oregon policy that establishes data classification levels. The classifications, according to this policy, are listed in the Data Security Classification Table.
Electronic Commerce Privacy Statement
This document describes the privacy principles followed by the University of Oregon while developing e-commerce websites.
Payment Card Acceptance
This policy establishes roles, responsibilities and rules for debit/credit card processing activities at the University of Oregon and is designed to safeguard Customer Card Data, reduce the risk of card data breach, and facilitate compliance with global payment card industry data security standards.
Student Conduct Code
The Student Conduct Code establishes community standards and procedures necessary to maintain and protect an environment conducive to learning and in keeping with the educational objectives of the University of Oregon.
UO Acceptable Use Policy (AUP)
This document presents policies for acceptable use of University of Oregon computing resources.
UO Acceptable Use Policy Addendum
This document presents the University of Oregon's expansion on the State of Oregon's acceptable use policy.
Governance
Information Security and Privacy Governance subCommittee (ISP GC)
The Information Security and Privacy Governance subCommittee (ISP GC) was established to ensure that the information security and privacy programs are aligned with UO academic, research, and administrative objectives. The committee covers the protection of information systems, data confidentiality, integrity and availability. The ISP GC is expected to meet at least quarterly.
Procedures
Electronic Records Access Procedure
The University of Oregon encourages the use of electronic communications and storage to share information and knowledge in support of the University’s mission and to conduct the University’s business. The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications and records. This Procedure reflects the principles within the context of the University’s legal and other obligations, while also seeking to ensure that UO records are accessible for the conduct of the University’s business.
UO Third-Party Information System Security & Application Integration Assessment Procedure
This procedure seeks to ensure that third-party information systems or system components that access, process, store or transmit UO data are appropriately managed to protect the confidentiality, integrity and availability of the data. The procedure outlines the steps for conducting assessment of these systems prior to acquisition or renewal by UO units.
UO Third-Party Information System Security & Application Integration Assessment Form
This form seeks to collect information about third-party systems or system components that access, process, store or transmit UO data and serves as input to our assessment process to determine if UO Data is appropriately managed to protect the confidentiality, integrity and availability.
Storage Sanitization Before Reuse, Recycle or Disposal Procedure
This procedure seeks to ensure that data is destroyed and removed from storage devices before they are reused, recycled or disposed of. Before using this procedure, ensure that you have reviewed the University of Oregon Records Retention Schedule (UO RRS) for the records on the memory device. Memory devices include hard drives, flash memory / SSDs, mobile devices, CDs, DVDs, etc.
Standards
Minimum Information Security Controls Standard
This standard describes the minimum information security controls necessary for all University of Oregon owned information systems.
Standard for the Use of Two-factor Authentication for Administrator Access to University Systems, Applications and Services by Privileged Accounts
This standard outlines the requirements for two-factor authentication as it applies to university owned information systems.
Endpoint Management Standard
This standard identifies the minimum requirements for university owned endpoint devices.
Vulnerability Management Standard
This standard identifies the minimum requirements for university owned information systems.
Server Management Standard
This standard identifies the minimum requirements for University of Oregon or vendor owned server devices connected to the university network.
Log Management Standard
This Standard applies to all information systems or resources used by the University to process, handle or store university information; accept or control network connections; or make access control (authentication and authorization) decisions.
Guidelines
Data Security in UO Collaboration Tools Matrix
Data Security Classification Table
This table identifies all of the high-risk (red) data and the moderate-risk (amber) data at the University of Oregon.