InfoSec Policy and Standards Common Foundation

Policies and Standards
A Common Foundation

The university's Information Security Policies and Standards were developed as a common foundation for information security outlook, approach and practice. Primary consideration was given to the following objectives:

  1. Help the university to focus on its core missions of research and academic excellence by lowering the risk of security incidents which could distract from these missions.
  2. Define a compliance posture relative to information security statutes, regulations, contracts and good practice without duplication of effort. (One set of policies and standards designed to address all information security compliance objectives instead of one for HIPAA, one for FERPA, one for PCI, etc.)
  3. An approach that is, where possible, technology neutral and allows for some variation given legitimate requirements, so long as the risk is explicitly defined and accepted by a level of directly responsible management appropriate to the risk being assumed.
  4. An approach that accounts for the dynamic environment we are in today, an environment of changing statutory and regulatory expectations and changing technology, where awareness is an integral part of everyone's job.

    [Figure: Foundation of InfoSec Chart]

    [Figure: Scope of InfoSec Policies]

What is a policy?

The definitions of what is a policy, what is a standard and what is a procedure also had to be understood. Without this understanding of related but distinct terms, policies tend to become too detailed and take on the characteristics of standards or procedures.

For the purposes of the university's Information Security Policies and Standards (as well as related procedures), the following definitions are used:

  • Policy - A high-level requirement statement or paragraph about a type of technology or behavior in the IT environment.
  • Standard - A required approach for conducting an activity or using technology, and/or descriptive requirements for a behavior-based policy.
  • Procedure - Clear steps to follow to accomplish specific tasks or behave in certain ways. Procedures should support organizational, contractual, regulatory and/or statutory obligations and requirements.

Once the strategic positioning of the Information Security Policies and Standards was determined, a review and comment process was initiated so university constituents would have an opportunity to voice suggestions and concerns...
