Policies

Information Security Program 
This is the University of Oregon policy that establishes the Information Security Program (ISP)

Information Asset Classification & Management 
This is the University of Oregon policy that establishes data classification levels. The classifications, according to this policy, are listed in the Data Security Classification Table

Data Security Incident Response 
This is the University of Oregon policy that establishes the Data Security Incident Response (DSIR).

Electronic Commerce Privacy Statement 
This document describes the privacy principles followed by the University of Oregon while developing e-commerce websites.

Payment Card Acceptance 
This policy establishes roles, responsibilities and rules for debit/credit card processing activities at the University of Oregon and is designed to safeguard Customer Card Data, reduce the risk of card data breach, and facilitate compliance with global payment card industry data security standards.

Student Conduct Code 
The Student Conduct Code establishes community standards and procedures necessary to maintain and protect an environment conducive to learning and in keeping with the educational objectives of the University of Oregon.

UO Acceptable Use Policy (AUP) 
This document presents policies for acceptable use of University of Oregon computing resources.

UO Acceptable Use Policy Addendum 
This document presents the University of Oregon's expansion on the State of Oregon's acceptable use policy.


Governance

Information Security and Privacy Governance subCommittee (ISP GC) 
The Information Security and Privacy Governance subCommittee (ISP GC) was established to ensure that the information security and privacy programs are aligned with UO academic, research, and administrative objectives. The committee covers the protection of information systems, data confidentiality, integrity and availability. The ISP GC is expected to meet at least quarterly.


Procedures

Electronic Records Access Procedure 
The University of Oregon encourages the use of electronic communications and storage to share information and knowledge in support of the University’s mission and to conduct the University’s business. The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications and records. This Procedure reflects the principles within the context of the University’s legal and other obligations, while also seeking to ensure that UO records are accessible for the conduct of the University’s business.

UO Third-Party Information System Security & Application Integration Assessment Procedure 
This procedure seeks to ensure that third-party information systems or system components that access, process, store or transmit UO data are appropriately managed to protect the confidentiality, integrity and availability of the data. The procedure outlines the steps for conducting assessment of these systems prior to acquisition or renewal by UO units.

UO Third-Party Information System Security & Application Integration Assessment Form 
This form seeks to collect information about third-party systems or system components that access, process, store or transmit UO data and serves as input to our assessment process to determine if UO Data is appropriately managed to protect the confidentiality, integrity and availability.

Storage Sanitization Before Reuse, Recycle or Disposal Procedure 
This procedure seeks to ensure that the data is destroyed and removed from storage devices before they can be reused, recycled or disposed. Before this procedure is used, ensure that you have reviewed the University of Oregon Records Retention Schedule (UO RRS) for the records in the memory device. These memory devices can be hard drives, flash memory / SSDs, mobile devices, CDs, and DVDs, etc.

Duo Admin Console Access Procedure 
This procedure seeks to provide a mechanism for independent departments to request access to the Duo Admin Console with the Help Desk role.


Standards

Minimum Information Security Controls Standard 
This standard describes the minimum information security controls necessary for all University of Oregon owned information systems.

Standard for the Use of Two-factor Authentication for Administrator Access to University Systems, Applications and Services by Privileged Accounts 
This standard outlines the requirements for two-factor authentication as it applies to university owned information systems.

Endpoint Management Standard 
This standard identifies the minimum requirements for university owned endpoint devices.

Vulnerability Management Standard 
This standard identifies the minimum requirements for university owned information systems.


Guidelines

Data Security in UO Collaboration Tools Matrix 

Data Security Classification Table 
This table identifies all of the the high risk, or red data and the moderate risk, or amber data at the University of Oregon.

Information Security Quick Reference Sheet 

International Travel

Home Computing Security Guidelines 


Other Documents

ISO Glossary and Iconography