Policies, Procedures, and Standards

Policies

Information Security Program
This is the University of Oregon policy that establishes the Information Security Program (ISP)

Information Asset Classification & Management
This is the University of Oregon policy that establishes data classification levels. The classifications, according to this policy, are listed in the Data Security Classification Standard Table

Data Security Incident Response
This is the University of Oregon policy that establishes the Data Security Incident Responce (DSIR).

Electronic Commerce Privacy Statement
This document describes the privacy priciples followed by the University of Oregon while developing e-commerce websites.

Student Conduct Code
The Student Conduct Code establishes community standards and procedures necessary to maintain and protect an environment conducive to learning and in keeping with the educational objectives of the University of Oregon.

UO Acceptable Use Policy (AUP)
This document presents policies for acceptable use of University of Oregon computing resources.

UO Acceptable Use Policy Addendum
This document presents the University of Oregon's expansion on the State of Oregon's acceptable use policy.


Procedures

Data Security Incident Response Procedure
This procedure outlines steps, roles and responsibilities for effectively addressing cybersecurity incidents to minimize damages and maximize availability of services to support the research and academic mission of the University of Oregon (UO).

Electronic Records Access Procedure
The University of Oregon encourages the use of electronic communications and storage to share information and knowledge in support of the University’s mission and to conduct the University’s business. The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications and records. This Procedure reflects the principles within the context of the University’s legal and other obligations, while also seeking to ensure that UO records are accessible for the conduct of the University’s business.

UO Third-Party Information System Security & Application Integration Assessment Procedure
This procedure seeks to ensure that third-party information systems or system components that access, process, store or transmit UO data are appropriately managed to protect the confidentiality, integrity and availability of the data. The procedure outlines the steps for conducting assessment of these systems prior to acquisition or renewal by UO units.

UO Third-Party Information System Security & Application Integration Assessment Form
This form seeks to collect information about third-party systems or system components that access, process, store or transmit UO data and serves as input to our assessment process to determine if UO Data is appropriately managed to protect the confidentiality, integrity and availability.


Standards

Minimum Information Security Controls Standard
This standard describes the minimum information security controls necessary for all University of Oregon owned information systems.

Data Security Classification Standard Table
This standard identifies all of the the high risk, or red data and the moderate risk, or amber data at the University of Oregon.

Standard for the Use of Two-factor Authentication for Administrator Access to University Systems, Applications and Services by Privileged Accounts
This standard outlines the requirements for two-factor authentication as it applies to university owned information systems.


Guidelines

Collaboration Tools Matrix

Information Security Quick Reference Sheet

International Travel

Home Computing Security Guidelines


Other Documents