Information Security Domains, Supporting Protocols, Standards, and Procedures

The University at Albany’s Information Security policy identifies ten domains which serve as a basis for protocol development and controls management. Examples of other domains include: Asset Classification, Access Control, and Incident Detection and Management. Protocols may be established for each Domain to provide direction and a framework for related companion documents.

Asset Classification

An enterprise-wide program designed to identify critical information and physical assets and develop a comprehensive approach to their protection and management.

• Protocol: Asset Classification

  • Data Classification Standard
    
    

    • View as a DOCX: Data Classification Standard

  • Category 1 Storage Standards

  • Category 1 Security Controls Standards

    • View as a DOCX:  Category 1 Security Control Standards

Risk Assessment and Analysis

Management processes conducted on a periodic basis to identify, report, and analyze reasonably foreseeable internal and external risks and vulnerabilities, likely threats, impacts, and potential losses using standard risk assessment methodologies for the purpose of recommending appropriate controls to mitigate unacceptable levels of exposure.

Identity Management

A comprehensive and unified approach to managing the identities of persons and processes issued by the University for the purpose of granting and controlling access to campus information resources. This includes exercising due care in the areas of identity assurance, issuance, authentication, authorization, revocation, and recovery of identity elements (NetIDs, tokens, etc.).

• Protocol: Protection and Use of Faculty, Staff and Student Identifiers 

  • Protection and Use of Faculty, Staff, and Student Identifiers Standards and Procedures 

    • View as PDF: Protection of Identifiers Standards Procedures

  • Protection and Use of Faculty, Staff, and Student Identifiers Glossary
    
    

    • View as PDF: Protection and Use of Faculty, Staff and Student Identifiers Glossary

Access Control

Standards and procedures governed by the principle of “least privilege” and employing industry-accepted access control and authorization frameworks to ensure that external and internal computer applications and persons have only such access as is appropriate to information resources, and to facilities and devices containing and displaying information.

• Protocol: Access to Electronic Records Held in Accounts Subsequent to Termination, Departure or Death

  • FORM: Request for Access to a University at Albany Personal Account

  • Link to online compliance: Access and Compliance Agreement

  • FORM: Third Party Management of UAlbany Website Agreement MOU

Infrastructure Management

Standards and procedures to create and maintain prioritized, reasonable, and appropriate safeguards and controls for the University’s information infrastructure (databases, storage media, workstations, PDAs, mobile and hand held devices, servers, network devices, wireless access points, firewalls, etc.), along with measures to insure compliance.

• Protocol: Media Disposal, Destruction, and Redeployment

  • NIST Guidelines for Media Sanitization (table)

  • Media Sanitization, Disposal and Redeployment Procedures
    
    

    • View as PDF: Media Sanitization, Disposal and Redeployment Procedures

• Endpoint Computing Management

  • Standards for Managing and Securing University-owned Endpoint Computing Assets 

    • View as PDF: Standards for Managing and Securing Endpoint Computing Assets

Software Assurance

Consists of appropriate reviews and controls used to validate the performance and security of software before it is purchased or developed and put into production.

Incident Response

Establishes procedures and assigns responsibilities for detecting, reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of University business records, or attempts to deny or impede legitimate access to those records.

• Protocol: Information Security Incident Response 

Information Security Awareness Program

The Awareness Program promotes and promulgates best practices at all levels (including management), and informs and safeguards University staff.

Oversight of Service Providers

Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for sensitive information and require service providers by contract to implement and maintain such safeguards.

Documentation

Maintain, make appropriately available, and periodically review information security policies and procedures in written (which may be electronic) form; and keep written records of any action, activity or assessment that requires documentation.