PLEASE NOTE: This policy is published as binding draft while under campus review. If you would like to submit feedback on the draft policy and related documents, please use the feedback form.
A robust information security program is necessary for effective business operations and continuity, regulatory compliance and risk management. A security program includes administrative controls (institutional policy, procedures, protocols, documentation, training), technical controls (software and hardware) and physical controls (secure physical access to systems and data) to help protect institutional information and research data. This documentation maps relevant information security and privacy controls to the institutional information and research data categories established in the Information Security Policy.
The user of every device that connects to the campus network, or that stores or transmits institutional information or research data, is responsible for adhering to the security control standards.
Foundational Information Security Controls
Per the Information Security Policy, all information technology resources, regardless of ownership, that contain institutional information or research data must have the following foundational information security controls in place and functioning:
- Anti-virus software
- Patching & central management of University-owned computers
- Secure disposal
Additional controls may be required based on the categorization of the information or data, the nature of the information technology resource, the applicable regulatory or contractual requirements, or other risk management calculations.
Information Security Controls for Institutional Information and Research Data Categories
NIST Special Publication 800-53 is the collection of controls referenced in the Information Security Policy. These security and privacy controls apply to an environment based on its overall categorization (Low, Moderate, High) and risk assessment.
The university provides certain services, such as the UMass Private Cloud, Active Directory, etc., to assist areas in complying with many of these controls.
The table below is an overview of the twenty control families in NIST 800-53.
| Identifier | Control Family | Identifier | Control Family |
|---|---|---|---|
| AC | Access Control | MP | Media Protection |
| AT | Awareness and Training | PA | Privacy Authorization |
| AU | Audit and Accountability | PE | Physical and Environmental Protection |
| CA | Assessment, Authorization, and Monitoring | PL | Planning |
| CM | Configuration Management | PM | Program Management |
| CP | Contingency Planning | PS | Personnel Security |
| IA | Identification and Authentication | RA | Risk Assessment |
| IP | Individual Participation | SA | System and Services Acquisition |
| IR | Incident Response | SC | System and Communications Protection |
| MA | Maintenance | SI | System and Information Integrity |
- ITS-006: Information Security Policy
- Information Management
- Institutional Information, Research Data, and Information System Categorization
- Institutional Information, Research Data, and Information System Categorization Process
The UMass campuses strive to maintain consistent IT policies. The Information Security Policy and related documents have been adopted with permission from UMass Amherst.