To use the following procedures, first determine the risk level by reviewing the Data Risk Classification Policy and selecting the highest applicable risk designation.

| Standards | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
|---|---|---|---|---|---|
| Patching | Apply security patches either automatically or within the time limit. | ||||
| Whole Disk Encryption | Enable appropriate technology. E.g., BitLocker (Windows), FileVault (OSX), Unix or mobile-specific encryption. | ||||
| Malware Protection | Install antivirus. | ||||
| Access Control | Integrate device into AD or Shibboleth as appropriate, otherwise implement UB Password Policy. | ||||
| Firewall | Enable host-based firewall in default deny inbound mode and only permit necessary services. | ||||
| Backups | Back up data at least daily using Storage Protect or UB Box. | ||||
| Inventory | Register device in Lansweeper (or dept-provided tool). | ||||
| Vulnerability Management | Register for Nexpose scanning service. | ||||
| Centralized Logging | Forward logs to central logging service. | ||||
| End User Security Training | Enroll in UB EDGE training. | ||||
| Intrusion Detection | Enroll in UB EDGE training. | ||||
| Physical Protection | Place device in a datacenter or controlled location. | ||||
| Security Assessment | Request a review by the Information Security Office. | ||||

| Service | Low Risk | Moderate Risk | High Risk: Non-ePHI¹ | High Risk: ePHI² |
|---|---|---|---|---|
| Audio and Video Conferencing: Zoom | ||||
| Backups: Central Backups | ||||
| Calendar: Microsoft Exchange | ||||
| Cloud Infrastructure: Self-Selected (No official cloud partner yet) | ||||
| Content Management: UBCMS | ||||
| Content Management: Drupal, WordPress | ||||
| Database Hosting: MSSQL, Oracle, MySQL | ||||
| Document Management: UB Box | ||||
| Document Management: UBFS (CIFS, NFS) | ||||
| Document Management: Dropbox, Google Docs, Google Drive, Office 365 OneDrive | ||||
| Document Imaging: ImageNOW | ||||
| Electronic Signature: AdobeSign, DocuSign | ||||
| Email: UBmail for students | ||||
| Email: UBmail for faculty and staff | ||||
| Email: Personal Email Services | ||||
| Encryption: BitLocker, FileVault, PGP WDE | ||||
| Instant Messaging: Jabber | ||||
| Issue Tracking: RemedyForce | ||||
| Shared Computing: UBVCL | ||||
| Voice Messaging (VOIP) | ||||
| VPN | ||||
| Web Programming Environment (OpenShift) | ||||
| Wiki: Confluence | ||||

¹ Payment Card Industry (PCI) data has special requirements that preclude using the services above. Contact Financial Management for assistance with handling this type of data.

² Protected Health Information (PHI) data has special regulatory requirements that govern using the services above. Contact the ISO for assistance handling this type of data.