Standards: Data Classifications


This document addresses the minimum standards required under data categorization to ensure the confidentiality, integrity, and availability of university data and technology resources. If you have trouble viewing the information on this page, you can download a PDF copy below.
ITS Security Standards APM 30.11 - August 2016

Policy Reference

APM 30.11 Data Classifications and Standards.


These Standards are the minimum baseline for all university faculty, staff, students, and affiliates who are accessing, storing, and processing UI data or using UI technology resources at the Low, Moderate, or High risk levels.

Effective date: August 20, 2016.


Access Control
Use separate privileged accounts for administrative or security access, and audit the use of privileged access.
   X  X 3.1.5,6,7

Access Control
Require authentication (or verify identity) to access non-public information and limit information access to authorized users and processes.
 X  X  X 3.1.1,3.1.2,3.5.2

Access Control
Require ITS-approved and centrally logged authentication for access to data.
     X 3.1.3

Access Control
Store data only on the ITS shared drive or ITS-approved locations.
     X 3.1.3

Access Locks
Limit unsuccessful logon attempts by locking accounts after 20 unsuccessful attempts in 10 minutes.
 X  X  X 3.1.8

Access Timeout
Lock workstation or session after 5 minutes of inactivity. Automatically terminate session when appropriate.
     X 3.1.10,3.1.11

Access Timeout
Lock workstation or session after 15 minutes of inactivity. Automatically terminate session when appropriate.
   X X

Antivirus
All systems capable of running antivirus must install and run it with up-to-date definitions and periodic scans.
  X X

Antivirus
Installed antivirus must be managed or approved by the ITS Security Office (Sophos).
     X 3.14.6

Audit
Log system access to enable analysis, investigation, and reporting of unlawful or unauthorized activity, and ensure individual users can be uniquely identified.
 X X

Audit
Ensure logs for data and systems access are centrally logged for at least 1 year. All systems should be time synchronized to assure accuracy. Logs must be protected from unauthorized access or modification, and access changes limited to a subset of privileged users.
      X 3.3.7,3.3.9

Configuration Management
Establish baseline configuration and hardware and software inventory through ITS configuration management. Baseline configuration must establish and enforce security settings. Inventory, control, and monitor user software.
   X  X

Configuration Management
Establish least functionality by disabling unneeded access, services, or functionality. Restrict local admin rights on workstations.

DNS
All systems must use ITS-approved Domain Name System (DNS) servers.
   X X NFO SC-20,21,22

Encryption
All data must be encrypted in transport and at rest. Endpoint or mobile devices must be encrypted with ITS-managed encryption.
      X 3.8.6,3.13.10,3.13.11,3.1.19

Encryption
All authentication must happen over encrypted transport mechanisms.
   X

Firewall
All systems capable of running a host-based firewall must have it turned on and configured consistent with the principles of least privilege.
  X X

Identification and Authentication
Identify users, user processes, or devices accessing data or systems. Require authentication before system or data modification.
 X X

Incident Response
Report all suspected technology security incidents to the ITS Security Office and cooperate with assigned investigators. All reports will be categorized, tracked, and reported per the Technology Security Incident Response Plan.
 X  X

Inventory
All networked devices, except on designated and restricted guest networks, must be registered in the ITS Network Management System.
 X X  3.4.1

Logon Banner
Where possible, provide an approved system use notification at every logon to university controlled systems.
 X X X  3.1.9

Maintenance
Limit maintenance on information systems to authorized personnel. Sanitize media of university data before any off-site maintenance is performed.
   X X 3.7.1,3.7.2

Media Protection
Protect paper and digital media from physical access except by authorized users.
   X X

Media Sanitization
Sanitize or destroy by an approved method (DBAN or similar) any media with university data, before media is disposed of or reused.
  X X  3.8.3

Multifactor Authentication
Use multi-factor authentication for local and network access to privileged accounts, and network access to non-privileged accounts.
Target for 2017 3.5.3

Patching
Only run operating systems which are currently supported and patched. Apply security patches to address flaws in systems and applications automatically, or within 10 days. Alternatively, patches may be applied in a timeframe approved through a risk-based vulnerability assessment process approved by the ITS Security Office and all affected data and system owners.
  X X  3.14.1

Physical Protection
All university data centers must be limited in access, that access be logged and monitored, and all visitors escorted and logged.
 X X

Public Data
Information to be published external to the university must be approved by an appropriate authority or process.
 X   X X

Remote Access
Monitor and control remote workstation access, and limit to access via ITS-managed VPN.
    X X 3.1.12,3.1.14,

Removable Media
Removable media or storage devices which may contain university data must be restricted from external use by mandating ITS-managed encryption.
      X 3.1.21,3.8.6

Risk Assessment
All devices on the university network are subject to vulnerability scanning, and proactive measures taken (APM 30.14) by the Computer Security Incident Response Team in accordance with assessment of risk.
 X  X X 3.11.2,3.11.3

Security Assessment
Security controls must be periodically assessed and action plans implemented to address any vulnerabilities and to ensure continued effectiveness.
    X X 3.12.1,2,3

Security Awareness
All users shall receive routine security awareness training appropriate for their role.
   X  X 3.2.1,2,3

System and Communication Protection
Incoming and outgoing communications must be monitored, controlled, and protected where they enter and leave university controlled systems. Architecture and design shall promote effective information security. This includes email as well as interfaces with external vendors.
  X X X 3.13.1,3.13.2

System and Communication Protection
Publicly accessible systems shall be on separate networks from internal-only systems.
  X X X 3.13.5

Vendor Security Assessments
A Risk Assessment must be completed by the ITS Information Security Office before the University acquires or utilizes external information systems.
  X X X NFO SA-9

Wireless Access
Limit access to university systems and data to approved wireless networks that use encryption and authentication (AirVandalGold).
    X X 3.1.17

Other References

NIST SP800-171 (January 2016)
NIST SP800-53r4 (April 2013)


Data at Rest: For the terms of this standard, "at rest" data will be considered to be data outside of the ITS-managed or approved data centers.
Privileged Access: Authorized access to perform security-relevant functions that ordinary users are not allowed to perform.
Remote Access: Access to an information system communicating through an external network (Internet).
Local Access: Access to an information system directly and not through a network.
Multifactor Authentication: Two or more factors to achieve authentication, including something you know (password); something you have (cryptographic device, hardware or software token); or something you are (biometric).
Security Functions: Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data.

*For further glossary clarification, refer to NIST SP800-171.

Standards Owner

UI Information Technology Services (ITS) is responsible for the content and management of these standards.
