The purpose of this Policy is to outline the acceptable use of Information Systems at all University of Oklahoma campuses. University of Oklahoma campuses include the University of Oklahoma-Norman, the OU Health Science Center, and the University of Oklahoma-Tulsa. These rules are in place to protect each campus’ information against loss or theft, unauthorized access, disclosure, copying, use, modification, or destruction (each an “Information Security Incident”). Information Security Incidents
This policy aims to define rules and requirements for connecting to the OU network from any host. These rules and requirements are designed to minimize the potential exposure to OU from damages resulting from unauthorized use of OU resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical OU internal systems, and fines or other financial liabilities incurred because of those losses.
The Identity and Access Management Policy defines the information security requirements for the identity and access management processes relevant to university data or systems.
This Privileged Access Management Policy defines the criteria for privileged account management.
The purpose of this policy is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management.
The University of Oklahoma (OU) recognizes that Institutional Data is an asset and critically important to effectively supporting OU’s mission. The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. The university has an obligation to protect the integrity and quality of institutional data, privacy of data subjects, and security of institutional d
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA). This policy establishes a university-wide CUI Program and authorizes the Category D1 Confidential Research and Publications Information Protection Standard to define the handling, marking, protecting, sharing, destroying, and dec
The Cybersecurity Policy defines the minimum controls and safeguards to be implemented for all information technology assets, applications, hardware systems, and network resources owned or managed by OU staff or faculty.
The purpose of this procedure is to provide guidance on how to properly configure, install, and maintain a firewall.
This standard defines the minimum data protection practices for Category A - Healthcare data.
This standard defines the minimum data protection practices for Category B - Payment Card or Credit Card data.
This standard defines the minimum data protection practices for Category C - Student data.
This standard defines the minimum data protection practices for Category D1 - Controlled Unclassified Information (CUI).
This standard defines the minimum data protection practices for Category D2 - Research data.
This standard defines the minimum data protection practices for Category E - University Administrative and Financial data.
This standard defines the minimum data protection practices for Category F - Public data.
The purpose of this standard is to define the procedures and standards for identifying, assessing, and prioritizing IT risk.
The System Logging Standard outlines the minimum processes or configurations that must be in place to ensure access and activity are recorded and reviewed to maintain compliance with the System Logging Policy.
The purpose of this standard is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management.