Cybersecurity Policies
A. Cybersecurity Policy (effective October 19, 2023)
B. Acceptable Use Policy (effective July 1, 2022)
C. Information Classification Policy (effective July 1, 2022)
D. Password Policy (effective October 4, 2022)
E. Privacy Policy (effective August 1, 2022)
Cybersecurity Standards
- Artificial Intelligence Standard (effective 30 May 2024)
- Email Security Standard (effective 31 January 2025)
- Digital Millennium Copyright Act Requirements (DMCA) (effective 30 May 2024)
- Training & Awareness Standard (effective 30 May 2024)
- Security Categorization Standard (effective 17 September 2024)
- Shared File Management Standard (effective 30 May 2024)
- Data Security Addendum (effective 30 May 2024)
- System Security Plan Template (effective 30 May 2024)
- Endpoint Management Standard (effective 8 April 2025)
- Internet of Things Usage Standard (effective 30 May 2024)
- Mobile Device Security Standard (effective 30 May 2024)
- Vulnerability and Patch Management Standard (effective 3 April 2025)
- IT Inventory Standard (effective 17 December 2024)
- Access Management Standard (effective 30 May 2024)
- Account Management Standard (effective 10 January 2025)
- Access to Password Protected Information Standard (effective 30 May 2024)
- Privileged Access Management Standard (effective 30 May 2024)
- Remote Access Security Standard (effective 30 May 2024)
- Sponsored Accounts Standard (effective 30 May 2024)
- Network Security and Management Standard (effective 30 May 2024)
- Privately Managed Network Standard (effective 30 May 2024)
- Physical and Camera Security Standard (effective 30 May 2024)
- Lab Security Standard (effective 17 December 2024)
- Recommendations for Handling University System Owned IT Equipment During a Leave of Absence (effective 6 March 2025)
- Exception Standard (effective 30 May 2024)
- Incident Response Standard (effective 30 May 2024)
- Risk Acceptance Standard (effective 30 May 2024)
- Risk Management Standard (effective 16 April 2025)
- Configuration Management Standard (effective 30 May 2024)
- Security Monitoring and Log Management Standard (effective 30 May 2024)
- Third-Party Information Security Standard (effective 30 May 2024)
- Written Information Security Program (effective 10 September 2024)
Standards
In Force:
- Cybersecurity Exception Standard (effective 15 FEB 2021)
- Cybersecurity Risk Management Standard (effective 15 FEB 2021)
- Cybersecurity Risk Acceptance Standard (effective 15 FEB 2021)
- Security Categorization Standard (effective 15 FEB 2021)
- Endpoint Management Standard (effective 10 AUG 2021)
- Access Management Standard (effective 19 AUG 2021)
- Cybersecurity Awareness & Training Standard (effective 19 AUG 2021)
- Privately Managed Network Standard (effective 19 AUG 2021)
- Vendor Cloud Service Security Standard (effective 19 AUG 2021)
- Access to Password Protected Information Standard (effective 6 JAN 2022)
- Digital Millennium Copyright Act Standard (DMCA) (effective 29 JAN 2022)
- Network Security and Management Standard (effective 29 JAN 2022)
- Sponsored Accounts Standard (effective 10 FEB 2022)
ET&S Policy & Standard Initiative
Technology/Cybersecurity Policies & Standards
Provide Feedback on Proposed Policies
Sign-up to Receive Policy & Standard Initiative Updates via Email
- Endpoint Management Standard (effective 6 AUG 2021)
- Cybersecurity Awareness and Training (effective 6 AUG 2021)
- Vendor Cloud Service Security (effective 6 AUG 2021)
- Privately Managed Network (effective 6 AUG 2021)
- Access Management (effective 6 AUG 2021)
Policies
In Force:
- Use of Technological Resources Policy
- Password Policy (effective 20 JAN 2020)
- Privacy Policy (effective AUG 2018)
Proposed
Targeted effective date 01 MAY 2021
- Acceptable Use Policy
- Cybersecurity Policy
- Information Classification Policy
Feedback on or questions about these Proposed Policies can be submitted .
Standards
In Force
- Cybersecurity Exception Standard (effective 15 FEB 2021)
- Cybersecurity Risk Management Standard (effective 15 FEB 2021)
- Cybersecurity Risk Acceptance Standard (effective 15 FEB 2021)
- Security Categorization Standard (effective 15 FEB 2021)
Proposed
Targeted effective date 01 MAY 2021
- Access Management Standard
- Cybersecurity Awareness & Training Standard
- Identity Management Standard
- Privately Managed Network Standard
- Privileged Access Management Standard
- Vendor Cloud Service Security Standard
Feedback on or questions about these Proposed Standards can be submitted .
Planned
Phase 1 Remaining Standards, targeted to become effective 01 May 2021, will be available for review by early March 2021
- Access to Password Protected Information Standard
- Public and Sensitive Information Handling Standard
- Protected Information Handling Standard
- Restricted Information Handling Standard
- Confidential Information Handling Standard
- Endpoint Management Standard
Phase 2 Standards, targeted to become effective late summer/early fall 2021
- Account Management Standard
- Institutional Email Security and Use Standard
- Network Security and Management Standard
- Server Security and Management Standard
- Sponsored/Guest Access Management Standard
Phase 3+ Standards, planned for late 2021 and 2022
- Application Administration Standard
- Contingency Planning Standard
- Cybersecurity Roles and Responsibilities Standard
- Data Breach Notification Standard
- Data Center Facility Security, Access, and Use Standard
- Data Administration and Management Standard
- Information Technology Resource Secure Disposal Standard
- Information Technology Inventory Management Standard
- Non-Primary Identity Management Standard
- Password Management Standard
- Personnel Security Standard
- Physical Information Technology Asset Access and Management Standard
- Remote Access and VPN Standard
- Security Assessment and Testing Standard
- Security Configuration Management Standard
- Security Logging and Monitoring Standard
- Shared File Storage Standard
- System Acquisition, Development, and Maintenance Lifecycle Standard
- Vulnerability and Patch Management Standard
- Wireless Network Security and Management Standard
Contact Information
The form can be used to ask questions or raise concerns about any of the published Standards.
You can also contact the Cybersecurity GRC team at Cybersecurity.GRC@usnh.edu. However, unless specifically noted as being open for Public Comment, Standards published to this site are final, approved versions provided to allow administrative, academic, and business units an opportunity to review prior to their effective date and, if needed, request exceptions.
All other requests can be submitted here:
Failure to comply with the Cybersecurity Standards puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be proportionally appropriate for the individual responsible for noncompliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies). Non-compliant technology and/or activities may be mitigated as deemed necessary by the CISO and/or CIO. Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.
The University System has established comprehensive cybersecurity policies, standards, guidelines, and procedures to protect university data and technology resources. While exceptions to these policies or standards can weaken the protection of University System Information Technology Resources, exceptions are necessary in some instances. Requests for exceptions to any of the Cybersecurity Standards may be submitted and approved according to the requirements provided in the Cybersecurity Exception Standard. More information regarding exceptions can be found. You can review the Cybersecurity Exception Standard from the link above and fill out a Cybersecurity Exception Request Form.
Glossary
For terms and definitions, please refer to the