The University of Texas at Austin- What Starts Here Changes the World
FAC 248, G9800
P.O. Box 7407
Austin, TX 78713
Phone: 512/232-9610
Fax: 512/232-9607

Change Log: Information Resources Use and Security Policy

This document lists significant changes that have been made to the Information Resources Use and Security Policy.

Date

Change description

Original text

8/29/2008

Document republished in new HTML format.

Removed compliance dates from sections 8 and 22 as those requirements have been met.

In section 5, moved information on auditing the backup and recovery plans to sections 5.1 and 5.2 respectively.

Updated all references to the university to conform to the university Style Guide.

Old format was PDF. To receive copies of the archived PDF format, please contact the Information Security Office.

11/10/2007

New version published to comply with UTS-165. Major changes in this version are:
  • Title changed from IT Security Operations Manual to Information Resources Use and Security Policy to better align with U. T. System UTS-165, which consolidated BPM-53, BPM-66, and BPM-75. The structure of the document has also been changed to better track with UTS-165.
  • Planned to be added to Handbook of Operating Procedures.
  • Added roles and responsibilities for university IT resources (Sec 1).
  • Formalized data classification requirements (Sec 8).
  • Added Risk Management section (Sec 9).
  • Added Management of Sensitive Data (Sec 11).
  • Extended specific network responsibilities (e.g., cabling, wireless signaling) to ITS Networking group to ensure operational availability and compatibility.
  • Added specific training requirements for all IT support staff (Sec 20).
To receive copies of the archived IT Security Operations Manual, please contact the Information Security Office.

4/5/2007

Added links to newly published, approved supplemental standards and guidelines:
  • Section 23: Minimum Security Standards for Application Development and Administration.
  • Section 26: Minimum Security Standards for Data Stewardship.
Previously noted that documents were forthcoming.

4/5/2007

Fixed typo in section 26, #4.

"Ensure appropriate backup and retention of that data."

"Ensure appropriate backup and retention of that data, and"

3/28/2007

Changed references from "ITS Telecommunications and Networking" to "ITS Networking."

Changed reference in section 6 from "Data Classification Guidelines" to "Data Classification Standard" to reflect correct document title.

Corrected typo in section 12.3.

"ITS Telecommunications and Networking."

"Data Classification Guidelines"

"Tthe University"...

11/20/2006

Changed references from "Data Classification Guidelines" to "Data Classification Standard" to reflect correct document title.

"Data Classification Guidelines"

10/20/2006

Numbered individual standards within each category for easier reference.

New.

10/20/2006

Section 12.5, replaced "Information Technology Services" with "Information Security Office."

"All confidential, personally identifiable, protected health information, certain financial data, or certain student data transmitted over any network must be encrypted in accordance with Data Classification Guidelines published by Information Technology Services."

10/20/2006

Section 14, replaced "ITS" with "Information Security Office."

To ensure compatibility with The University of Texas at Austin network, all computers, PDAs and office productivity software purchased by The University of Texas at Austin should adhere to system standards endorsed by ITS.

10/20/2006

Section 15.3, moved bullet 3 to follow the bulleted list.

"All registered hosts attached to the university network may be scanned by the Information Security Office for potential vulnerabilities." incorrectly appeared within bulleted list.

10/20/2006

Corrected an indentation problem in Section 16.

Last 5 bullets incorrectly nested under main bullet 2.

10/20/2006

Corrected a typo in Section 16.

"Be at least between 6 characters in length."

10/20/2006

Section 18, replaced "Information Technology Services" with "Information Security Office."

"All remote users must comply with the Minimum Security Standards for Systems as published by Information Technology Services."

10/20/2006

In Section 19.6, removed "ITS" from sentence.

"Any security issues discovered will be reported to the ITS Information Security Office and appropriate executive officials (see Section 25)."

10/20/2006

Section 20, replaced "Information Technology Services" with "Information Security Office" where appropriate. Removed "(training to be arranged by Information Technology Services)." Security awareness training has been developed by the Information Security Office and is now available through the Compliance Office.

"Recurring security awareness training for all faculty and staff will be offered annually (training to be arranged by Information Technology Services)."

10/20/2006

In Section 20.7, removed "ITS" from sentence.

"The ITS Information Security Office is responsible for communicating new issues or vulnerabilities to vendors as needed, and for working with the vendors to eliminate or mitigate the vulnerabilities."

10/20/2006

Changed the title of Section 23 to "Secure Development and Administration."

"Enterprise Development and Deployment."

10/20/2006

Section 24, reworded subsections 4.a, 4.e, and 4.f for clarity.

  • The University of Texas at Austin information the vendor may access.
  • The University of Texas at Austin, or respective department, right to audit and otherwise verify the security of university information and other resources in the possession of or being managed by the vendor and the university’s right to investigate any security breaches involving these resources.
  • The University of Texas at Austin, or respective department, right to require background checks for vendors working with security sensitive university information.

10/20/2006

Corrected typo in section 25.3.

"If it is determined that a misuse violation has occurred by a student, faculty, or staff member, this should be brought to the attention of the Information Security Office. The Information Security Office with consult with either the Human Resource Services or Student Judicial Services, as needed, and in the case of criminal violations, the University Police Department."

10/20/2006

Added Section 26, "Sensitive Data Classification."

New.

7/11/2006

Changed title to "IT Security Operations Manual" in this and all documents referencing the title.

"Information Technology Resources Security Operations Manual."

7/11/2006

Rearranged Change Log to list most recent changes first.

New

5/2/2006

Sec. 18: Added link to Minimum Security Standards for Systems.

"All remote users must comply with the Minimum Security Standards for Desktop and Portable Computing as published by Information Technology Services (forthcoming)."

3/13/2006

Changed reference from System Hardening Procedure to "Minimum Security Standards for Systems."

"System Hardening Procedure"

2/20/2006

Added link to Security Exception Request form.

"(forthcoming)"

1/20/2006

Removed inline glossary and referred to ISO Technical and Security Glossary and Usage Guide.

Various corrections to language errors, acronym use, and references.

Added "Last reviewed" and "Last updated" dates.

Added links to newly published supporting documents.

None.

12/13/2005

Sec. 25: Added "Issues of departmental non-compliance may be reported to the respective executive management, the Office of Internal Audit, or the Office of the President."

None.

12/13/2005

Sec. 7, paragraph 1: Added "The following change management procedures are required in proportion to the respective data classification category, the availability requirements of the data, and the impact of the change on the user community:"

"The following change management procedures are required:"

10/31/2005

Sec. 5: Corrected form name to "Security Sensitive" form, per ISO office.

"Position of Special Trust form."


  Updated March 09 2011
  Copyright © 2007-2013, Chief Information Officer. All rights reserved.