Security Standards

What is a Standard?

The traditional definition of a standard is a basis for comparison: a reference point against which other things can be evaluated. In information security, a standard is a document based on a governance area that is more specific than a policy and typically high level. A standard is specific but not detailed; the detailed aspect of governance is typically called a guideline or a procedure. At ASU, we define a standard as any document that sets the bare minimum of requirements to be met. Note that a standard is not a step-by-step manual on how to complete a task. Documents below will open in PDF format.

The Access to University Technology Resources Standard documents the process of granting and revoking access to ASU’s technology resources and services.

The Anti-Malware Standard is designed to meet security requirements regarding protection of ASU against malware on devices and servers.

The Courtesy Affiliate Standard documents the process of granting and administering Courtesy Affiliates of ASU with an appropriate ASURITE User ID and the process used to grant Courtesy Affiliates’ access to ASU’s computing, Internet, and communications resources.

ASU's Information Security Policy requires controls to manage risks to the confidentiality, availability and integrity of University information. The Data Handling Standard defines the controls required for handling all University managed information in any form. These required controls represent a minimum standard for protection of University information. Additional controls required under applicable laws, regulations or standards governing specific forms of data (e.g. health information, credit cardholder data) may also apply. The goals of this document are to (1) identify classifications of information handled at the University, and (2) define requirements for handling Sensitive and/or Highly Sensitive Data. 

Enterprise System Change Management Standard establishes the standard for Information Technology (IT) change management across the Arizona State University (ASU) IT environment. The goal of the Enterprise System Change Management Standard is to establish uniform guidance and prescribe a framework for managing change within the ASU IT environment.

The Incident Response Standard outlines the workflow, roles and responsibilities, and escalation provisions with respect to identifying and handling information security incidents at Arizona State University. A correct, complete, and consistent response is essential to ensure the protection of critical information and systems as well as University compliance with applicable laws, rules, and regulations. 

The Incident Response Summary is a quick reference guide for incident response. It is meant to be an aid to assist during an incident response.

The ASU Technology Employee Code of Ethics standard establishes criteria in order to create a culture that fosters trust and a commitment to responsibility, excellence, and institutional and personal integrity.

Peer to Peer File Sharing Standard/Copyright Infringement Standard describes acceptable and prohibited uses of P2P software and protocols on ASU's network, University sanctions for prohibited uses, and responsibilities for compliance.

The Password Standard governs the methods and requirements for changing online or digital identification (ID) account passwords in order to ensure appropriate security measures and provides a reasonable method to change passwords.

Patch Management Standard covers reasonable patch management for systems, software, and Devices required to maintain the security and integrity of the ASU network.

The Privileged Accounts Standard establishes acceptable practices that support ACD125 as it applies to system administrator accounts.

Secure Development Life Cycle (SDLC) is essential to implementing and integrating a comprehensive strategy for managing risk for all information assets at ASU. Information security requirements must be integrated into new application and systems development from their inception and throughout the development lifecycle.

Secure Web Development Standard establishes guidelines and standards for the preservation of the confidentiality, integrity and availability of ASU information resources associated with web sites. Additionally, this minimum standard provides for the integrity of institutional processes and records, and supports ASU's compliance with state and federal laws, rules and regulations.

Server Security Standard covers the base configuration of Server equipment that provides services to ASU or its constituents. Effective implementation of this standard will minimize unauthorized access to ASU’s computing, internet and communication resources.

This document establishes minimal standards for ASU’s system audit requirements.

The IT Risk Assessment Standard outlines our approach for identifying and analyzing risk areas and taking corrective action in an effort to provide the most strategic, available, and secure IT environment possible.

The Web Application Security Standard establishes the frameworks for maintaining appropriate security of ASU Web applications by establishing appropriate security testing and threat modeling requirements based on Web application criticality.