Policy & Standards

It is your responsibility to become familiar with UT Arlington policy, procedures, and standards, especially any that are specific to your job duties. Ignorance of policy does not excuse any behaviors or actions that are outside the scope of these established standards. University policies are published on the UTA Policies and Procedures website at  https://policy.uta.edu/.  Policies and Standards dealing with Information Security are listed below.  Please contact the UT Arlington Information Security Office if you have any questions regarding information security policy or standards. 817.272.5487 security@uta.edu

Summary of Recent Changes

• Prohibited Technologies Security Policy
  • See this new state required policy published below under the UTA heading for information security policies.
• Information Security Risk Management Program Standard
  • Information Resource Owners are responsible for ensuring that resources receive all required risk assessments and mitigations are implemented in accordance with relevant risk treatment plans. Mission critical systems and systems containing confidential information must be assessed annually. To request a risk assessment for an application, visit https://go.uta.edu/isoappassessment.
  • Information Resource Custodians are responsible for implementing and maintaining Information Resource required security controls.
• Information Security Procedures for Procurement of Software and Cloud-Based Services - This procedure has been combined from both the Software and Cloud-Based Procurement and Services Guidelines, which have been retired.
• Minimum Server Security and Hardening Standards (this replaces the IT-PO1 Server Management Policy)
  • Server Custodians (administrators) are responsible for ensuring compliance with applicable standards. (This includes Custodians of servers in decentralized areas, outside of OIT’s control.)
  • Server Custodians must also have a license to the ticketing system as part of following documented procedures. 
  • All existing and new servers must be registered with OIT. The Decentralized Resource Registration Request form is available in ServiceNow. This must be performed to adhere to state regulations and to remediate audit findings. 
  • Any server that does not meet the minimum security requirements outlined in the standard may be removed from UTA’s network.
• Data Classification Examples - examples of data types that are considered confidential or controlled are periodically updated.  Please check back often to review and ensure you are using the proper controls based on the types of data you are handling.
• Network Security Standards
  • OIT is responsible for deploying and managing network equipment, internet domains related to UTA and network services.
  • Network traffic containing confidential or controlled data must be encrypted when transmitted over an unprotected or public network. SSL and older TLS versions are not approved for use.
  • OIT reserves the right to quarantine or disconnect any endpoints that pose unacceptable risk to the University.
• Remote Access – outlines the use of devices for working remotely. Users are strongly encouraged to use UTA-owned encrypted devices when accessing University resources. Any personally owned non-UTA device must meet minimum security standards.

UTA Policy and Standards

• Application Standards
• Approved Data Storage
• Configuration Guidelines
• Data Classification
  ↳Data Classification Standard
  ↳Data Classification Examples
• Incident handling
• Information Security Risk Management Program Standard
• Minimum Security Standards for Workstations
• Minimum Server Security and Hardening Standards
• Mobile Device Standards and Guidelines
• Network Security Standards
• Password Security
• Remote Access
• Secure Data Transfer
• Secure Media Destruction
• SSN Use
• Two Factor Authentication
• Vulnerability Management Standard

Procedures

• Information Security Procedures for Procruement of Software and Cloud-Based Services
• Information Security Risk Assessment Procedure
• Policy and Standards Exception Procedure

UTA

• Information Security & Acceptable Use Policy
• Prohibited Technologies Security Policy
• Server Management Policy - (Retired, see "Minimum Server Security and Hardening Standards" above)

UT System

• UT System Policy 165

Texas

• TAC-202
• Texas Business and Commerce Code 521: Identity Theft Enforcement and Protection Act
• Texas Government Code 559: State Government Privacy Policies

Federal

• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm Leach Bliley Act (GLBA)
• Digital Millennium Copyright Act (DMCA)
• Federal Copyright Laws (Title 17)