The main purpose of defining Minimum Security Standard is to assist IT resource users and owners in determining the right level of protection. These standards also serve as checklists for periodic compliance monitor at the unit level. Currently, Minimum Security Standard is defined for the following IT Resources:

• Endpoints
• Servers
• Application Systems
• Cloud applications running as Software as a Service (SaaS)

For the proper protection of individuals, units and the University, the Minimum Security Standard is mandatory for all University members. It should also be noted that users handling sensitive data should follow the Acceptable Practices for Handling High Risk Data. In order to comply with the University’s Personal Data Privacy Policy.

Cyber security is a broad topic and a set of more comprehensive guidelines in terms of recommended practices in different areas can be referenced as in need. Currently, the following recommended practices are defined:

• Recommended Practices for Access Control
• Recommended Practices for Sites and Physical Security
• Application Development Guidelines

It should be noted that some of these recommended practices can become mandatory requirement depending on the risk classification of the particular use case, as defined in the Minimum Security Standard.