Information System Standards 2.0

The Information Security Standards represent the minimum expectation for a server or service at the University when no other specific data regulations (such as HIPAA, NIST 800-171, etc.) are applicable. These standards are referenced by the University’s Information Security Policy. According to this policy, the Program is required to implement information security controls as set forth in the University of Chicago Information Security Standard.

Aligning with NIST 800-171 provides an opportunity to adopt reusable and broadly supported security practices. NIST 800-171 was originally developed to safeguard Controlled Unclassified Information (CUI)—which includes any data received from a federal agency, regardless of sensitivity. Furthermore, this standard underpins other frameworks such as GLBA and CMMC.

During the revision process, the University included any NIST 800-171r3 control that had a clear counterpart in ISS 1.0. The Department of Defense’s CMMC, which is an implementation of 800-171, requires 17 specific controls for CMMC 1 qualification; these 17 controls were also incorporated into the new standards

The standards are used as a benchmark whenever a University user wishes to determine if their infrastructure is “secure.” They are also referenced when an attestation from the Office of the CISO is required for a system in the absence of more specific standards (such as HIPAA, 800-53, etc.). Additionally, when funders, auditors, insurers, or University leadership request confirmation that servers adhere to a recognized standard, the ISS are invoked.

Faculty members may be required to provide official attestation regarding the security of their infrastructure, especially if mandated by contracts or data use agreements. In such instances—when no explicit standard is specified—the ISS will be used as the foundation for attestation. Producing such attestations is a collaborative process involving the faculty member, their staff, the unit IT team, and Information Assurance.

If a system is unable to meet the standards for legitimate business reasons, it may be eligible for an exception through the IT exception process by taking the appropriate mitigating actions. Such exceptions are subject to annual review.

Anyone tasked with this review should make a copy of the detailed appendix to the standards and fill out key columns as instructed by itrisk@uchicago.edu It is advisable to contact itrisk@uchicago.edubefore filling out the appendix to avoid extra work.

Not all standards are solely an individual’s responsibility. The standards may fall under:

• University Standard: Where the University sets an explicit expectation.

• University Tool Available: Where the University provides a tool to help fulfill the requirement.

• System Owner Responsibility: Where, due to the variability of systems, the University does not prescribe a specific approach or tool, and the system owner must document extenuating circumstances and propose sufficient alternatives if the standard cannot be implemented.

The system owner should consult the University’s definition of restricted data to determine whether this applies to their system.

When the documentation prompts for variable values (e.g., “[Assignment: frequency]”), the system owner must specify how the system addresses the requirement, providing relevant examples. In some cases, the University specifies certain values (for instance, the Web Properties Management Standards mandate server patching within a set timeframe). Absent a specific value, the most appropriate answer is typically the shortest period of time that end users can comfortably tolerate, and the IT Risk team can help evaluate these selections.