2.1 Information Security Standards
All users must use the University’s Information Technology Resources responsibly and in accordance with applicable laws, regulations, and policies. The use of these resources must align with assigned roles and be in accordance with the capacity and purpose of the resource.
USU maintains security policies, standards, procedures, and best practices to protect Institutional Information and University Systems. These resources are available at https://infosec.usu.edu and are regularly updated to address evolving security threats, compliance requirements, and industry best practices. Users should refer to this repository for required procedures and guidance on implementing security controls, understanding legal obligations, and managing risks effectively.
USU is committed to compliance with all applicable local, state, federal, and international regulations, including but not limited to FERPA, HIPAA, GDPR, GLBA, the Utah Governmental Data Privacy Act (GDPA), the Utah Protection of Personal Information Act, and the Government Records Access and Management Act (GRAMA), as well as internal university policies and procedures governing information security and privacy. Adherence to these requirements is critical to protecting university data, ensuring research integrity, and maintaining operational security. Additional compliance resources are available on the Information Security website.
Why
Utah State University (USU) relies on Information Technology Resources and Institutional Information to support academic, research, and administrative functions. Ensuring the responsible and ethical use of these resources is critical to safeguarding sensitive data, maintaining compliance with regulatory requirements, and preserving the university’s operational integrity. Unauthorized or inappropriate use of IT resources can lead to security breaches, data loss, reputational harm, and legal consequences. This policy establishes a framework that aligns resource usage with assigned roles, compliance obligations, and security best practices, ensuring that all users understand their responsibilities in protecting university data and systems.
USU must also stay aligned with an evolving regulatory landscape, including FERPA, HIPAA, GDPR, GLBA, the Utah Governmental Data Privacy Act (GDPA), PCI DSS, and the Utah Protection of Personal Information Act. Compliance with these regulations ensures that student, faculty, and institutional data remain protected from misuse, unauthorized access, and security threats.
How
We are adopting the NIST Cybersecurity Framework (NIST CSF) as the primary foundation for the development and continuous improvement of our Security Program. The NIST CSF provides a comprehensive structure that helps us assess and enhance our cybersecurity risk management practices across five key functions: Identify, Protect, Detect, Respond, and Recover. By utilizing the NIST CSF, we ensure our approach is flexible, scalable, and aligned with organizational objectives while meeting industry standards and regulatory requirements. This framework serves as the basis for our strategic decision-making and guides the prioritization of our security initiatives.
Additionally, we leverage the Center for Internet Security (CIS) Controls to implement a more granular, action-oriented approach, as mandated by the USHE R345 Policy. The CIS Controls offer a prioritized set of cybersecurity best practices that help us address the most prevalent and impactful threats. These controls enable us to operationalize the NIST CSF effectively, providing detailed steps to safeguard systems, networks, and data. By aligning CIS Controls with the broader NIST framework, we ensure a consistent and comprehensive approach to managing and mitigating risk.
Our Security Program will continue to incorporate components of other frameworks, such as the Cybersecurity Maturity Model Certification (CMMC) version 2, as necessary to meet compliance and business requirements. This adaptive approach allows us to meet regulatory obligations, align with evolving standards, and adopt best practices as they emerge, ensuring a holistic and forward-looking security strategy.
Utah State University is committed to maintaining a security program that not only aligns with industry best practices but also meets all legal, regulatory, and contractual obligations. Compliance is a foundational component of our security strategy, ensuring that university data, research, and critical systems are protected from legal risk, security threats, and operational disruptions. By adhering to established laws and policies, we safeguard the privacy of students, faculty, and staff while maintaining the trust of our academic and research partners.
USU complies with the following regulations and standards, among others.