Explainer: IT Resources and Information System Security and Vulnerability Management Rule (4-004G)
The University of Utah’s IT Resource and Information System Security and Vulnerability Management Rule (4-004G) supports the Information Security Policy (4-004). The U’s IT security policy, rules, and procedures aim to protect the university’s IT resources, systems, and data, including that of students, patients, faculty, staff, guests, vendors, and others.
What does it say?
Rule 4-004G focuses on detecting and remediating IT security vulnerabilities and ensuring that the U’s IT resources and information systems are available for authorized use. An IT security vulnerability is a weakness that could be used to endanger or cause harm to an asset, such as the university’s data and devices.
A few key items from the rule include:
- Users may not install or use unauthorized software on university-owned devices.
- Anti-malware and other IT security tools must be installed on U-owned devices and configured to scan those devices and update themselves automatically.
- IT staff must follow specific vulnerability and patch management procedures.
- The university must prevent unauthorized access to its IT systems and resources using a secure login procedure that includes verifying user credentials, limiting unsuccessful login attempts, and automatically locking devices or logging out users after a period of inactivity.
Why should I care?
The rule protects university IT systems and resources from myriad threats, such as ransomware, that could interrupt service or compromise the university’s IT security.
A service interruption could affect instruction, patient care, research, and other university activities.
If cybercriminals gain access to the university’s IT systems and resources, they could potentially steal confidential information and deploy ransomware. IT security breaches can also harm the U’s finances and reputation, and the privacy of U students, patients, faculty, and staff.
Who does it apply to?
The rule applies to all university students, faculty, staff, patients, and business partners, although the university and its IT staff are primarily responsible for compliance. Additionally, 4-004G applies to all devices, regardless of ownership, that are used to transmit, store, or process university data.
Up next in the April Node 4 newsletter — Remote Access Rule (4-004H)
Node 4
Our monthly newsletter includes news from UIT and other campus/University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.