Information security policies underpin the security and well being of information resources. They are the foundation, the bottom line, of information security within any institution. The Information Security policies are formal statements that specify a set of rules that all users must follow when gaining access to UC’s information and information systems.

Policies are high-level management directives, and they are mandatory. A policy has four parts: purpose, scope, responsibilities, and compliance. The purpose will describe the need for that policy. The scope will describe what systems, people, facilities, and organizations are covered by the policy. The responsibilities are those of the information security staff, policy and management teams, and of the whole organization. In order to be in compliance, a policy will be judged on how effective it is and what happens when it is violated.

The University of Cincinnati Information Security Policy and Compliance Framework allows for a formal process to develop and review policies that support the confidentiality, integrity, availability, and accountability of university data and critical technology resources.




Approved Policies

 Policy  Number  Policy Name Link


Policy 9.1.1 Data Governance & Classification Policy
(Formerly known as the Data Protection Policy)
Data Classification and Data Types
Minimum Safeguards
Roles and Responsibilities
Compliance and Remediation
Cloud Based File Storage
Data Classification Examples


Policy 9.1.2 Vulnerable Electronic Systems Policy PDF Approved
Policy 9.1.3
Acceptable Use of Information Technology Policy PDF
Policy 9.1.4 Electronic Mail Policy
Electronic Mail Partners


Policy 9.1.6 Risk Acceptance Policy
Risk Acceptance Form
PDF Approved
Policy 9.1.7 Clean Desk Policy PDF  Approved
Policy 9.1.23 Password Policy PDF Approved
Policy 9.1.25 Data Center Visitor Policy PDF Approved
Policy 9.1.27 Information Security Review Policy
Data Security Rider
Information Security Review Form
Information Security Review Process   
PDF Approved
Policy 9.2.1 Electronic and Information Technology (EIT) Accessibility Policy
PDF Approved

Draft Policies in the Governance Process   

These policies are currently in the draft stage and should be used for reference only.

They are currently going through the Governance approval process.

 Policy  Number  Policy Name Link Status
Policy Infrastructure, Platform, and Software as a Service Policy PDF Draft
Policy Information Security Incident Management & Response Policy
Information Security Incident Response Procedure
Information Security Incident Escalation Guideline
PDF Draft
Policy Privileged Access Policy PDF Draft


Other UC Policies


To view PDF files, you will need Adobe Acrobat Reader, a free download.