
Multi-Factor Authentication (MFA) Policy

Title: Multi-Factor Authentication (MFA) Policy
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All Workforce Members, Students
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu/

PURPOSE

To help prevent unauthorized access to University information systems.

DEFINITIONS

Hardware Token: A small hardware device that serves as a second authentication mechanism either in place of or in addition to an MFA mobile app.

University Information System: Devices and/or components managed or contracted by the University for collecting, storing, and processing data and for providing information, knowledge, and/or digital products. For purposes of this policy, information technology devices and components managed exclusively by UConn Health are not considered University Information Systems.

Multi-Factor Authentication (MFA): MFA is a method of system access control in which a user is granted access only after successfully providing at least two pieces of authentication, usually including knowledge (something the user knows such as a password), possession (something the user has such as a token generator), or inherence (something the user is such as the use of biometrics).

POLICY STATEMENT

Users of University Information Systems must adhere to Multi-Factor Authentication (MFA) requirements, where available, to ensure authorized access to University Information Systems and protected or confidential data.

University Information Systems must include effective MFA protections for authentication unless granted an exception from this policy by the Information Security Office (ISO). The Information Security Office (ISO) may mandate implementation of MFA for any University Information System.

The Information Security Office is authorized to publish and maintain any necessary standards, procedures, and guidelines to effectuate and enforce this policy.

MULTI-FACTOR AUTHENTICATION PROCEDURES

User Requirements

  1. Users must maintain a device that can receive MFA authentication requests in a secure manner via a University approved mobile app or another mechanism, such as SMS, phone, or Hardware Token.
  2. When an attempt is made to access an MFA-protected system or application, the system will challenge the user by requesting a second factor of authentication, which may include an acknowledgement of a push notification via a University approved MFA mobile app, a code via SMS, or a Hardware Token.
  3. If users receive an MFA notification when they have not recently attempted to authenticate, the authentication shall be denied and immediately reported to the Technology Support Center. Users shall update their NetID password, or the credential associated with the authentication, if they reasonably believe their password is compromised.
  4. Users may not approve MFA requests for another user’s account or register a device for MFA which is not within their individual control.

Frequency or Type of User Challenges

The frequency with which a user may be challenged, or the type of challenge, depends on both policy and usage.

  • Policy based – depending on information being accessed, more frequent authentications may be required.
  • Usage based – While user challenges may be “remembered” for a period of time, use of other hardware, browsers, or other behaviors may trigger additional verification using a second factor.

Lost or Stolen Devices

If a user’s registered multi-factor device is lost, stolen, or the user has reason to suspect their UConn NetID has been compromised, the user must contact the Technology Support Center immediately. As a precaution, they should change their NetID password at netid.uconn.edu.

Off-Hours and Emergency Access to Systems and Applications

UConn Information Technology Services will maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Technology Support Center for additional information.

Use of Automated Systems

Automated systems that intend to interfere with the approval component of multi-factor authentication are hereby prohibited.

ENFORCEMENT

Users may not attempt to circumvent login procedures, including multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject individuals to disciplinary action. Financial losses incurred due to the use of multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy.

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

EXCEPTIONS

ITS will review and document any requests for exceptions to this standard. ITS will also have available solutions for the intermittent failure of various second factors, which may include the allowance of temporary access codes upon verification of an individual’s identity.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: March 29, 2023 (Approved by Senior Policy Council)

Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)

Endpoint Device Security Policy, Information Technology

Title: Endpoint Device Security Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All faculty, staff, student employees, affiliates, and volunteers
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

BACKGROUND

Endpoints are important tools for the University, and their use is supported to advance the mission of the university. Endpoints also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, endpoints can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems.

PURPOSE

To ensure data and information systems security by establishing requirements for endpoint devices.

APPLIES TO

This policy applies to all University faculty, staff, student employees, and volunteers who use endpoint devices to access any non-public IT resources owned or managed by the University.

DEFINITIONS

IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution.

Endpoint: Physical device that connects to and exchanges information with a computer or telecommunications network, often acting as the interface between a human user and the network, including but not limited to, desktops, laptops, tablet computers, and smartphones. Endpoints do not host services for other endpoints.

Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies.

POLICY STATEMENT

University of Connecticut faculty, staff, student employees, affiliates, and volunteers who use endpoints, whether University-owned, externally owned, or personally owned, are responsible for any institutional data that is stored, processed, and/or transmitted via an endpoint, mobile, or remote device and for following the security requirements set forth in this policy.

To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements:

Endpoint Security Requirements

  • Configure the device to require a password meeting the requirements set forth in the University Password Standard (https://security.uconn.edu/password-standards/), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 15 minutes of idle time.
  • Keep devices on currently supported versions of the operating system and remain current with all published operating system and software patches.
  • Enable and appropriately secure the device’s remote wipe feature to permit a lost or stolen device to be securely erased.
  • Securely store the device when not in use to minimize loss via theft or accidental misplacement.
  • Ensure internal hardware and external peripherals, including but not limited to USB devices, external storage, scanners, input devices, and displays, are manufacturer supported and compatible with the installed operating systems and other installed software.
  • Except when it is being actively used, confidential information on endpoint devices must be encrypted through a mechanism approved by the University. Whole drive or whole device encryption may be deployed to meet this requirement.
  • Endpoints must have software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices. University owned endpoints must be enrolled in the university-supported endpoint detection and response (EDR) platform.
  • University owned endpoints must have Mobile Device Management software installed and enabled to facilitate device protection, including remote wipe and, if possible, device location technology for recovery. Personal devices should be configured to enable these features where possible.

Wherever practical, elements of these requirements will be enforced via centrally administered technology controls. University owned devices that are unable to meet these requirements must go through a security assessment prior to their use.

STORAGE OF CONFIDENTIAL DATA

In general, Confidential Data should not be stored on endpoints. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, Confidential Data must be stored ONLY on university-owned devices configured in compliance with this policy.

DEVICE DECOMMISSION OR SEPARATION FROM THE UNIVERSITY

When endpoints, including personally owned devices that may have had access to University resources or data, are no longer used and are sold, donated, given, placed in the control of, or otherwise transferred to anyone else, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems.

In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal endpoints, devices, or computers.

EXCEPTIONS

In certain instances, there may be a justifiable business need to operate a device that is not in compliance with this policy. In these instances, users must work with the Information Security Office to request evaluation of an exception to this policy. Exceptions are reviewed on a case-by-case basis and are approved at the discretion of the Chief Information Security Officer based on justifiable business need and assessed risk. Exceptions must be reviewed and approved prior to implementation of any solution that does not fully comply with this policy.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.
Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

REFERENCES

Data Classification Policy

POLICY HISTORY

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)

System and Application Security Policy

Title: System and Application Security Policy
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: University Workforce Members
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

To ensure the security of university data and systems by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents.

APPLIES TO

This policy applies to all workforce members responsible for operating or overseeing any University system or application, whether on premise or in the cloud.

DEFINITIONS

Academic / Research System: A system whose primary responsibility relates to individual academic work or research.

Administrative System: Any system that is used in support of the operation of the university excluding individual Academic / Research Systems.

ISO: Information Security Office

ITS: Information Technology Services

IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems and who has assigned job duties in support of technology at the university. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.

Local Network: Network of computers and devices logically located on the same subnet.

Software as a Service (SaaS): Cloud-based service that is delivered via the web based on either a monthly or annual subscription.

Platform as a Service (PaaS): Cloud-based service that provides a platform allowing for the development of software using an established framework to improve development time and management of cloud services.

Personally Identifiable Information (PII): Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals.

System Owner: The individual – such as a faculty member, department head, manager, or other employee – who is responsible for the planning and operation of the service. All systems must have a designated system owner.

Vendor Risk Management (VRM): The process of identifying, assessing, and mitigating risks associated with third-party suppliers and service providers. It ensures that vendors meet security, compliance, and operational standards before and during their engagement with the University.

POLICY STATEMENT

The proper management, maintenance, and support of systems and applications is critical to protecting the data they store or process from a confidentiality, integrity, and availability perspective.

System Ownership

All systems, including cloud-based systems, supporting any aspect of the University must have an identified owner and responsible party for ensuring the implementation and operation of the controls specified in this policy.

All software and services used to process University information are subject to an Information Security review and sign off prior to their purchase or development. Information security reviews will evaluate specific risks and controls available and necessary based on the information being processed. The System Owner will be responsible for the deployment of the agreed upon security controls prior to enabling the production capability of the system or application. Maintaining security best practices is an ongoing and evolving responsibility; the System Owner shall implement additional security controls consistent with best practice, regulatory requirements, or as directed by the Information Security Office during the lifecycle of the system, server, software, or service.

System Access

Access to information in the possession of or under the control of the University must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved need for the information. Access to functionality shall be configured on the basis of least privilege and granted only where approved for a legitimate business purpose.

Systems and applications shall employ best practices for authentication and authorization. System Owners are responsible for maintaining documentation of their system access controls. The use of University Single Sign On (SSO) is required unless impractical or impossible.

Information may only be used for its intended purpose; other uses of University information without the approval of the data owner are prohibited.

System access shall be reviewed and altered (if applicable) as soon as possible when a relevant change in an individual’s status occurs, including but not limited to, change of role, transfer, promotion, termination, or separation.

When an individual requires continued access to an existing system following a change of status, any access that is no longer required must be removed.

Any shared/service accounts, encryption keys, or shared secrets that the individual had access to must have their passwords or private keys rotated following the status change unless the System Owner determines that continued access is required.

User Management

Information Technology Services (ITS) provides a centralized user identity and access management platform (IAM) that supports identity validation and access management using a NetID and password. UConn NetID provides for single sign on (SSO) across multiple systems. Systems and applications that rely on the University IAM platform to authenticate individuals may rely on UConn NetID for user management. System Owners are always responsible for assigning and managing roles within the system or application.

Owners of systems and applications that cannot use the central IAM solution shall develop a formal, written plan which, at minimum, defines or identifies the following:

  • The individual(s) responsible for creating, modifying, and deleting user accounts.
  • Process and responsibility for regularly reviewing system access. System access reviews must be performed when configured users separate from the University, and not less than annually.
  • Password/multi-factor authentication requirements and reset procedures. Multi-factor authentication is required for all systems.
  • Process for validating a person’s identity when password or multifactor reset or account changes are requested.

The authentication management plans and any plan revisions must be submitted to the Information Security Office for review and approval.

Software Maintenance

Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers and other individual productivity tools should be limited to the management of the system only.

Patching, Maintenance, and Vulnerability Management

System Owners must ensure the timely implementation of patches and required maintenance in accordance with the University’s vulnerability management standards and vendor provided guidance in order to provide for the confidentiality, integrity, and availability of the systems or data. Maintenance is considered required when the change is necessary to remediate a vulnerability, maintain the availability of a system, or align with updated industry best practices. The ongoing maintenance of systems and applications, including software and configuration maintenance, must be scheduled at least quarterly. This includes on-premises, vendor-hosted, and cloud-hosted applications. It is the UConn System Owner’s responsibility to ensure that systems under their control remain in compliance with this policy, even when the system is managed or hosted externally.

System and Application Lifecycle Management

System Owners are responsible for the planning of and budgeting for system maintenance and obsolescence. Any system or application that is no longer supported by the vendor or is replaced by newer technology should be decommissioned as soon as possible. The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes, etc.) that may have data. Cloud services that are decommissioned should ensure the proper handling of any data (return and/or destruction) in the cloud vendor’s possession as part of the contract cancellation.

Software as a Service (SaaS) / Platform as a Service (PaaS)

Patching and maintenance of cloud-based SaaS and PaaS systems is typically handled by the contracted vendor. System Owners are responsible for proper security configurations and user management associated with providing the service. A Vendor Risk Management review is necessary for all newly procured cloud-based services.

Infrastructure as a Service (IaaS)

IaaS provides a significant amount of flexibility in the configuration and use of the platform. This requires specific expertise and management by an IT Professional. Where applicable, IaaS solutions must meet the same requirements as Administrative Systems.

Administrative System and Application Security

Administrative systems, due to their complexity, must be managed by an IT Professional. System Owners are responsible for ensuring they have the administrative and technical resource capacity to support this requirement.

Administrative Systems will be required to adhere to all regulatory requirements and meet security controls and standards as set forth by the Information Security Office based on institutional requirements.

Encryption

All systems housing administrative data shall be configured to provide encryption for all data in transit and all data at rest. Where possible, the encryption keys necessary to decrypt the data should reside outside of the system and/or application.

Auditing of Systems and Application Logs

System and application logs shall be reviewed for inappropriate access on a regular basis (at least monthly) or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of large amounts of data often associated with system and application logs. All Administrative Systems (regardless of hosting platform) and all centrally hosted systems must be configured to log both application and security events to the centralized logging and reporting platform.

Mandatory Reporting

All suspected policy violations, system intrusions, and other conditions that might jeopardize University information or information systems must be immediately reported to the Information Security Office.

EXCEPTION MANAGEMENT

The Information Security Office shall maintain a risk-based exception management program and shall review and document any requests for exceptions to this policy. The Information Security Office shall, in its sole discretion, approve or deny requested exceptions and may require mitigating controls for any approved exception.

System and application owners shall contact the Information Security Office to initiate the exception review process when it is not possible to comply with this policy.

ENFORCEMENT

Systems and applications found to be non-compliant with this policy may be administratively shut down or have their access restricted. Systems maintained at the departmental or individual level may incur costs in association with enabling the proper protections or in the event of data exposure.

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530) or UConn Reportline (1-888-685-2637)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions:
August 30, 2023 (Approved by the Senior Policy Council and the President)
March 4, 2026 (Approved by the Senior Policy Council and President)

Network Access Policy, Information Technology

Title: Network Access Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: Workforce Members, Students, and Guests
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

The University invests significantly in maintaining a secure network that meets the academic, research, residential, and administrative needs of the institution. To ensure compliance with applicable Federal and State laws and regulations and protect the campus network, certain security, performance, and reliability requirements must govern the operation of these networks.

APPLIES TO

This policy applies to all University workforce members, students, and guests who have access to University Networks.

DEFINITIONS

University Network: The university network is comprised of the network hardware and infrastructure and the services to support them, from the data jack or wireless access point to the University’s Internet Service Provider’s (ISP) connection. The university network begins at the connection to the network (wired or wireless) and ends where we connect to the Internet.

Wired Network: The wired network consists of the physical cabling, infrastructure, and management systems that provide physical network access via an ethernet or fiber optic cable.

Wireless Network: The wireless network consists of access points (connected to the wired network), wireless spectrum, and management systems that provide services via the UConn provided wireless networks, including UConn Secure, Guest, EDUROAM, and other specialty networks.

POLICY STATEMENT

The University Network (wired & wireless) is an essential resource for the University of Connecticut students, faculty, staff, and guests. The University Network provides a variety of critical services that meet the academic, administrative, research and residential needs of the University. Due to the complex nature of the University’s network, Information Technology Services (ITS) is responsible for the overall design, installation, coordination and operation of the University’s network environment.

Wired Networks

  • The wiring and electronic components of the network are deemed part of the basic infrastructure and utility services of the University. Installation and maintenance of that network are to be considered part of the “up front” basic required building and renovation costs and are not considered discretionary options in construction and renovation design.
  • Standards for the network wiring, electrical components, and their enclosures are defined by Information Technology Services (ITS), subject to Building and Grounds (B&G) oversight and are considered part of the University’s “building code” to which installations must conform.
  • Upgrades to our campus network will be done as part of a university-wide Network Master Plan. This Network Master Plan will be coordinated with the University’s Building Master.
  • UConn Information Security and ITS Network Engineering operate the network security layer through firewalls, VPNs and other technologies. Units are required to work with these groups when implementing solutions involving secured networks or network segments. Units operating local firewalls and/or VPNs must give UConn Information Security and ITS Network Engineering administrative access to these devices and access into protected networks for visibility, security and diagnostic purposes. Information Security and ITS Network Engineering retain discretionary disconnect authority over all network connections.
  • Units proposing to design, install, maintain, or extend data or telecommunications networks must give ITS Network Engineering and Information Security access to/through these devices into the active network segments. This will give Network Engineering the ability to see beyond the secure points of the network for diagnosing problems potentially affecting the overall network.
  • Units wishing to design, install and maintain their own network must have their designs reviewed by ITS Network Engineering. All installations must conform to the standards set forth in the Telecommunications Design Standards published on the University Planning, Design and Construction Resources and Information page (https://updc.uconn.edu/contractors-working-at-uconn/). The requesting entity must submit technical specifications of the equipment to be used in the project, along with the logical and physical design maps, for ITS approval to ensure network compatibility and service conformance. ITS Network Engineering will provide the department with an approval letter, which can be submitted to Purchasing with the purchase request. This requirement extends to all data and telecommunications networks operated or to be operated on any UConn campus or property (except those under the oversight of the Health Center), or operated or to be operated for any UConn purpose, whether or not the proposal includes connecting to or interconnecting with the main UConn networks or telecommunications systems.

Wireless Networks

  • The addition of new wireless access points on the University Network must be coordinated and approved by ITS.  Wireless performance is impacted by the architectural features, building materials, and furnishings of a contemporary workspace.  Construction and renovation projects must be coordinated with ITS and include funding for additions or adjustments required to optimize performance and serviceability of impacted wireless access points and systems.
  • On an exception basis, departments and individual faculty may install and manage wireless access points for specific programmatic needs. These locally administered wireless access points must be registered and coordinated with ITS prior to deployment to prevent radio frequency (RF) interference on either wireless network.  At least one individual in the requesting department must be designated as the official contact for the access point.  The official contact is responsible for the data and network traffic that traverses through the access point and appropriate access control and security configuration, as well as the regular maintenance, software updates, and replacement.
  • Any device that is not part of the University wireless network, or that causes significant RF interference with it, will be considered a “rogue” access point or device. ITS will pursue all reasonable efforts to contact the owner of the rogue device and, if necessary, may disable or disconnect it from the University Network. This includes devices and equipment that operate in the frequency ranges occupied by the University Wi-Fi network.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Technology Services CIO – https://cio.uconn.edu

POLICY HISTORY

This policy replaced the Wireless Network Policy (05/15/2006) and Physical Network Access Policy (11/18/2008).

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)

Firewall Policy

Title: Firewall Policy
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All students, faculty, and staff responsible for configuring firewalls
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: February 20, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

To ensure a common set of firewall configurations across the organization to maximize their protection and detection capabilities in support of the University’s information security. Firewalls provide a valuable protection and detection capability for the organization when properly configured, managed, and monitored.

APPLIES TO

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have responsibility for controlling or configuring firewalls.

DEFINITIONS

EOL: End of Life

EOS: End of Support

IANA: Internet Assigned Numbers Authority

POLICY STATEMENT

The University operates in a highly flexible and adaptive security environment to meet its academic, research, and administrative missions. While the ability to adapt to meet the ever-changing needs of the University is important, oversight and reporting of firewall activities are critical to the successful protection and operation of the University environment. The following firewall requirements must be satisfied:

Firewall Configuration Standards

  • All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for EOL and EOS software/hardware and regular review (at least annually) of firewall rulesets.
  • All dedicated firewalls used in production must follow the University firewall management standard, which includes the ability to review currently configured firewall rules across the organization, identification of shadow or redundant rules and rules in conflict, and standardization of device/object names.
  • Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations and backup media must be restricted to those responsible for administration and review.

Firewall Rules

Firewall rules specify whether a flow of traffic through the firewall device is allowed or denied. Firewall rules are typically written based on a source object (IP address/range, DNS name, or group), a destination object (IP address/range, DNS name, or group), a port/protocol, and an action.

  • All firewall implementations should adopt the principle of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to allow only permissible traffic.
  • Outbound traffic should be enumerated for data stores, applications, or services.
  • Overtly broad rules may be allowed for specific groups of individuals (not systems). Approval must be granted by the Chief Information Security Officer or their designee.
  • The use of overly permissive firewall rules is prohibited (i.e., ANY/ANY/ALL rules).
  • Protocols defined in services and in the firewall must use the Service Name and Protocol/Port information assigned by IANA, unless there is a technical reason to do otherwise (other than “security through obscurity”), in which case the deviation must be commented appropriately in the ruleset.
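The ruleset review the policy calls for above (no ANY/ANY/ALL rules, IANA-assigned ports unless a commented exception, and the identification of shadowed, redundant and conflicting rules named in the Firewall Configuration Standards) can be automated. The following is an added example written for this page, not UConn's firewall management standard or any vendor tool; the rule model, the `audit` function, the small IANA excerpt and the sample ruleset are all constructed here, and rules are assumed to be evaluated first-match.

```python
"""Ruleset checker for the firewall rule conventions described above.

Added example (not the University's own code). Assumes a first-match
ruleset where each rule has a source object, destination object,
protocol/port and action, as the policy describes.
"""
from dataclasses import dataclass
import ipaddress

ANY = "any"

# Small excerpt of IANA service-name/port assignments (well-known values),
# used to check that a rule's service name matches the port it carries.
IANA_PORTS = {"ssh": ("tcp", 22), "dns": ("udp", 53),
              "http": ("tcp", 80), "https": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # source object: CIDR or "any"
    dst: str           # destination object: CIDR or "any"
    proto: str         # "tcp", "udp", "icmp" or "any"
    port: str          # "443", "8000-8100" or "any"
    action: str        # "allow" or "deny"
    service: str = ""  # IANA service name the rule is meant to carry, if any
    comment: str = ""  # justification required when deviating from IANA


def _net(obj):
    return ipaddress.ip_network("0.0.0.0/0" if obj == ANY else obj, strict=False)


def _ports(port):
    if port == ANY:
        return 0, 65535
    lo, _, hi = port.partition("-")
    return int(lo), int(hi or lo)


def covers(outer, inner):
    """True when every flow matched by `inner` is also matched by `outer`."""
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.proto != ANY and outer.proto != inner.proto:
        return False
    olo, ohi = _ports(outer.port)
    ilo, ihi = _ports(inner.port)
    return olo <= ilo and ihi <= ohi


def overlaps(a, b):
    """True when at least one flow is matched by both rules."""
    if not _net(a.src).overlaps(_net(b.src)) or not _net(a.dst).overlaps(_net(b.dst)):
        return False
    if ANY not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    alo, ahi = _ports(a.port)
    blo, bhi = _ports(b.port)
    return alo <= bhi and blo <= ahi


def is_any_any_all(rule):
    """The ANY/ANY/ALL allow rule the policy prohibits."""
    fields = (rule.src, rule.dst, rule.proto, rule.port)
    return rule.action == "allow" and all(f == ANY for f in fields)


def audit(rules):
    """Return (rule name, finding) pairs for a first-match ruleset."""
    findings = []
    for i, rule in enumerate(rules):
        if is_any_any_all(rule):
            findings.append((rule.name, "overly-permissive"))
        if rule.service in IANA_PORTS:
            proto, port = IANA_PORTS[rule.service]
            if (rule.proto, _ports(rule.port)) != (proto, (port, port)) and not rule.comment:
                findings.append((rule.name, "non-iana-port-uncommented"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # An earlier rule matches everything this one would: the rule
                # never fires. Same action = redundant; opposite = shadowed.
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, f"{kind}-by-{earlier.name}"))
                break
            if earlier.action != rule.action and overlaps(earlier, rule):
                # Partial overlap with opposite actions: order decides which
                # wins, so the intent must be reviewed.
                findings.append((rule.name, f"conflicts-with-{earlier.name}"))
    return findings


# Constructed sample ruleset (addresses and names are illustrative only).
SAMPLE_RULESET = [
    Rule("allow-web", ANY, "10.0.1.0/24", "tcp", "443", "allow", service="https"),
    Rule("allow-alt-web", ANY, "10.0.1.10/32", "tcp", "8443", "allow", service="https"),
    Rule("allow-web-host", ANY, "10.0.1.10/32", "tcp", "443", "allow"),
    Rule("deny-web-host", "192.0.2.0/24", "10.0.1.0/24", "tcp", "443", "deny"),
    Rule("allow-ssh-admin", "10.0.9.0/24", "10.0.1.0/24", "tcp", "22", "allow", service="ssh"),
    Rule("deny-ssh-subnet", "10.0.0.0/16", "10.0.1.0/24", "tcp", "22", "deny"),
    Rule("allow-everything", ANY, ANY, ANY, ANY, "allow"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULESET):
        print(f"{name}: {finding}")
```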

Firewall Logging

Firewall log integrity is paramount to understanding potential threats to the network. Firewall devices must send the following log data to a system outside of the physical firewall itself, and the logs must be reviewed regularly (at least monthly) or programmatically through automated means. Firewall logs may be forwarded to the ISO SIEM for retention and analysis.

The following items must be logged as part of the operation of the firewall:

  • All changes to firewall configuration parameters, enabled services, and permitted connectivity
  • Any suspicious activity that might be an indicator of either unauthorized usage or an attempt to compromise security measures

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

REFERENCES

Internet Assigned Numbers Authority

POLICY HISTORY

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions: February 20, 2026 (Approved by the Senior Policy Council)

Secure Web Application Development, Information Technology

Title: Secure Web Application Development, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability: Storrs and Regionals
Effective Date: May 16, 2012
For More Information, Contact: Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/

Departments will ensure that development, test, and production environments are separated. Confidential Data must not be used in the development or test environments.

Production application code shall not be modified directly without following an emergency protocol that is developed by the department, approved by the Data Steward, and includes post-emergency testing procedures.

Web servers that host multiple sites may not contain Confidential Data.

All test data and accounts shall be removed prior to systems becoming active in production.

The use of industry-standard encryption for data in transit is required for applications that process, store, or transmit Confidential Data.

Authentication must always be done over encrypted connections. University enterprise Central Authentication Service (CAS), Shibboleth, or Active Directory services must perform authentication for all applications that process, store, or transmit Confidential or Protected Data.

Applications that process, store, or transmit Confidential Data or Regulated Data must submit system-generated web application and transaction logs to the ITS Information Security Office. For more information please view UConn’s Logging Standard.

Departments implementing applications must retain records of security testing performed in accordance with this policy.

Policy Created: May 16, 2012

Business Continuity & Disaster Recovery, Information Technology

Title: Business Continuity & Disaster Recovery, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All University Departments, System Owners, and Data Owners
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: February 20, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

To establish requirements for business continuity and disaster recovery planning to protect and recover university systems and data from disruptive events or disasters.

APPLIES TO

All University Departments, System Owners, and Data Owners

DEFINITIONS

Business Continuity Plan (BCP): A strategic framework that outlines procedures and safeguards to ensure the University, department or unit can continue operations and recover quickly from disruptive events or disasters.

Disaster Recovery Plan (DRP): A documented strategy that outlines how the University, department or unit will respond to unplanned incidents, ensuring the recovery of IT systems and data. It typically includes policies, procedures, and responsibilities to restore access to compromised systems after disasters such as cyber-attacks or natural events. The plan serves to protect critical assets and promote business continuity in the face of disruptions.

POLICY STATEMENT

Each University department will maintain a current, written and tested Business Continuity Plan (BCP) that addresses the department’s response to unexpected events that disrupt normal business (for example, fire, vandalism, system failure, and natural disaster).

The BCP will be an action-based plan that addresses critical systems and data. Analysis of the criticality of systems, applications, and data will be documented in support of the BCP.

Emergency access procedures will be included in the BCP to address the retrieval of critical data during an emergency.

The Business Continuity Plan (BCP) will include a Disaster Recovery Plan (DRP) that addresses maintaining business processes and services in the event of a disaster and the eventual restoration of normal operations. The BCP and DRP will contain a documented process for annual review, testing, and revision. Annual testing of the BCP will include desk audits, and should also include tabletop testing, walkthroughs, live simulations, and data restoration procedures, where appropriate. The BCP will include measures necessary to protect Confidential Data during emergency operations.

Data Administrators are responsible for implementing procedures for critical data backup and recovery in support of the BCP. The data procedures will address the recovery point objective and recovery time objectives determined by the Data Steward and other stakeholders.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

POLICY HISTORY

Policy created: May 16, 2012

Revisions: February 20, 2026 (Approved by the Senior Policy Council)

Security Awareness Training Policy, Information Technology

Title: Security Awareness Training Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: University Workforce Members
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

The Information Security Office (ISO) maintains an active Security Awareness Training program available to all faculty, staff, and student employees. This policy establishes the authority of the ISO to mandate Security Awareness training as needed and outlines the expectations for individuals and departments in assisting with ensuring the confidentiality, integrity, and availability of university systems, services, and data.

APPLIES TO

This policy applies to all University workforce members who regularly interact with or have access to confidential or protected information within the university.

DEFINITIONS

Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of the Data Classification Policy.

Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data falls into this classification, as does any data that is neither confidential nor public.

POLICY STATEMENT

While the Information Security Office maintains an active information security program, faculty and staff members’ knowledge of the threats and risks to the University’s systems and data is a critical component in helping to defend the University from attack.

The ISO maintains an Information Security Awareness program that supports University employees’ and students’ needs for regular training. Training on important information security topics is available or communicated in multiple ways including:

  • Online training systems with a variety of topics relevant to Information Security.
  • Communications to targeted groups of ongoing or imminent threats
  • Postings on various web-based systems across the university.
  • Availability of ISO staff for in-person discussions on information security.

As part of their ongoing operations and employee development, all academic and administrative departments must identify opportunities to engage faculty, staff, and student employees in Security Awareness training. These opportunities may include those offerings from the ISO or a tailored program for specific threats against departments or systems, which may also be included in procedural manuals or scheduled as group training opportunities.

The ISO is authorized to mandate Security Awareness training. In some areas, Security Awareness training may be mandatory based on federal or industry regulations. Training for these programs must be coordinated with the ISO to ensure regulatory requirements are met.

ENFORCEMENT

Failure to comply with mandatory Security Awareness training, or to coordinate training with the ISO, may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

REFERENCES

Compliance Training Policy
Data Classification Policy

POLICY HISTORY

Policy created: May 16, 2012

Revisions:
August 30, 2021 (Approved by the President’s Senior Team)
March 4, 2026 (Approved by the Senior Policy Council and President)

Risk Management, Information Technology

Title: Risk Management, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: System Owners and IT Professionals
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: February 20, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu

PURPOSE

As technology and its capabilities change our environment, threats against these technologies also evolve. To provide the highest level of protection for the University, department and system owners are responsible for regular assessments of risks to their technology platforms. The Information Security Office is responsible for overseeing the evaluation of IT risks across the organization.

APPLIES TO

This policy applies to all System Owners, from University departments and schools/colleges, and IT Professionals.

DEFINITIONS

Risk Assessment: Part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.

Risk Assessment Tool: Risk assessment tools are available to department and school/college system owners and IT professionals to collect information about systems, services, and data that will inform efforts to continuously strengthen UConn’s information security.

System Owner: The individual – such as a faculty member, department head, manager, or other employee – who is responsible for the planning and operation of the service. All systems have a designated system owner.

IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems coupled with assigned job duties in support of technology at the university. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.

POLICY STATEMENT

The Information Security Office (ISO) is authorized to administer the University’s risk management process, which includes the delegation of responsibility for ensuring that information systems are assessed for risk.

Due to the size and complexity of the UConn environment, each department and system owner is responsible for conducting a regular and ongoing risk assessment of the Information Technologies they are responsible for overseeing.

In conducting a risk assessment, departments/individuals should evaluate risks to Information Technology based on a People, Process, Technology (PPT) methodology. Using this methodology and leveraging ISO policies, including the Acceptable Use Policy, Data Classification Policy, Data Roles and Responsibilities Policy, Security Awareness Training Policy and System and Application Security Policy (available at https://security.uconn.edu), departments must evaluate opportunities to reduce risk to the confidentiality, integrity, and availability of information technology assets.

Some University organizations will be required to do regular risk assessments as a regulatory or industry requirement. This policy does not reduce or relieve the responsibility of System Owners to complete regulatory and industry-required assessments.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: May 12, 2016

Revisions:
August 30, 2021 (Approved by the President’s Senior Team)
February 20, 2026 (Approved by the Senior Policy Council)

Data Classification Policy

Title: Data Classification Policy
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All students, faculty, staff, volunteers, and contractors  
Campus Applicability:  All Campuses except UConn Health
Effective Date: August 30, 2021
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

This policy defines the classifications of institutional data (i.e., the categories of data that the University is responsible for safeguarding) and the associated measures that are necessary to safeguard each classification. Institutional data commonly exists in many forms, including electronic, magnetic, optical, and traditional paper documents. Common types of electronic data include email messages, spreadsheets, word processing documents, PDF reports, and university managed databases and file storage systems. 

APPLIES TO 

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to protected or confidential information. This policy covers data that is stored, accessed, or transmitted in all formats, including electronic, magnetic, optical, paper, or other non-digital formats. 

DEFINITIONS  

Cloud: Any environment not operated by UConn. This includes cloud-based services that provide basic infrastructure (operating system and storage), services that provide a full software stack for an intended purpose, and platforms offering multiple services.

Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of this policy. 

Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data falls into this classification, as does any data that is neither confidential nor public.

Public Data: Institutional information that may or must be freely available to the general public. Such information has no local, national, international, or contractual restrictions on access or usage. 

POLICY STATEMENT  

Through the normal course of business, many individuals at the University of Connecticut collect, maintain, transmit, and/or have access to personal information, financial data, and other information which is protected or confidential in nature. The protection of some types of data is governed by industry or governmental regulations. While other types of information may not be covered by specific legal requirements, it is in the University of Connecticut’s best interest to take steps to safeguard all university information reasonably and responsibly. 

Except for those classes of data expressly protected by statute, contract, or industry regulation, the data classification examples presented in this policy are guidelines. Ultimate responsibility for the classification in the university environment is determined by the Data Steward, as defined in the University’s Data Roles and Responsibilities Policy, and the Office of General Counsel for any given set of data. 

Data Protection 

The University of Connecticut has established the following requirements and guidelines in order to protect each classification of data. 

Public Data 

While there are few restrictions on public data, such data should be properly secured to prevent unauthorized modification, unintended use, or inadvertent/improper distribution. It should be understood that any information that is widely disseminated within the university community is potentially available to the public at large. 

The following guidelines are for information systems that are used to store and share the University’s public data. 

  • When practical, public data should only be shared via systems over which the University maintains full administrative control, which includes the ability to remove or modify the data in question. 
  • Information systems, such as web servers or cloud services that are used to share public data, must be properly secured to prevent the unauthorized modification of published public data. 
  • Interactive access to databases containing public data, such as online directories or library catalogs, should be properly secured using query rate limiting, CAPTCHAs, or similar technology to impede bulk downloads of entire collections.

Protected Data

Protected data requires additional levels of protection because its unauthorized disclosure, alteration, or destruction could cause damage to the University or its constituents.

In addition to the requirements outlined for public data, protected data must also meet these requirements:

  • If stored in the cloud, it must be stored only on cloud-based information systems managed or contracted by the University.
  • It must be protected through the use of authenticated access in order to prevent loss, theft, or unauthorized access, disclosure, or modification.
  • Printed sensitive data, including reports, must be stored in a secure manner (file cabinet, closed office, or department where electronic/physical access control systems are in place) when not in use.

Confidential Data

Confidential data (see Appendix A) requires the highest level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration, or destruction of the data. Certain types of information, such as health information, may have additional requirements for protection. Wherever possible, confidential information should remain in source systems and not be propagated through saved files, spreadsheets, or other file formats. Whenever storage of confidential data is required outside the source system, it should be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements.

In addition to the requirements for protected data, confidential data must be:

  • Protected with strong passwords, and should leverage Multi-Factor Authentication whenever such capabilities exist.
  • Stored on devices that have appropriate protection, monitoring, and encryption measures in order to protect against theft, unauthorized access, and unauthorized disclosure.
  • Transmitted using approved encryption methods.
  • Accessed via approved remote access services, such as VPN, when accessed remotely.
  • Stored on university-owned devices. Confidential data is not permitted to be stored on any personally owned devices, including mobile phones, laptops, or home computers.
  • Stored, if printed material, only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis.

The University’s Confidential Data may not be accessed, transmitted, or stored using public computers or via email.

Encryption

To maintain its confidentiality, all data shall be encrypted while in transit across communication networks or when stored. Stored data may only be encrypted using current encryption methodologies. To ensure that data is available when needed, each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations.

Service Providers

Departments shall take steps to ensure that third-party service providers understand the University’s Data Classification Policy and protection of the University’s Data. No user may give a third party access to the University’s Protected or Confidential Data or to systems that store or process Protected or Confidential Data without permission from the Data Steward and a standard Confidentiality Agreement from University Procurement in place.

Disposal

Systems administrators will ensure that all data stored on electronic media is properly destroyed or wiped to current Department of Defense Data Wipe standards prior to the disposal or transfer of the equipment.

Confidential Data maintained in hard copy form will be properly disposed of when no longer required for business or legal purposes.

ENFORCEMENT

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

REFERENCES

Data Roles and Responsibilities, Policy On

POLICY HISTORY

Policy created: May 16, 2012

Revisions: August 30, 2021