This document lists significant changes that have been made to the Minimum Security Standards for Systems.
| Date | Change description | Original text |
|---|---|---|
| 9/14/2007 | Changed reference from BPM 53 to UTS 165 | "BPM 53" |
| 4/5/2007 | Added "(See Data Encryption Guidelines.)" to System Hardening standards 5.6 and 5.7. | No reference previously. |
| 3/6/2007 | Changed Section I, first sentence to read "These minimum standards serve as a supplement to the IT Security Operations Manual, which was drafted in response to Texas Administrative Code 202 and UT System BPM 53." Added "This minimum standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data." to the end of the same paragraph. Also revised all references to "standard" to read "standards." | "This minimum standard serves as a supplement to the IT Security Operations Manual, The University of Texas at Austin’s implementation of UT-System BPM 53." |
| 12/02/2006 | Added practice 5.14: "Apply the principle of least privilege to user, administrator, and system accounts." Cat I: Required; Cat II/III: Recommended | New |
| 11/02/2006 | Edited Practice 5.7 to say "Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate." | Systems will provide secure (that is, encrypted) storage for Category I data as required by confidentiality and integrity needs. |
| 10/20/2006 | Edited Practice 5.6 to say "Services or applications running on systems manipulating Category I data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs." | "Services or applications running on systems manipulating Category I data should implement secure (that is, encrypted) communications to ensure Category I data does not traverse the Internet in clear text." |
| 10/20/2006 | Added Practice 5.13, "Strong password requirements shall be enabled, as technology permits, based on the category of data the account is allowed to access." Required for all data categories. | New |
| 7/11/2006 | Changed title to "Minimum Security Standards for Systems" in this and all documents referencing the title. The phrase "Associated with Category I, II, or III Data" relates to all IT Security policies, and the change will make it easier to incorporate "Minimum Security Standards" documents for other IT resource types. Added links to appropriate definitions in the ISO Technical and Security Glossary. Added Change Log for transparency. | "Minimum Security Standards for Systems Associated with Category I, II, or III Data." |
| 7/11/2006 | Added the Exception Reporting Process to this sentence... "If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available. In such cases a security exception report shall be filed." | "If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available." |
| 7/11/2006 | Changed "Primary Investigators" to "Lead Researchers," per BPM-75 language. | "IT owners and custodians, Primary Investigators (PIs), and/or systems administrators are expected to use their professional judgment in managing risks to the information and systems they use and/or support." |
