Minimum Security Standards

As part of the UH Data Classifications Policy (EP 2.214), the technical guidelines for each data classification category shall be followed to prevent the inadvertent exposure and inappropriate disclosure of Institutional Data that are considered protected data.

University of Hawaiʻi Data Classification

Public Data

  • Public (No Risk): No privacy considerations.
    Definition: Institutional Data where access is not restricted and is subject to open records requests.

Protected Data

  • Restricted (Low Risk): Data used internally within the UH community but not released to external parties without a contract or memorandum of agreement.
    Definition: Institutional Data used for UH business only. Restricted data will not be distributed to external parties except under the terms of a written memorandum of agreement or contract. Data is maintained in a physically secured location.

  • Sensitive (Medium Risk): Data subject to privacy considerations.
    Definition: Institutional Data subject to privacy or security considerations, or any Institutional Data not designated as public, restricted, or regulated. Data is maintained in a physically secured location.

  • Regulated (High Risk): Highly sensitive data that is subject to state breach notification requirements, financial fines, or other penalties.
    Definition: Institutional Data where inadvertent disclosure or inappropriate access requires a breach notification in accordance with HRS §487N or is subject to financial fines. Social Security Number (SSN) and personal financial information fall within this category. Data is maintained in a physically secured location.

Examples of Data / Information by Category [UH Login Required]

Minimum Security Standards by Device [UH Login Required]

Below are links to the minimum standards, organized by UH Institutional Data Category (Public, Restricted, Sensitive, and Regulated) and by device type (Endpoints, Servers, and MFD/IoTs).

The standards listed below are adapted from a subset of the Center for Internet Security’s (CIS) Controls, a prioritized set of actions that collectively form a defense-in-depth set of best practices for mitigating the most common attacks against systems and networks. The subset of CIS Controls was chosen based on its applicability to the University of Hawaiʻi.

Cyber Hygiene Best Practices

Cyber Hygiene is a set of best practices users should follow to improve the safety and security of their devices.

Implementation Guides [UH Login Required]

The following link provides the implementation guides, a set of guides intended to help members of the UH community implement the Minimum Security Standards: Implementation Guides

Minimum Security Standard Mappings [UH Login Required]

ITS has performed an analysis mapping the following standards against the ITS Minimum Security Standards (MSS):

  • Cybersecurity Maturity Model Certification (CMMC) Levels 1 and 2
  • NIST 800-171
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

Please visit the specific ITS MSS device type (Endpoints, Servers, Multi-Function Devices and Internet-of-Things) for any additional guidance.

  • When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
  • When comparing Standards, Acts, or Policies to the ITS Minimum Security Standards, the more stringent standard takes precedence.
  • Standard, Act, or Policy requirements still apply when there is no equivalent ITS Minimum Security Standard.

General Information Security Practices