Minimum Security Standards

As part of the UH Data Classifications Policy (EP 2.214), the technical guidelines for each data classification category shall be followed to prevent the inadvertent exposure and inappropriate disclosure of Institutional Data that are considered protected data.

University of Hawaiʻi Data Classification

Public Data

  • Public (No Risk)
    No privacy considerations.
    Institutional Data where access is not restricted and is subject to open records requests.

Protected Data

  • Restricted (Low Risk)
    Data used internally within the UH community but not released to external parties without a contract or memorandum of agreement.
    Institutional Data used for UH business only. Restricted data will not be distributed to external parties except under the terms of a written memorandum of agreement or contract. Data is maintained in a physically secured location.

  • Sensitive (Medium Risk)
    Data subject to privacy considerations.
    Institutional Data subject to privacy or security considerations or any Institutional Data not designated as public, restricted, or regulated. Data is maintained in a physically secured location.

  • Regulated (High Risk)
    Highly sensitive data that is subject to state breach notification requirements, financial fines, or other penalties.
    Institutional Data where inadvertent disclosure or inappropriate access requires a breach notification in accordance with HRS §487N or is subject to financial fines. Social Security Number (SSN) and personal financial information fall within this category. Data is maintained in a physically secured location.
[UH Login Required] Examples of Data / Information by Category

Minimum Security Standards by Device [UH Login Required]

Below are links to the minimum standards, organized by UH Institutional Data Category (Public, Restricted, Sensitive, and Regulated) and device type (Endpoints, Servers, and MFDs).

The standards listed in the respective tables are based on the Center for Internet Security’s (CIS) Controls, which are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.

The standards listed below are a subset of the CIS Controls, selected based on their applicability to the University of Hawaiʻi.

Cyber Hygiene Best Practices

Cyber Hygiene is a set of best practices users should follow to improve the safety and security of their devices.

Configuration Guides [UH Login Required]

The following link provides configuration guides for commonly used systems: Configuration Guides

Minimum Security Standard Mappings [UH Login Required]

ITS has performed an analysis mapping the following standards against the ITS Minimum Security Standards (MSS):

  • Cybersecurity Maturity Model Certification (CMMC) Levels 1 to 3
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

Please visit the specific ITS MSS device type (Endpoints, Servers, Multi-Function Devices) for any additional guidance.

  • When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
  • When comparing Standards, Acts, or Policies to the ITS Minimum Security Standards, the more stringent standard takes precedence.
  • Standard, Act, or Policy requirements still apply when there is no equivalent ITS Minimum Security Standard.

General Information Security Practices