Policies and Standards

What is a Policy, Standard and Guideline? How are they different?

Policies are high-level statements of management intent, expectations and direction relating to the protection of information across the business. They are produced and approved by senior leadership at the University.

Standards provide the specific, low-level, mandatory controls required to enforce and support the information security policy.

Standards help ensure security consistency across the business and usually contain controls relating to the implementation of a specific technology, hardware or software. For example, a password standard may set out rules for password complexity, and a Windows standard may set out the rules for hardening Windows clients.

Guidelines provide recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.

Guidelines should be viewed as best practices: not usually requirements, but strongly recommended. They may consist of additional recommended controls that support a standard, or fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more, and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the internet securely, and a separate guideline may outline best practices for using the internet and managing your online presence.

Procedures provide step by step instructions to assist workers in implementing the various policies, standards and guidelines.

While policies, standards and guidelines describe the controls that should be in place, a procedure gets down to specifics, explaining how to implement those controls step by step. For example, a procedure could explain how to install Windows securely, detailing each step needed to harden the operating system so that it satisfies the applicable policy, standards and guidelines.


Information Security Policies and Standards

Information Security Policy: The policy governing the use, protection, and preservation of computer-based information at the University.

Data Protection Standards: The standards for data protection are intended to help the University more easily meet the legal, regulatory and best-practice requirements that apply to our environment.

BU Health Insurance Portability and Accountability Act (HIPAA) Security Policies: Policies related to the use and storage of electronic Protected Health Information (ePHI) at Boston University. (Text of Law)

See also:

HIPAA Data Security Incident & Breach Policy

HIPAA Privacy Checklist

HIPAA Security Checklist

BU Family Educational Rights and Privacy Act (FERPA): FERPA is the federal law that protects the privacy of a student's education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. (Text of Law)

BU Gramm-Leach-Bliley Act Safeguarding Program (GLBA): The GLB Act requires financial institutions to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some – but not all – sharing of their information. (Text of Law)

Personal Information Protection Program: From the Office of the Executive Vice President, this program describes specific steps members of the University community should take to safeguard personal information. See the Personal Information Protection page for more information.


Conditions of Use and Acceptable Use Policies

Conditions of Use and Policy on Computing Ethics: Conditions of use for all users of the University's computing facilities, and policies for exercising responsible, ethical behavior when using them.

BU Google Apps Acceptable Use and Data Security: Policy for using BU Google Apps in compliance with the requirements your school, department or unit has established for email and data storage.


Information Security Guidelines and Procedures

BU’s Copyright Violation Notification Process: It is illegal, and a violation of Boston University policy, to download or upload copyrighted materials unless you have permission from the copyright holder or one of the limited exceptions under the U.S. Copyright Act applies (e.g., fair use). Doing so is copyright infringement.

BU Google Drive Security Guide: Guidance for using the BU version of Google Drive to store confidential information, including FERPA data, securely.

BU OneDrive Security Guide for FERPA and HIPAA: Guidance for using the BU version of OneDrive to store Confidential and Restricted Use information, including FERPA and HIPAA data, securely.

BU Best Practices: Easy-to-use guides that describe best practices for securing your computer resources quickly and effectively.

Social Media Guidelines: These guidelines are addressed to employees who use social media as part of their jobs to promote their schools, programs, and departments, and also include general considerations for social media use that should be important to everyone.

BU InfoSec Guideline - Security Hardening of iOS (iPad & iPhone): To provide proper protection of information, these devices must be properly configured. This document provides the steps required to properly secure an iPad or iPhone.

Policy Violation Notification Procedure: Procedure for violations of the Information Security Policy or a Non-Disclosure Agreement.