University of Idaho - I Banner
A student works at a computer


U of I's web-based retention and advising tool provides an efficient way to guide and support students on their road to graduation. Login to VandalStar.

System and Information Integrity


This updated standard is to help align existing IT practices around System and Information Integrity to the requirements in NIST 800-171 (SI | 3.14.x) as well as industry best practices. This document does not give full coverage of 3.14.x controls within 171 due to existing limitations and other requirements that are specific to CUI.

What is in this document:

  • Patching requirements
  • Requirement to report flaws to Office of Information Technology (OIT) Security
  • AV configuration requirements

What is NOT in this document:

  • Patching process (testing, deployment, logging)
  • System hardening requirements 

Policy Reference

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response


This Audit and Accountability standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.


These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or using University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.


To help ensure system and application flaws are detected and resolved in a reasonable timeframe:

  1. Apply security patches to address flaws in systems and applications automatically, or within 10 business days.
    1. Patches may be applied in a timeframe approved through a risk-based vulnerability assessment process approved by OIT Security and all affected data and system owners.
  2. U of I employees who discover flaws or vulnerabilities must report them to within 4 hours of discovery.
    1. Discovery does not include validation.
    2. Self-investigation of cybersecurity issues is discouraged, if you feel you need to investigate something prior to reporting to OIT Security, report it anyway.

To help ensure malware is unable to establish, spread and impact systems:

  1. All capable systems with university data must have OIT-managed AV/EDR.
    1. Systems not capable of running OIT-managed AV/EDR must have mitigating controls approved by OIT Security
  2. Systems with malware detected must be reformatted or rebuilt unless otherwise approved by OIT Security.
    1. University technology resources must be reimaged by OIT or as specified by OIT.

To help ensure malware is unable to establish, spread and impact systems:

  1. Updates to signatures need to be applied within 1 day of release.
  2. Full system scans must occur on at least a weekly basis unless an exception is documented by OIT Security.
  3. Real-time protection must be enabled unless an exception is documented by OIT Security.

OIT Security, as a part of participation in information sharing and analysis centers, vendor advisories and other alert feed tools, will respond to alerts with investigation under APM 30.14.

Other References

1. NIST SP800-171r2 (February 2020)

2. NIST SP800-53r5 (September 2020)

5. CMMC Glossary


1. System Flaws

An issue within a system that may result in the system not working as intended. This may include process failures, software vulnerabilities or design gaps.

2. Security Patch

Updates or fixes released by vendors to resolve a security vulnerability.

3. Anti-Virus (AV)

“A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.” (CMMC Glossary)

4. Endpoint Detection and Response (EDR)

Software that runs on endpoint that reviews system behavior for malicious activity and takes action accordingly.

Standard Owner

OIT is responsible for the content and management of these standards.

To request an exception to this standard.


Revision History

3/1/2024 — Minor updates

  • Minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2

Physical Address:

Teaching Learning Center Room 128

Office Hours:

Monday - Friday
8 a.m. to 5 p.m.

Summer Hours:

Monday - Friday
7:30 a.m. to 4:30p.m.

Phone: 208-885-4357 (HELP)