Purpose

The University System of Maryland Board of Regents' Information Technology policy, X-1.00(A), establishes that those using university information technology resources are responsible for complying with IT security standards set forth by the Vice President and Chief Information Officer (VP/CIO). Since the original publication of IT-1 in 2007, a number of additional IT standards have been produced. The structure and format of these standards have varied widely, resulting in inconsistencies and ambiguities.

The purpose of this IT-0 Standard on IT Standards is to set forth a common format for University of Maryland IT standards that will be clear in requirements and recommendations.

Top

Scope

This standard applies to all IT standards approved by the VP/CIO in consultation with the university IT Council. As existing standards come up for review, they shall be reformatted to adhere to the requirements set forth by this Standard on IT Standards.

Top

Statement

All university IT standards will declare the following in plain language:

• The rationale for why it is needed and the desired outcome(s);
• When and to whom it does and doesn’t apply;
• Definitions (if any);
• The rules, regulations, and/or directions that must be followed in order to accomplish the desired stated outcome(s) set forth in the rationale;
• The compliance exception process;
• The consequences for compliance failure;
• Those who are responsible for implementation, compliance, and exceptions;
• References (such as cost analysis and cost sharing as appropriate, and Frequently Asked Questions); and
• Dates of effectiveness and deadlines for implementation.

A standard can be accompanied by Frequently Asked Questions or other documents that assist the reader in understanding the standard. These additional documents are not part of the standard and shall not prescribe requirements unless the requirements are described in the associated standard document. Such documents should be identified in the Reference section of the standard.

Approved IT Standards are assigned a number of the form IT-XXX. This number should not be assigned prior to approval. This will prevent the potential for multiple drafts becoming associated with the same number.
 
All standards and associated documentation must be reviewed every two years unless an alternative timeline is explicitly stated within the standard in question. The IT Security Working Group shall be responsible for monitoring the need for update and performing the review.

The IT Compliance unit within the DIT IT Security Office shall maintain an archive of all standards and accompanying documents. Prior released versions will be retained for reference. Copies can be published in the DIT Knowledge Base but must be updated whenever the original document is updated.

Top

Compliance

An IT standard or standard revision will not be formally released unless the requirements of this Standard on IT Standards have been met.

Top

Version history

Version 1.0
Approved by CIO and IT Council, July 2025
This standard must be reviewed within two years of its approval.

Top