Information Technology Security

  • Responsible Oversight Executive:ÌýVice President for Administration and Finance
  • Date of Current Revision or Creation:ÌýFebruary 2, 2023
  • Download Policy PDF

The purpose of this policy is to state the codes of practice with which the University aligns its information technology security program and to establish that the University aligns its security activities with internationally recognized best practices.

, grants authority to the Board of Visitors to make rules and policies concerning the institution. Section 7.01(a)(6) of theÌýÌýgrants authority to the President to implement the policies and procedures of the Board relating to University operations.

Restructured Higher Education Financial and Administrative Operations Act,Ìý

Ìý- The international standard that defines guidelines and general principles for the effective management of information security within an organization. It is a risk-based framework widely used to guide establishment of security standards and management practices.

Ìý- A nonprofit association dedicated to the advancement of higher education through the effective use of information technology. Members include representatives from institutions of higher education, higher education technology companies, and other related organizations.

Ìý- A Federal law enacted to protect access to student records and provide control over the disclosure of information from these records.

Ìý- A Federal law enacted to control how financial institutions deal with the private information of individuals.

Ìý- A Federal law enacted to set national standards for the security of electronic-protected health information.

Information SecurityÌý- The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information Security Officer (ISO) -ÌýThe ¹ÏÉñÍø employee, appointed by the President or designee, who is responsible for developing and managing ¹ÏÉñÍø's information technology (IT) security program.

Information Technology Security ProgramÌý- Provides a high-level view of the University's security controls and elements used to satisfy the laws and regulations relevant to information security. The Information Security Officer has delegated authority for the selection and implementation of security controls and manages the overall security program.

Ìý- A global organization that develops and publishes standards addressing electrical, electronic, and related technologies. Membership comes from government, the private sector, consumer groups, professional associations, and others.

Ìý- The world's largest developer of standards. The organization is made up of representatives from governmental and private sector standard bodies, e.g. the American National Standards Institute.

Ìý-ÌýA comprehensive set of payment application security requirements designed to ensure the confidentiality and integrity of customer information.

Ìý- An organization formed to help strengthen information technology security programs within Virginia. The Alliance was organized and is operated by security practitioners and researchers from several Virginia higher education institutions.

This policy applies to all users, decision makers, developers and planners of campus systems and operations related to the design, acquisition, maintenance, and use of information technology.

Ìý

The University's information technology security program is based on nationally and internationally recognized standards and frameworks appropriately tailored to the specific circumstances of the University, including but not limited to those recommended in the Code of Practice for Information Security Management published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27002:2013).

The program also incorporates security requirements of applicable regulations including, but not limited to, the Family Educational Rights and Privacy Act, Payment Card Industry Data Security Standard, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking, serve as resources for additional effective security practices.

The ISO/IEC 27002:2013 Code of Practice and other sources noted above are used to guide development and ongoing enhancement of additional information technology security policies as needed

Ìý

The specific standards to be utilized for compliance with this policy are published on theÌýInformation Technology Services Computing Policies and StandardsÌýwebsite. For security purposes, procedures and guidelines are maintained internally and are available upon request to relevant parties as authorized by the Information Security Officer.

Applicable records must be retained and then destroyed in accordance with theÌý.

Chief Information Officer

Policy History

Policy Formulation Committee (PFC) & Responsible Officer Approval to Proceed:

/s/ÌýRusty Waterfield


Responsible Officer


January 4, 2023


Date


Policy Review Committee (PRC) Approval to Proceed:

/s/ÌýDonna W. Meeks


Chair, Policy Review Committee (PRC)


August 18, 2022


Date


Executive Policy Review Committee (EPRC) Approval to Proceed:

/s/ÌýChad A. Reed


Responsible Oversight Executive


January 27, 2023


Date


University Counsel Approval to Proceed:

/s/ÌýAllen T. Wilson


University Counsel


January 31, 2023


Date


Presidential Approval:

/s/ÌýBrian O. Hemphill, Ph.D.


President


February 2, 2023


Date

Previous Revisions: October 1, 2007; April 9, 2010; April 26, 2011; March 15, 2017; February 2, 2023

Scheduled Review Date: February 2, 2028