Information Technology Security Program

I. Scope

This policy applies to all employees, students, visitors, and contractors, in all academic and operational departments and offices at all George Mason University locations.

This policy applies to all university information technology and data, whether owned and operated by the university, or used for university business through contractual arrangements.

II. Policy Statement

All University employees, students, visitors and contractors shall comply with the Information Technology Security Standard.

III. Definitions

Information Security Incident means an adverse event or situation, whether intentional or accidental, that poses an enterprise impact or threat to the integrity, availability, or confidentiality of university data or systems or requires reporting based upon regulatory requirements.

IV. Responsibilities

The Vice President of Information Technology and CIO is authorized to establish information security controls and requirements for all members of the university community. The Vice President of Information Technology and CIO, along with the Executive Director and Chief Information Security Officer, are responsible for developing and maintaining Mason’s information security program.

System administrators must comply with the Information Technology Security Standard, and are responsible for implementing controls commensurate with system risk.

All users of university IT resources are required to promptly report information security incidents to the university’s Information Technology Security Office or the Information Technology Services (ITS) Support Center.

In responding to any information security incidents, individuals or departments may not release University information, electronic devices or electronic media to any outside entity, including law enforcement organizations, before notifying the Information Technology Security Office or the ITS Support Center.

The Information Technology Security Office (ITSO) is responsible for responding to information security incidents. In addition to following up on reported incidents, the ITSO may monitor IT resources for potentially malicious and/or harmful activity and take action deemed necessary based on detected activity, or to enforce a university policy.

V. Other Information

The university’s information security program aligns with guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-53, and is tailored to the university’s environment and unique needs.

VI. Compliance

Any misuse of data or IT resources may result in the limitation or revocation of access to University IT resources. In addition, failure to comply with requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies, and may violate federal, state, or local laws.

 A. Exceptions:

Exceptions to this policy must be documented in writing and approved by the Vice President/Chief Information Officer and the Chief Information Security Officer.

VII. Dates

 A. Effective Date:

 This policy will become effective upon the date of approval by the Senior Vice President for Administration and Finance and the Provost and Executive Vice President. Revisions will become effective at the beginning of the University’s fiscal year, unless otherwise noted.

B. Date of Most Recent Review:


 VIII. Timetable for Review

 This policy, and any related procedures, shall be reviewed annually and revised as needed.

IX. Signatures


Senior Vice President for Administration and Finance

Provost and Executive Vice President

Date Approved: October 31, 2008

Revised: January 29, 2013

Revision Approved: October 7, 2019 (effective immediately)