I. Scope
This policy applies to all faculty, staff, students, visitors, and contractors, in all academic and operational departments and offices at all George Mason University locations.
II. Policy Statement
All university faculty, staff, students, visitors and contractors shall comply with the Information Technology Security Standard.
III. Definitions
Information Security Incident: An adverse event or situation, whether intentional or accidental, that poses a threat to the integrity, availability, or confidentiality of an IT system.
Process Owner: A process owner is responsible and accountable for a particular process within an organization. This individual or team is responsible for the design, implementation, monitoring, and continuous improvement of the process, ensuring it operates seamlessly and delivers the expected results. A Process Owner may be a business, technology, or functional process owner.
System Owner: A person who is responsible for the operation and maintenance of a George Mason IT system.
IV. Responsibilities
The Vice President and Chief Information Officer (CIO) is authorized to establish information security controls and requirements for all members of the university community. The Vice President and CIO, along with the Chief Information Security Officer (CISO) or equivalent leading the information security function, are responsible for developing and maintaining George Mason’s Information Security Program.
For purposes of compliance with the requirements within the Gramm–Leach–Bliley Act (GLBA), the policy is supported by the Information Technology Security Standard, which articulates the control areas and requirements in alignment with the Standards for Safeguarding Customer Information along with its Elements under § 314.4 within Title 16 Chapter 1 Subchapter C Part 314. Additionally, this policy establishes the CISO or equivalent staff leading the information security function at George Mason as the Qualified Individual per Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., 15 C.F.R. § 314.4 (a).
George Mason System Owners, Process Owners, system administrators, database administrators, application administrators, and users with elevated privileges are responsible for implementing controls and processes to comply with the requirements within this Policy.
All users of university IT resources are required to promptly report information security incidents to the university’s Information Technology Security Office (ITSO) or the Information Technology Services (ITS) Support Center.
In the event of an information security incident, faculty, staff or departments must not disclose any university information—including the circumstances, scope, context, impact, or any other related details—or release any electronic devices or media to external entities, including law enforcement, without first notifying the ITSO or the ITS Support Center.
ITSO is responsible for responding to information security incidents. In addition to following up on reported incidents, the ITSO may monitor IT resources for potentially malicious and/or harmful activity and take action deemed necessary based on detected activity, or to enforce a university policy.
V. Other Information
The university’s Information Security Program aligns with guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-53, and is tailored to the university’s environment and unique needs.
VI. Compliance
Any misuse of data or IT resources may result in the limitation or revocation of access to university IT resources. In addition, failure to comply with requirements of this policy may result in employee and/or student disciplinary action up to and including termination or expulsion.
Exceptions:
Exceptions to this policy must be documented in writing and approved by the Vice President and CIO or the CISO or equivalent leading the information security function.
VII. Dates
A. Effective Date:
This policy will become effective upon the date of approval by the Executive Vice President for Finance and Administration and the Provost and Executive Vice President.
B. Date of Most Recent Review:
December 4, 2024
VIII. Timetable for Review
This policy, and any related procedures, shall be reviewed every three years or more frequently as needed.
IX. Signatures
Approved:
__/S_____________________
Executive Vice President for Finance and Administration
__/S______________________
Provost and Executive Vice President
Date Approved: October 31, 2008
Revised: January 29, 2013
Revision Approved: October 7, 2019
Reviewed: December 15, 2020
Revised: December 4, 2024
Page last updated: December 9, 2024