Information Technology Security Program
University Policy Number 1311
Responsible Office: Vice President of Information Technology/CIO
Related Law & Policy:
- Policy 1114: Data Stewardship
- Policy 1301: Responsible Use of Computing
- Policy 1304: Public Internet Address
- Policy 1305: Reporting Electronic Security Incidents
- Policy 1306: Banner and Related Administrative Systems Security
This policy applies to all academic and operational departments and offices at all George Mason University (Mason) locations owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors.
II. POLICY STATEMENT
The University has a highly complex and resource-rich information technology environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Safeguarding the institution’s computing assets in the face of growing security threats is a significant challenge requiring a strong, persistent and coordinated program that leverages widely accepted, effective security practices appropriate for the higher education environment. This policy states the codes of practice with which the University aligns its information technology security program.
The University’s information technology security program is based upon best practices recommended in the “Code of Practice for Information Security Management” published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27002:2005), and appropriately tailored to the specific circumstances of the University. The program also incorporates privacy requirements of applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA). Professional organizations, such as the national association EDUCAUSE and the Virginia Alliance for Secure Computing and Networking (VA SCAN), and state agencies, such as the Virginia Information Technologies Agency (VITA), serve as resources for additional effective security practices.
The ISO/IEC 27002:2005 Code of Practice and the other sources noted above are used to guide the development and ongoing enhancement of additional information technology security policies as needed. All related policies governing information technology security can be found on the University policies web site: http://itsecurity.gmu.edu/Resources/policies.cfm.
Code of Practice for Information Security Management (ISO/IEC 27002:2005) – This international standard defines guidelines and general principles for the effective management of information security within an organization. It is a risk-based framework widely used to guide establishment of security standards and management practices.
EDUCAUSE – EDUCAUSE is a nonprofit association dedicated to the advancement of higher education through the effective use of information technology. Members include representatives from institutions of higher education, higher education technology companies, and other related organizations.
International Organization for Standardization (ISO) – The world’s largest developer of standards, the organization is made up of representatives from governmental and private sector standards bodies, e.g. the American National Standards Institute.
International Electrotechnical Commission (IEC) – The IEC is a global organization that develops and publishes standards addressing electrical, electronic and related technologies. Membership comes from government, the private sector, consumer groups, professional associations, and others.
Virginia Alliance for Secure Computing and Networking (VA SCAN) – VA SCAN was formed to help strengthen information technology security programs within Virginia. The Alliance was organized and is operated by security practitioners and researchers from several Virginia higher education institutions, including George Mason University, which was one of the four founders of the organization.
Virginia Information Technologies Agency (VITA) – VITA is the Commonwealth’s consolidated, centralized information technology organization. VITA’s responsibilities fall into three primary categories: operation of the IT infrastructure, governance of IT investments, and procurement of technology for VITA and on behalf of other state agencies and institutions of higher education.
The Vice President of Information Technology and CIO, along with the Director, IT Security, will monitor changes and revisions to the standards, regulations and best practices noted above and make appropriate modifications to the policies and procedures of the University’s IT Security Program.
V. OTHER INFORMATION
The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. Furthermore, HB1390, effective July 1, 2008, allows institutions of higher education to enter into a memorandum of understanding with the appropriate Cabinet Secretary or Secretaries for additional operating authority in two of the following three areas: information technology, procurement, and capital projects (Higher Education Restructuring Level II).
The university’s memorandum of understanding with the Commonwealth provides full delegated responsibility for management of the institution’s information technology security activities. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the University, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the University will align its security activities.
Any changes, modifications or revisions to policies related to the University’s IT Security Program will be reviewed in light of the latest versions of the standards upon which this program is based.
VII. EFFECTIVE DATE AND APPROVAL
The policies herein are effective October 20, 2008. This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: October 31, 2008
Revised: January 29, 2013