Information Security Policy

Policy Number: 1.11.2.1
Category: Information Technology
Effective: August 5, 2020
Revision History: None
Review Date: August 4, 2023

  1. PURPOSE AND SCOPE

    1. The purpose of this Policy is to establish the framework for the safeguarding of the hardware, software, and information products utilized at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure the Confidentiality and Integrity of University Data.
    2. This Policy applies to all University Technology Resources, whether connected to the Campus Network or not, and all Authorized Individuals whose responsibilities include inputting, safeguarding, retrieving, or using University Data.
  2. INFORMATION SECURITY AT THE UNIVERSITY

    1. The University manages information security based on the National Institute of Standards and Technology’s Cybersecurity Framework, which focuses on the following core functions:
      1. Identification of cybersecurity risks to University Technology Resources, their capabilities, the information stored within those resources, the people who use them, and the vendors who provide them;
      2. Implementation of relevant safeguards to protect and ensure continuity of Mission Critical Services;
      3. Detection of the occurrence of Security Incidents;
      4. Implementation of appropriate activities to take action regarding a Security Incident or Disruption; and,
      5. Planning for the effective restoration of capabilities and features impaired due to a Disruption.
    2. By carrying out the objectives outlined in this Policy, the University seeks to encourage cooperation and innovation while also ensuring that technology risk management is a visible, integral part of its planning, decision-making, and operations.
  3. IDENTIFICATION OF CYBERSECURITY RISKS

    1. Technology policies and standards (“Technology Governance”) developed by Information Technology Services (“ITS”) establish the security posture of the University and apply to all University Technology Resources, regardless of where the information or resource resides, or who manages it.
      1. Individual schools, departments, programs, and/or third-party vendors must meet the minimum security requirements established in Technology Governance but may also choose to implement more rigorous security requirements.
      2. In cases of non-compliance with established Technology Governance where University Technology Resources and/or Data are threatened, IT will act to secure the resource and may limit or disconnect access to the Campus Network.
      3. Exceptions to established Technology Governance may be granted when there is a valid justification for not being capable of conforming; however, because they inherently weaken the security of University Technology Resources and Data, exceptions will not be granted for convenience or if appropriate alternative security controls cannot be found to mitigate the risks posed.
    2. To ensure continuity of services, a formal Business Impact Analysis (“BIA”) must be completed by each University business unit to identify the Mission Critical, Business Critical, and/or Core Services carried out by it, the system(s) that support these services, and the Maximum Tolerable Downtime (“MTD”) for those systems.
    3. All University Technology Resources in use must be inventoried to, at minimum:
      1. Determine who owns it;
      2. Establish its Criticality to the University; and,
      3. Ensure it is secured appropriately for the data that is processed, stored, and transmitted with it.
    4. Purchases of new University Technology Resources must adhere to the requirements established within the Technology Acquisition Standard to ensure the resource is compatible with the University’s existing technologies and will not impose an unnecessary risk to the University.
    5. Third parties seeking to contract with the University to perform Technology Services must complete a vendor risk assessment, supply assurances of compliance with applicable laws and regulations, and agree to adhere to established Technology Governance prior to entering into an agreement with the University.
    6. The University runs risk assessments on the following:
      1. University Technology Resources, including specialized assets or related systems;
      2. Vendors of Technology Services;
      3. Individual schools, departments, or business units; and,
      4. Requests for exceptions to Technology Governance.
    7. Additional technology risks to the University may be identified through other activities including our project engineering, protection impact assessments, on-site visits, whistleblowers, or self-disclosures.
    8. All identified technology risks will be classified based on the likelihood that harm will occur as a result of the threat occurring and the harm that may occur to the University or individuals given the potential for the threat to exploit vulnerabilities.
    9. Technology risks must be remediated, mitigated through implementation of compensating security controls, or accepted.
      1. Accepted risks will be tracked and re-assessed annually, at a minimum, to ensure the continued risk is still in line with the University’s level of risk tolerance.
      2. Aggregated data on the known risks to the University will be compiled on an annual basis and provided to Senior Management to aid in determining the University’s continued technology risk appetite.
  4. PROTECTING UNIVERSITY TECHNOLOGY RESOURCES

    1. The University protects the Confidentiality and Integrity of University Data by:
      1. Requiring Authentication to access University Technology Resources;
      2. Permitting Unauthenticated Access to University Technology Resources only in exceptional circumstances or when the resource is intended to be publicly accessible without restrictions;
      3. Establishing effective on-boarding and off-boarding processes that include provisioning and de-provisioning employee access to University Technology Resources;
      4. Basing access to University Technology Resources upon the principle of Least Privilege;
      5. Securing the Campus Network, including automatically blocking threats through its outer firewall;
      6. Establishing Baseline Configurations that devices connecting to the Campus Network must meet;
      7. Identifying Sensitive Data stored on unsecured endpoints and remediating or securely removing the files;
      8. Physically securing facilities that house University Data, including physical segregation within facilities when necessary;
      9. Providing secure remote access to University Information Systems; and,
      10. Enforcing compliance with established Technology Governance.
    2. The University ensures its workforce secures University Data appropriately by providing awareness on cybersecurity risk management, data protection, and duty-specific training.
    3. To minimize the risk and impact of changes on University business operations, all identified Mission Critical Services, Core Services, and/or University Technology Resources storing Sensitive Data must:
      1. Establish structured, consistent change control processes;
      2. Separate development and testing environments from production; and,
      3. Implement High Availability, if possible.
    4. All University-owned devices whose use will be discontinued at the University must be sanitized to ensure:
      1. Removal of Unauthorized Access or disclosure of Sensitive Data; and,
      2. Removal of University-licensed software.
  5. THREAT DETECTION AND PREVENTION AT THE UNIVERSITY

    1. To identify potential internal and external threats to University Technology Resources and Data, the University conducts scanning, and classifies and remediates vulnerabilities.
    2. When potential or confirmed attacks or compromises are detected, the University will reduce or eliminate the threat through activities such as blocking or restricting access to the Campus Network, deactivating University account access, or removing the malicious content from the University Technology Resource.
    3. The University periodically conducts audits of University Data Center door access logs and monitors entry doors through video surveillance or still photography to ensure only Authorized Individuals physically enter University Data Centers.
    4. The University will identify, detect, prevent, and respond to the warning signs of Identity Theft (“Red Flags”) associated with University Covered Accounts.
  6. SECURITY INCIDENT RESPONSE AND RECOVERY

    1. All known or suspected Security Incidents must be reported to ITS immediately.
    2. Investigations of Security Incidents will be conducted pursuant to the Computer Security Incident Response Policy.
    3. To ensure continuity of essential system functions in the event of a Security Incident or Disruption, all Mission Critical Services and Core Services must develop a Business Continuity Plan that includes the following:
      1. Results of a BIA;
      2. Strategies for backup and recovery of data to restore system operations quickly and effectively; and,
      3. A formal Information System Contingency Plan (“ISCP”) that identifies how to train personnel, activate the plan, lead system recovery, and reconstitute the system after a Disruption.
  7. INFORMATION SECURITY SERVICES RESPONSIBILITIES

    1. The Chief Information Security Officer, through Information Security Services (“ISS”), is responsible for ensuring the Confidentiality, Integrity, and Availability of University Technology Resources and Data. ISS accomplishes this task by carrying out the following activities:
      1. Developing and implementing the Technology Governance to establish the security posture of the University;
      2. Establishing a formal process for review, approval, and repeal of University Technology Governance;
      3. Establishing a formal process for the review, approval, and documentation of any requests for non-compliance with accepted Technology Governance;
      4. Establishing mechanisms for checking and enforcing compliance with applicable international, federal, and state laws and University policies to protect University Data;
      5. Designating the appropriate level of administrative, technical, and physical safeguard requirements for securing University Technology Resources;
      6. Detecting vulnerabilities and threats to University Information Systems and the Campus Network, documenting the level of security necessary to address identified risks, and providing recommendations for the appropriate treatment of identified vulnerabilities;
      7. Identifying and managing technology risks to the University, which includes: developing processes to conduct risk assessments; ensuring identified risks are remediated; communicating with Senior Management regarding acceptance of technology risks; and monitoring accepted technology risks over time;
      8. Providing training and awareness to educate the University community concerning cybersecurity risk management and data protection regulations;
      9. Coordinating and overseeing risk management and security planning activities for University Technology Resources; and,
      10. Aligning the University’s response to Security Incidents pursuant to the Computer Security Incident Response Policy.
  8. RESPONSIBILITIES OF DATA USERS AND DATA STEWARDS

    1. Individuals who have access to University Data to perform their assigned duties or to fulfill their role within the University community (“Data Users”) are responsible for:
      1. Complying with applicable international, federal, and state laws and University policies to protect University Data;
      2. Using only University-owned, secure information systems to store and access Sensitive Data;
      3. Storing University Data in a designated secure location;
      4. Reporting suspected or known Security Incidents, including lost or stolen hardware; and,
      5. Appropriately managing all University Data within their possession.
    2. Senior Management who have conceptual and policy-level responsibility for University Data in their functional areas (“Data Stewards”) must meet all of the responsibilities for Data Users, as well as:
      1. Ensuring appropriate data controls are in place to protect the data they oversee;
      2. Authorizing and de-authorizing access to information under their stewardship, based on the principle of Least Privilege;
      3. Ensuring individuals granted access to data are appropriately trained to comply with the applicable international, federal, and state laws and University policies to protect the data;
      4. Establishing the University’s technology risk tolerance by:
        1. Remediating and/or mitigating any risks or gaps identified as a result of risk assessments or compliance checks in the areas they oversee;
        2. Eliminating and/or mitigating security vulnerabilities from the University Technology Resources they oversee; and,
        3. Accepting any technology risks associated with their areas of responsibility.
  9. DEFINITIONS

    1. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Technology Resource.
    2. “Authorized Individuals” means faculty, staff, students, and third parties who are designated WVU Login credentials which provide access to University Information Systems and data.
    3. “Availability” means ensuring timely and reliable access to and use of information.
    4. “Baseline Configuration” means a documented set of specifications for hardware, software, and applications that reflect the most restrictive mode consistent with operational requirements and serve as a basis for future builds, releases, and/or changes to the University Technology Resource.
    5. “Business Impact Analysis” means an assessment to identify the Mission Critical Services performed by all business units within the University. The BIA should identify vulnerabilities and threats that may affect a business unit’s ability to meet these services and preventative measures to mitigate or eliminate threats; the University Technology Resources used to execute these Mission Critical Services; and recovery time objectives and priorities for the Mission Critical Services.
    6. “Confidentiality” means preserving authorized restrictions on information access and dissemination, including means for protecting personal privacy and proprietary information.
    7. “Criticality” means the relative importance of the service and the consequence of incorrect behavior of the system(s) that support it.
      1. Mission Critical Service means the system is required to conduct essential mission-oriented operations of the University. Unplanned outages have immediate and widespread impact.
      2. Core Service means the system must be available to conduct the most essential work processes. Interruptions have an immediate, University-wide impact.
      3. Business Critical Service means the system is needed to perform normal University work. Interruptions in service impact important operations but are not University-wide.
    8. “Disruption” means an unplanned event that causes the University Technology Resource to be inoperable for an unacceptable length of time.
    9. “High Availability” means a failover feature to ensure Availability during a Disruption.
    10. “Integrity” means guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
    11. “Information System Contingency Plan” means the procedures designed to maintain or restore business operations in the event of a Disruption.
    12. “Least Privilege” means granting the minimum system resources and authorizations needed to perform its function and restricting access privileges of authorized personnel to the minimum functions necessary to perform their job.
    13. “Maximum Tolerable Downtime (MTD)” means the total amount of time the business unit is willing to accept for an outage or disruption.
    14. “Security Incident” means a suspected, attempted, successful, or imminent threat to the confidentiality, integrity, and/or availability of University Data; interference with or Unauthorized Access to a University Technology Resource; or, a violation, or imminent threat of violation of University information technology rules, policies, standards, and/or procedures.
    15. “Senior Management” are vice presidents, assistant vice presidents, associate vice presidents, deans, and other administrators responsible for reviewing and accepting institutional risks to the University.
    16. “Technology Services” means services, training, and maintenance contracts including professional information technology services purchased from a third-party vendor outside of the University. Services include but are not limited to: electronic records and content management services, IT infrastructure, managed security, network services, quality assurance and review, system integration, technology support, and website services.
    17. “University Technology Resources” means the Campus Network, University-owned hardware, software, and communications equipment, technology facilities, and other relevant hardware and add-on elements, as well as personnel tasked with the planning, implementation, and support of technology. University Technology Resources can be broken down into the following:
      1. Campus Network means the wired and wireless components and University Technology Resources connected to the network managed by the University. Excludes residence halls, University public/private partnerships, and other relationships the University may establish through contracts, including the City of Morgantown and WVU Medicine, through which the University provides IP addresses but does not manage the network.
      2. Device means a server, computer, laptop, tablet, or mobile device used to enter or access University Data from a University Information System.
      3. University Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.
  10. ENFORCEMENT AND INTERPRETATION

    1. Any employee who violates this Policy will be subject to appropriate disciplinary action.
    2. Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
    3. Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
    4. The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
    5. Responsibility for interpretation of this Policy rests with the Chief Information Officer.
  11. AUTHORITY AND REFERENCES

    1. BOG Governance Rule 1.11 – Information Technology Resources and Governance
    2. All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
      1. Acceptable Use of Data and Technology Resources Policy
      2. Data Center Policy
      3. Identity and Access Management Policy
      4. Computer Security Incident Response Policy
      5. Data Classification Policy
      6. Data Center Security Standard
      7. Bring Your Own Device Standard
      8. University-Owned Device Standard
      9. University Property Disposition Policy
      10. Information Security Services Charter
      11. Business Continuity Plan Template