Information Security Management Program

Mission

The mission of the VCU Information Security Management Program is to provide and foster an environment that secures and maintains the confidentiality, integrity and availability of the information technology resources that are central to the University's mission-critical operations of education, research, service and administration.

Goals

The VCU Information Security Management Program is based on the Commonwealth of Virginia's Information Technology Security Policy (SEC500-02) and the Information Technology Security Standard (SEC501-01). Both of these documents became official as of July 2007. The components of the program are listed below.

The program is also shaped by the security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act and by practical and effective security practices such as those advocated by the EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking. In compliance with these standards, regulations and best practices, the goals of the program are:

  • to identify confidential, sensitive and proprietary information resources, determine appropriate uses of those resources, and protect them from unauthorized access and/or disclosure.
  • to ensure the accuracy, validity and completeness of information by protecting resources from unauthorized access and modification, whether intentional or accidental.
  • to provide assurance that University information resources are accessible and operational to support designated educational, research, service and administrative operations.

Objectives

The objectives of the VCU Information Security Management Program are subject to update and adjustment due to the dynamic nature of the information technology environment and the current state of security vulnerabilities and threats. The current objectives are listed below.

VCU Information Security Management Program Components

  1. Risk Management
    • IT Security Roles and Responsibilities
    • Business Impact Analysis
    • IT System and Data Sensitivity Classification
    • IT System Inventory and Definition
    • Risk Assessment
    • IT Security Audits
  2. IT Contingency Planning
    • Continuity of Operations Planning
    • IT Disaster Recovery Planning
    • IT System and Data Backup and Restoration
  3. IT Systems Security
    • IT System Hardening
    • IT Systems Interoperability Security
    • Malicious Code Protection
    • IT Systems Development Life Cycle Security
  4. Logical Access Control
    • Account Management
    • Password Management
    • Remote Access
  5. Data Protection
    • Data Storage Media Protection
    • Encryption
  6. Facilities Security
  7. Personnel Security
    • Access Determination and Control
    • IT Security Awareness and Training
    • Acceptable Use
  8. Threat Management
    • Threat Detection
    • Incident Handling
    • IT Security Monitoring and Logging
  9. IT Asset Management
    • IT Asset Control
    • Software License Management
    • Configuration Management and Change Control

VCU Information Security Management Program Objectives

  • Identify and secure all sensitive data including personally identifiable data
  • Utilize central LDAP (eID) for authentication
  • Conduct risk assessment surveys of all critical units
  • Implement secure method for remote access
  • Provide checklists for desktop and server operating system hardening
  • Recommend housing servers in the University Computer Center
  • Segment network into security domains
  • Implement secure wireless network
  • Encrypt sensitive data in transit and at rest
  • Provide security training for technical staff and for end-users
  • Implement security appliances for network monitoring, vulnerability scanning and web application scanning to proactively identify issues
  • Enable communication via technical listservs, monthly IT Professional Forums, etc.
  • Develop and maintain a security website as a repository of security information
  • Define and document incident handling procedures
  • Promote best practices for securing desktops, servers and networking gear
  • Define new security standards and procedures as they become necessary
  • Provide security consulting

701 W. Broad St., Box 843059
Richmond, VA 23284
(804) 828-1177