Information technology enables more accurate, reliable, and faster information processing with information more readily available to administration, faculty, staff, and students. However, information technology has also brought new administrative concerns, challenges, and responsibilities. Information assets must be protected from natural, technological and human hazards. Policies and practices must be established to ensure that hazards are reduced or their effects minimized.
The focus of information security is ensuring reasonable and proportionate protection of information and continuation of program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining information systems.
This policy sets forth the elements of VCU’s Information Security Program, including its associated information classification and protection requirements, and the procedure for reporting, investigating and resolving suspected violations. This policy is part of VCU’s Information Technology Policy Framework referenced in the Related Documents section. The information technology standards and baselines associated with this policy that are included in the Information Technology Policy Framework must be followed in conjunction with this policy. Information technology guidelines are also included in the framework as recommendations and best practices.
Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.
All employees, contractors, students and affiliates who generate, process, transmit, store or access VCU information are responsible for knowing this policy and familiarizing themselves with its contents and provisions.
An information technology baseline is a set of technical requirements that define the minimum required standard practices. Information technology baselines are used in conjunction with information technology standards and policies.
An information technology guideline is a recommended practice that allows some discretion or leeway in its interpretation, implementation, or use.
An information technology standard is a formal document for an established norm of methods, criteria, and processes for technology subjects.
Within the context of this document, an organizational unit is a school, a department, or division that reports directly to a vice president. Examples of organizational units include School of Engineering, College of Humanities and Sciences, School of Medicine, Office of Technology Services, Enrollment Services, and Facilities Management.
Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment card data security. Compliance with the PCI-DSS helps to alleviate vulnerabilities that put cardholder data at risk.
Within the context of this document a server refers to a computer system or a collection of computer systems designed to provide services that process, store, or transmit data and information for one or multiple clients; where the client may be another computer system or programs that are used by individual users. A server may be hosted by VCU inside of its networks, or hosted by a third party on the Internet or other external networks. Examples include file, print, Web, application and database servers.
A unit head is the administrative employee responsible for the operations of an organizational unit. A unit head can be a dean of a school or the director of a department or division.
Information in paper, electronic or oral form that is collected, generated, transmitted, processed or stored by a VCU employee, consultant, contractor or other affiliate in the course of their work and is used to support the academic, research, patient care or administrative operations in VCU.
VCU Office of Technology Services officially interprets this policy. VCU Office of Technology Services is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures
The VCU Information Security Program addresses information security from three distinct perspectives:
In order to successfully implement a risk-based Information Security Program, VCU must classify its information based on sensitivity and risk. VCU must then apply reasonable and proportionate security protection to safeguard the confidentiality, integrity and availability of this information.
Anyone who suspects a violation of this policy is expected to report the suspected violation to the office or department where the suspected violation occurs; to the VCU [Compliance] Helpline; or to the Chief Information Officer in accordance with the VCU Policy: Duty to Report and Protection from Retaliation and the Computer and Network Resources Use policies.
All violations of this Information Security policy are subject to the same investigation and resolution procedures documented in the Computer and Network Resources Use policy.
All requests for exception(s) to this policy are evaluated by the Information Security Office on a case-by -case basis. Exception requests should be made using the Information Security Exception Request Form. The completed exception request form is automatically emailed the unit head listed in the request. After the unit head approves the request, the Information Security Office will provide the secondary review and approval as appropriate. Evaluation criteria for exception include the requirement to which an exception is requested, the sensitivity of the information affected, compensating controls in place to mitigate additional risks, and business processes affected by the exception. The Information Security Office will send the exception request review decision and any additional correspondence to the requestor’s and the unit head’s email addresses.
The VCU Information Technology Policy Framework contains VCU Information Technology policies, standards and baseline requirements, all of which must be followed in conjunction with this policy. The framework also includes information technology guidelines as recommendations and best practices. The standards, policies and other documents specifically discussed in this policy are listed below.
This policy supersedes the following archived policies:
Information Security Policy
Information Security Policy
Information Security (minor revision to note that VCU’s Information Technology Policy Framework encompasses this policy)
Minor change in verbiage to specify that VCU utilizes a risk-based information security program.
The VCU Information Security Policy and associated information technology standards apply to VCU information. Therefore, any personnel who handle VCU information must read, understand and abide by the information security policies and standards.
Yes. VCU provides an interactive VCU Data Classification Tool that can be used by individuals to understand the sensitivity of specific datasets. Additionally, VCU Data Management System is designed to provide VCU personnel with guidance on the handling, transmission and storage of information, including specific requirements related to the handling of various types of information, IT resources and services offered by the university that can assist in handling of such information, and specific precautions one should take in handling various types of information. Links to both tools are provided in the “Related Documents” section above, and they can both be found within the VCU Information Security Office website.
For possible security incidents such as an email scam, possible hacking, or a lost / stolen device containing sensitive data, you may report the incident directly through the links on the home page of the VCU Information Security Office website. For potential policy violation, aside from the aforementioned reporting links on the VCU Information Security Office homepage, you may report to the VCU Helpline.