Information Security Policy

Policy Number: 1.11.2.1
Category: Information Technology
Effective: August 5, 2020
Revision History: None
Review Date: August 4, 2023

1. PURPOSE AND SCOPE

   1. The purpose of this Policy is to establish the framework for the safeguarding of the hardware, software, and information systems utilized at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure the Confidentiality and Integrity of University Data.
   2. This Policy applies to all University Technology Resources, whether connected to the Campus Network or not, and all Authorized Individuals whose responsibilities include inputting, safeguarding, retrieving, or using University Data.

2. INFORMATION SECURITY AT THE UNIVERSITY

   1. The University manages information security based on the National Institute of Standards and Technology’s Cybersecurity Framework, which focuses on the following core functions:
      1. Identification of cybersecurity risks to University Technology Resources, their capabilities, the data stored within those resources, the people who use them, and the vendors who provide them;
      2. Implementation of appropriate safeguards to protect and ensure continuity of Mission Critical Services;
      3. Detection of the occurrence of Security Incidents;
      4. Implementation of appropriate activities to take action regarding a Security Incident or Disruption; and,
      5. Planning for the efficient restoration of capabilities and functions impaired due to a Disruption.
   2. Through carrying out the objectives outlined in this Policy, the University seeks to encourage enterprise and innovation while also ensuring that technology risk management is a transparent, integral part of its planning, decision-making, and operations.

3. IDENTIFICATION OF CYBERSECURITY RISKS

   1. Technology policies and standards (“Technology Governance”) developed by Information Technology Services (“ITS”) establish the security posture of the University and apply to all University Technology Resources, regardless of where the information or resource resides, or who manages it.
      1. Individual colleges, departments, programs, and/or third-party vendors must meet the minimum security requirements established by Technology Governance but may also choose to implement more rigorous security requirements.
      2. In cases of non-compliance with established Technology Governance, and University Technology Resources and/or Data are threatened, ITS will act to secure the resource and may limit or disconnect access to Campus Network.
      3. Exceptions to established Technology Governance may be granted when there is a valid justification for not being able to comply; however, because they inherently weaken the security of University Technology Resources and Data, exceptions will not be granted for convenience or when appropriate alternative security controls can not be found to mitigate the risks posed.
         
   2. To ensure continuity of services, a formal Business Impact Analysis (“BIA”) must be completed by each University business unit to identify the Mission Critical, Business Critical, and/or Core Services performed by it, the information system(s) that support those services, and the Maximum Tolerable Downtime (“MTD”) for those systems.
   3. All University Technology Resources in use must be inventoried to, at minimum:
      1. Identify who owns it;
      2. Establish its Criticality to the University; and,
      3. Ensure it is secured appropriately for the data that is processed, stored, and transmitted by it.
   4. Purchases of new University Technology Resources must adhere to the requirements established within the Technology Acquisition Standard to ensure the resource is compatible with the University’s existing technologies and will not impose an unnecessary risk to the University.
   5. Third-parties seeking to contract with the University to perform Technology Services must complete a vendor risk assessment, provide assurances of compliance with applicable laws and regulations, and agree to adhere to established Technology Governance prior to entering into an agreement with the University.
   6. The University conducts risk assessments on the following:
      1. University Technology Resources, including specific assets or information systems;
      2. Vendors of Technology Services;
      3. Individual colleges, departments, or business units; and,
      4. Requests for exceptions to Technology Governance.
   7. Additional technology risks to the University may be identified through other activities including technology project planning, privacy impact assessments, on-site visits, whistle blowers, or self-disclosures.
   8. All identified technology risks will be classified based on the the likelihood that harm will occur as a result of the threat occurring and the harm that that may occur to the University or individuals given the potential for the threat to exploit vulnerabilities.
   9. Technology risks must be remediated, mitigated through implementation of compensating security controls, or accepted.
      1. Accepted risks will be tracked and re-assessed annually, at a minimum, to ensure the continual risk is still in line with the University’s level of risk tolerance.
      2. Aggregated data of known risks to the University will be compiled on an annual basis and provided to Senior Management to aid in determining the University’s ongoing technology risk appetite.

4. PROTECTING UNIVERSITY TECHNOLOGY RESOURCES

   1. The University protects the Confidentiality and Integrity of University Data by:
      1. Requiring Authentication to access University Technology Resources;
      2. Permitting Unauthenticated Access to University Technology Resources only in exceptional circumstances or when the resource is intended to be publicly accessible without restrictions;
      3. Establishing effective on-boarding and off-boarding processes that include provisioning and de-provisioning employee access to University Technology Resources;
      4. Basing access to University Technology Resources on principle of Least Privilege;
      5. Securing the Campus Network, including automatically blocking threats through its outside firewall;
      6. Establishing Baseline Configurations that devices connecting to the Campus Network must meet;
      7. Identifying Sensitive Data stored in unsecured endpoints and remediating or securely deleting the files;
      8. Physically securing facilities that house University Data, including physical segregation within facilities when necessary;
      9. Providing secure remote access to University Information Systems; and,
      10. Enforcing compliance with established Technology Governance.
   2. The University ensures workforce personnel secure University Data appropriately by providing awareness on cybersecurity risk management, data protections, and duty-specific training.
   3. To minimize the risk and impact of changes on University business operations, all identified Mission Critical Services, Core Services, and/or University Technology Resources storing Sensitive Data must:
      1. Establish structured, consistent change control processes;
      2. Separate development and testing environments from production; and,
      3. Implement High Availability, when possible.
   4. All University-owned devices whose use will be discontinued at the University must be sanitized to ensure:
      1. Removal of Unauthorized Access or disclosure of Sensitive Data; and,
      2. Removal of University-licensed software.

5. THREAT DETECTION AND PREVENTION AT THE UNIVERSITY

   1. To identify potential internal and external threats to University Technology Resources and Data, the University conducts scans, classifies, and remediates vulnerabilities.
   2. When potential or confirmed attacks or compromises are detected, the University will reduce or eliminate the threat through activities such as blocking or restricting access to the Campus Network, disabling University Account access, or removing the malicious content from the University Technology Resource.
   3. The University regularly conducts audits of University Data Center door access logs and monitors entry doors through video surveillance or still photography to ensure only Authorized Individuals physically access University Data Centers.
   4. The University will identify, detect, prevent, and respond to the warning signs of Identity Theft (“Red Flags”) associated with University Covered Accounts.

6. SECURITY INCIDENT RESPONSE AND RECOVERY

   1. All known or suspected Security Incidents must be reported to ITS immediately.
   2. Investigation of Security Incidents will be conducted pursuant to the Computer Security Incident Response Policy.
   3. To ensure continuity of essential system functions in the event of a Security Incident or Disruption, all Mission Critical Services and Core Services must develop a Business Continuity Plan that includes the following:
      1. Results of the BIA;
      2. Strategies for backup and recovery of data to restore system operations quickly and effectively; and,
      3. A formal Information System Contingency Plan ("ISCP") that identifies how to train personnel, activate plan, lead system recovery, and reconstitute the system after a Disruption.

7. INFORMATION SECURITY SERVICES RESPONSIBILITIES

   1. The Chief Information Security Officer, through Information Security Services (“ISS”), is responsible for ensuring the Confidentiality, Integrity, and Availability of University Technology Resources and Data. ISS accomplishes this mission through carrying out the following activities:
      1. Developing and implementing the Technology Governance to establish the security posture of the University;
      2. Establishing a formal process for review, approval, and repeal of University Technology Governance;
      3. Establishing a formal process for the review, approval, and documentation of any requests for non-compliance with established Technology Governance;
      4. Establishing mechanisms for tracking and enforcing compliance with applicable international, federal, and state laws and University policies to protect University Data;
      5. Designating the appropriate level of administrative, technical, and physical security requirements for securing University Technology Resources;
      6. Detecting vulnerabilities and threats to University Information Systems and the Campus Network, documenting the level of security necessary to address identified risks, and providing recommendations for the appropriate treatment of identified vulnerabilities;
      7. Identifying and managing technology risks to the University, which includes: developing processes to conduct risk assessments; ensuring identified risks are remediated; communicating with Senior Management regarding acceptance of technology risks; and monitoring accepted technology risks over time;
      8. Providing training and awareness to educate the University community about cybersecurity risk management and data protection regulations;
      9. Coordinating and overseeing risk management of and security planning activities for University Technology Resources; and,
      10. Coordinating the University’s response to Security Incidents pursuant to the Computer Security Incident Response Policy.

8. RESPONSIBILITIES OF DATA USERS AND DATA STEWARDS

   1. Individuals who have access to University Data to perform their assigned duties or to fulfill their role within the University community (“Data Users”) are responsible for:
      1. Complying with applicable international, federal, and state laws and University policies to protect University Data;
      2. Using only University-owned, secure information systems to store and access Sensitive Data;
      3. Storing University Data in a designated secure location;
      4. Reporting suspected or known Security Incidents, including lost or stolen devices; and,
      5. Appropriately managing all University Data within their possession.
   2. Senior Management who have planning and policy-level responsibilities for University Data in their functional areas (“Data Stewards”) must meet all of the responsibilities of Data Users, as well as:
      1. Ensuring appropriate security controls are in place to protect the data they oversee;
      2. Authorizing and de-authorizing access to data under their stewardship, based on the principle of Least Privilege;
      3. Ensuring individuals granted access to data are appropriate trained to comply with the applicable international, federal, and state laws and University policies to protect the data;
      4. Establishing the University’s technology risk tolerance by:
         1. Remediating and/or mitigating any risks or gaps identified as a result of risk assessments or compliance checks within the areas they oversee;
         2. Elimination and/or mitigation of security vulnerabilities from the University Technology Resources they oversee; and,
         3. Accepting any technology risks associated with their areas of responsibility.

9. DEFINITIONS

   1. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Technology Resource.
   2. “Authorized Individuals” means faculty, staff, students, and third-parties who have assigned WVU Login credentials which provide access to University Information Systems and data.
   3. “Availability” means ensuring timely and reliable access to and use of information.
   4. “Baseline Configuration” means a documented set of specifications for hardware, software, or applications that reflect the most restrictive mode consistent with operational requirements and serve as a basis for future builds, releases, and/or changes to the University Technology Resource.
   5. “Business Impact Analysis” means an assessment to identify the Mission Critical Services performed by all business units within the University. The BIA should identify vulnerabilities and threats that may impact the business unit’s ability to fulfill these services and preventative controls to mitigate or eliminate threats; the University Technology Resources used to perform these Mission Critical Services; and recovery time objectives and priorities for the Mission Critical Services.
   6. “Confidentiality” means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
   7. “Criticality” means the relative importance of the service and the consequences of incorrect behavior of the systems(s) that support it.
      1. Mission Critical Service means that system is required to conduct essential mission-oriented operations of the University. Unplanned interruptions have immediate and widespread impact.
      2. Core Service means the system must be available to conduct the most basic business activities. Interruptions have an immediate, University-wide impact.
      3. Business Critical Service means the system is required to conduct normal University operations. Interruptions in service impact important operations but is not University-wide.
   8. “Disruption” means an unplanned event that causes the University Technology Resource to be inoperable for an unacceptable length of time.
   9. “High Availability” means a failover feature to ensure Availability during a Disruption.
   10. “Integrity” means guiding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
   11. “Information System Contingency Plan” means the procedures designated to maintain or restore business operations in the event of a Disruption.
   12. “Least Privilege” means granting the minimum system resources and authorizations needed to perform its function or restricting access privileges of authorized personnel to the minimum functions necessary to perform their job.
   13. “Maximum Tolerable Downtime (MTD)” means the total amount of time the business unit is willing to accept for an outage or disruption.
   14. “Security Incident” means a suspected, attempted, successful, or imminent threat to the confidentiality, integrity, and/or availability of University Data; interference or Unauthorized Access to a University Technology Resource; or, a violation, or imminent threat of violation of University information technology rules, policies, standards, and/or procedures.
   15. “Senior Management” means vice presidents, assistant vice presidents, associate vice presidents, deans, or directors responsible for reviewing and accepting institutional risks to the University.
   16. “Technology Services” means services, consulting, and maintenance contracts including professional information technology services purchased from a third-party vendor outside of the University. Services include but are not limited to: electronic records and content management services, IT infrastructure, managed security, network services, quality assurance and testing, system integration, technical support, and website service.
   17. “University Technology Resources” means the Campus Network, University-owned hardware, software, and communications equipment, technology facilities, and other relevant hardware and software items, as well as personnel tasked with the planning, implementation, and support of technology. University Technology Resources can be broken into the following categories:
       1. Campus Network means the wired and wireless components and University Technology Resources connected to the network managed by the University. Excludes residence halls, University public/private partnerships, and other relationships the University may establish with institutions, including the City of Morgantown and WVU Medicine, through which the University provides IP addresses but does not manage the network.
       2. Device means a server, computer, laptop, tablet, or mobile device used to enter or access University Data from a University Information System.
       3. University Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.

10. ENFORCEMENT AND INTERPRETATION

    1. Any employee who violates this Policy will be subject to appropriate disciplinary action.
    2. Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
    3. Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
    4. The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
    5. Responsibility for interpretation of this Policy rests with the Chief Information Officer.

11. AUTHORITY AND REFERENCES

    1. BOG Governance Rule 1.11 – Information Technology Resources and Governance
    2. All other University policies are also applicable to the electronic environment. Relevant institutional documents include, but are not limited to:
       1. Acceptable Use of Data and Technology Resources Policy
       2. Data Center Policy
       3. Identity and Access Management Policy
       4. Computer Security Incident Response Policy
       5. Sensitive Data Policy
       6. Data Center Security Standard
       7. Bring Your Own Device Standard
       8. University-Owned Device Standard
       9. University Property Disposition Policy
       10. Information Security Services Charter
       11. Business Continuity Plan Template