Information Security Services Charter
Approved by the IT Oversight Committee, Feb. 2013
The mission of Information Security Services, within Information Technology Services (ITS), is to ensure the confidentiality, integrity, and availability of the University’s information technology resources and data by safeguarding them from compromise, misuse, loss or damage caused intentionally or unintentionally. This assurance will allow the University to continue its mission critical operations of education, research, service, and administration.
This charter applies to all students, staff, faculty members, officers, and employees of West Virginia University including regional campuses, Extended Learning sites, WVU Research Corporation, guests, tenants, visitors, and individuals authorized by affiliated institutions and organizations, contractors, consultants, vendors and all others granted use of and/or access to WVU technology resources and data.
Information Security Services will fulfill its mission by accomplishing the following goals:
- Establish a comprehensive information security program based on the “Information Security Guide: Effective Practices and Solutions for Higher Education” published by EDUCAUSE to coordinate and facilitate the delivery of information security best practices and services throughout the University, its regional campuses, and affiliates. The program also incorporates security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.
- Promote the cultural changes necessary to integrate information security standards and best practices into the University’s mission critical operations of education, research, service and administration.
- Collaborate with information technology resource owners and providers to construct and sustain a secure and scalable environment that:
  - Accommodates emerging technologies,
  - Responds to a diverse and dynamic customer base,
  - Maintains regulatory compliance, and
  - Minimizes the University’s information security risk exposure.
- Collaborate with the Deans, Department Heads, and other administrative officers on security and compliance issues. The collaboration does not abdicate the unit head’s responsibility for compliance with information security policies, standards, and procedures within their respective areas of responsibility.
The Information Security Officer, through the Information Security Services Office, has responsibility for:
- Implementation of effective and practical technology groups and processes to secure the network and computing infrastructure of the University. This includes, but is not limited to, conducting security assessments of vendor-supplied and in-house developed applications prior to purchase, prior to being put into production, and after maintenance has been performed.
- Development and implementation of a security awareness program to be offered periodically to all University faculty, staff and students.
- Development of a risk assessment procedure to be used for ongoing monitoring of all University systems.
- Development of global, effective and practical University policies, procedures, guidelines and best practices related to information assurance and security.
- Implement a process to expeditiously and effectively address information security incidents in coordination with the unit leads and appropriate WVU officials.
- Have authority to disconnect any device or disable any account if it is believed that either is involved in compromising the information security of the University or the integrity of the technology infrastructure, until such time as it is demonstrated that the device or account no longer poses a threat. Devices will not be disconnected without consultation with agreed-upon departmental or unit officials, unless a critical situation exists (i.e., release of sensitive data, serious vulnerability, denial of service, worm or virus attack) and organization officials cannot be contacted quickly.
- Have authority to stop application development or deployment efforts if it is found during a Risk Assessment that the impact of a particular threat will compromise the information security of the University until a remedy is implemented to reduce or eliminate the impact of that threat.
In all instances, administration and approvals shall be in accordance with existing laws, policies and regulation of the University as set forth in the West Virginia statutes, the University Code, the Business Procedures Manual and the Bylaws and actions of The West Virginia University Board of Governors. Deviation from these policies will require advance written approval by the President of the University.
Security Policy and Compliance Governance
The Information Security Office is charged to create and maintain a Security Policy and Compliance Governance oversight committee. This multi-disciplinary group will:
- Review and endorse information security policy objectives, strategies, policies, standards and procedures proposed by the ISO
- Promote and provide business support for information security initiatives throughout the university
- Provide guidance and support in matters of compliance and enforcement when violations of security policies, standards, and procedures are discovered and investigated.
Security Policy and Compliance Governance is led by executive management and includes representatives from the following University functional areas:
- Internal Audit
- Human Resources
- University Communications
- University Police Department
- CIO/Associate Provost Office
- IT departments
- IT governance / steering / leadership committee