WVU Information Security Program Charter & Interim Policy
Goals, Mission, and Service (January 2006)
West Virginia University (WVU) is a student-centered learning community meeting the changing needs of the people of West Virginia and our nation through learning, research, service and technology.
The WVU Strategic Plan uses the academic mission as a centerpiece for growth in other areas of the University – from enrollment to research dollars – and identifies five goals. Those goals are: to attract and graduate high-quality students; recruit and retain high-quality faculty; enhance the educational environment for student learning; promote discovery and exchange of knowledge and ideas; and improve West Virginia’s health, economy and quality of life.
The Information Security Program Goals
The WVU Information Security Program will support the University Vision and Strategic Plan through the accomplishment of the following goals:
- Establish a mature, enterprise-wide information security infrastructure to facilitate the delivery of information security services, as well as ensure the continued availability, confidentiality and integrity of information resources and services.
- Drive the cultural changes required to construct and sustain a strong, resilient security framework that accommodates advancing technologies, responds to a diverse, mobile customer base and ensures the protection of the information resources supporting educational programs, research and other services.
- Balance the academic tradition of open information exchange and collaboration with the administrative requirements for efficient, proactive and cost-effective measures to ensure regulatory compliance and to protect information resources belonging to WVU and WVU customers.
- Integrate information security into the operation and delivery aspects of WVU academic, research, service and technology products.
The Information Security Program Mission
West Virginia University (WVU), recognizing the vital role that information resources play in the mission critical operations of education, research, service and administration, has established an Information Security Program to foster an environment that will protect and preserve the availability, confidentiality and integrity of these resources. Information resources include numerous forms of data as well as the media, software, hardware, facilities and personnel that support the collection, recording, processing, transmission, storage and presentation of the data. The WVU Information Security Program cultivates this protective environment by following three basic tenets of information security:
- Availability provides the assurance that University information resources are accessible and operational to support designated educational, research, service and administrative operations.
- Integrity helps to ensure the accuracy, validity and completeness of information by protecting resources from unauthorized, either intentional or accidental, modification.
- Confidentiality addresses measures to identify confidential, proprietary and sensitive information resources, determine appropriate uses of the resources, and protect the resources from unauthorized access and/or disclosure.
Organization
All members of the WVU community share in the responsibility for protecting University information resources. Accordingly, the Information Security Program forms partnerships with WVU community members to achieve information security objectives. To ensure a coordinated, enterprise-wide application of information security policies, standards and guidelines, while maintaining a position of independence and objectivity, the Information Security Program Director reports to both the Provost and Vice President for Academic Affairs and Research, and the Director of Internal Audit.
Services
To advance the information security objectives, the Information Security Program will:
- Maintain an information resource risk management program to identify critical information resources, determine and evaluate information security threats and vulnerabilities within the University environment, and recommend effective and economical strategies to manage the risks associated with these threats and vulnerabilities.
- Provide direction for information security policies, standards and guidelines to ensure the consistent and comprehensive implementation of information security controls throughout the University.
- Lead efforts to institute an information security awareness, education and training program to help WVU community members understand the importance of information security, as well as their responsibilities related to the protection of information resources.
- Coordinate and/or lead information resource assessment and monitoring activities to identify vulnerabilities and threats within the University environment and make recommendations to address those threats and vulnerabilities.
- Provide security-related guidance for the development/acquisition, design, implementation, maintenance and retirement of information systems to ensure the incorporation of security controls concurrently with the system development life cycle phases and provide definitive reference points for validation, verification and audit activities.
- Collaborate with WVU Internal Audit to establish an information security compliance program to ensure that departments implement and maintain procedures that are consistent with University policies and standards, and comply with external regulations.
- Participate in investigations of information security incidents and violations, and in evaluations of WVU's response to those incidents, to assist WVU information resource stewards with the evolution of a formal incident response process. In addition, deliver recommendations to enhance the University's state of preparedness and ability to respond effectively to information security incidents and violations.
- Sponsor forums for communication of information security related activities, concerns and regulations that could impact University operations, and make recommendations to implement new and/or revise existing University policies to provide a secure environment for WVU information resources.
- Serve on University committees responsible for the oversight of administrative and academic information management systems and projects impacting those systems.
Interim Policy (2003)
Executive Summary
West Virginia University (WVU) acknowledges that information resources are vital assets requiring protection commensurate with their value. Information assets such as verbal, written and electronic communications, data, applications, systems, networks and data centers must be actively managed to ensure the continued confidentiality, integrity and availability of these resources.
In recognition of the critical role that information resources play at WVU and its regional campuses, this policy offers an initial framework or foundation for constructing a comprehensive information security infrastructure. The development and maintenance of an information security function is a dynamic, evolving, iterative process. Therefore, WVU information security policies, standards, and procedures must be evaluated and updated on an ongoing basis to reflect the current information systems environment, combat the growing number of information security threats and meet prevailing requirements imposed by external agencies.
The WVU Information Security Policy incorporates the Institution's policies, standards and procedures in the area of information security. Activities, actions or behaviors in this area must comply not only with the above-mentioned policy, but also with any other institutional policies and procedures, as well as any federal and state laws and regulations governing the use of information resources, including all records of customer information.
Why Do We Need An Information Security Policy?
First, a strong information security infrastructure, supported by comprehensive policies, standards, and procedures, provides mechanisms that help ensure the continued availability of mission critical services to our customers, which includes, but is not limited to students, faculty members, researchers, employees and state constituents. If information resources were unreliable or unavailable for an extended period, the University could suffer damage to its reputation, as well as incur serious financial and operational losses.
Second, policies and standards provide a clear and definitive way for the University administration to demonstrate and communicate that information security is vital for the protection of information assets. Accordingly, formal policies and standards provide employees with instructions and guidelines to reference as they fulfill their responsibility to safeguard mission critical information resources.
Third, liability for data and privacy losses due to enterprise security breaches is a potential risk for all organizations. If information were disclosed or published in an inappropriate, unauthorized manner, University customers could incur substantial harm or inconvenience. In the event of litigation, the establishment of information security policies and standards can serve as influential evidence that management is concerned about and is promoting sound information security practices throughout the organization. Also, information security policies and standards provide direction for the collection, publication and maintenance of confidential customer information.
Fourth, formal policies and standards will assist in the achievement of a consistent and complete information security infrastructure. The lack of clear and consistent direction for information security could lead to disparate and competing policies and standards, which could potentially weaken security rather than strengthen it.
Finally, the initial efforts to establish an information security policy should provide a “return on investment” by helping the University define an information security infrastructure and prioritize current and future investments in information security efforts. An information security infrastructure provides a relatively inexpensive approach to preventing and minimizing the effects of a major information security breach.
The Information Security Infrastructure
This information security policy framework recognizes seven components, which are essential to an effective information security infrastructure:
- Both technical and functional information resource architecture(s)
- Information security program operating structure or organization
- Information security policies, standards and procedures
- An information services / service provider procurement oversight program
- An information security risk management program
- An information security awareness and education program
- An information security compliance program
One of the most critical and dynamic components of information security is the technical and functional information architecture that details the specific information resources employed throughout the organization. The architecture is critical because it identifies all information resources, records the threats to and vulnerabilities of those resources, and documents the contribution of specific resources to the overall information security function. As WVU moves forward with establishment of a comprehensive information security function, the information resource owners and providers should develop and maintain technical and functional information resource architecture diagrams and narratives.
The information security function requires the necessary resources and organizational structure or infrastructure to maintain the information security plan. These resources include individuals, departments and councils responsible for developing, approving, and implementing information security policies, standards, procedures and programs. New information security roles and responsibilities will need to be defined throughout the organization. Existing roles and responsibilities must be evaluated and restructured or redefined to support the information security infrastructure. At a minimum, this policy recommends an infrastructure supporting the following roles and responsibilities:
- Information Security Officer
- Information Security Liaisons (within departments and regional campuses)
- Information Security Council
- Information Resource Users
- Administration and Management
- Internal Audit
To establish a comprehensive information security infrastructure, WVU needs formal information security directives that include policies, standards and procedures.
Additionally, the infrastructure must provide vehicles or programs to promote information security awareness and education, perform periodic risk assessments, conduct compliance reviews, provide oversight for the procurement of service providers, and present guidelines for managing information security issues. These programs are necessary to implement the directives issued through policy and standard statements.
In this document, policies are considered to be mandatory business rules, management instructions, or guiding principles to direct employees in the decision making process. Although policies vary from organization to organization, they typically include general statements of scope, objectives, and employee responsibilities. Standards provide specific requirements or levels of performance necessary to achieve policy directives. Procedures are the detailed steps, both automated and manual, required to achieve a standard or comply with policy. The Information Security Officer will approve and issue information security policies and standards. WVU entities will develop procedures and recommend policies and standards to achieve university-wide information security objectives.
As stated above, this policy document offers a foundation for building a comprehensive information security infrastructure by providing recommendations for the formation of an information security function; roles and responsibilities within that function; guidelines for the development of information security risk management, education and compliance programs; and some general standards for common WVU information resources.
I. Introduction
West Virginia University (WVU) relies on numerous, diverse information resources to support the mission critical operations of administration, education, research and service. If information resources were unavailable, unreliable or disclosed in an inappropriate manner, the University could suffer damage to its reputation and incur serious financial and operational losses. Accordingly, WVU acknowledges that information resources are vital assets requiring protection commensurate with their value. Information assets such as verbal, written and electronic communications, data, applications, systems, networks and data centers must be actively managed to ensure the continued confidentiality, integrity and availability of these resources.
The obligation to protect information resources is shared by every member of the University community. The WVU Information Security Policy was developed to educate information resource users about the value of information resources and the importance of safeguarding these resources. Additionally, this document provides a broad security policy for WVU, as well as standards offering direction for the development of central and departmental information security procedures and programs to protect University information resources.
All WVU information resource policies, standards and procedures must be reviewed on a periodic basis to determine if they need to be expanded or modified to remain effective in a dynamic environment. Accordingly, the WVU Information Security Policy shall be evaluated and updated on an ongoing basis to reflect the current information systems environment, combat the growing number of information security threats and meet prevailing requirements imposed by external agencies.
II. Information Security Objectives
Information security objectives seek to establish controls and practices to prevent, detect, correct and minimize the risk of loss or damage to information resources, disruption of access to information resources and unauthorized disclosure of information. These objectives are achieved through the implementation of effective policies, standards and procedures, which focus on the three primary components of information security: integrity, confidentiality and availability.
Integrity refers to the accuracy and completeness of information, as well as to the validity in accordance with business rules. The principle of integrity, as it relates to security, is used to determine the level of protection or restriction required to safeguard information resources from unauthorized access and modification. Keys to achieving information integrity include:
- Control procedures providing for the proper authorization of users.
- Segregation of duties with respect to information resource utilization.
- Formal validation, testing and certification procedures for additions and modifications to information systems, applications and processes.
- Authentication of all users accessing data, applications, systems, networks, data centers and other information resources.
Confidentiality addresses the protection of information resources from unauthorized access or disclosure. The University is obligated to protect private, proprietary and other sensitive information resources from those that do not have the right or need to access the resource. To help employees and other University authorized parties manage information resources appropriately, these resources must be classified according to levels of confidentiality. At a minimum this confidentiality classification should include the following levels:
- Confidential or restricted resources require the highest level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the resource. These resources may be protected by federal, state, and other external regulations. Access to confidential or restricted resources is granted to particular individuals based on job responsibilities and is subject to the appropriate approval and authorization processes. Examples include medical data, personal financial data, social security numbers, and other nonpublic personal information.
- Internal use or limited access includes resources that are intended to be used within the University or within a University operational entity. Disclosure of these items to external parties is inappropriate and, if they were used inappropriately, could potentially harm the University. Access to these resources is granted on a need-to-know basis and requires authorization prior to access. Examples of limited or internal use resources include student grades, employment history and electronic folders on shared drives.
- University public or unrestricted refers to resources that are generally accessible by University employees and students for use while conducting University business or mission related activities. Examples include general admittance to computer training labs, logical access to the WVU Internet sites, and the ability to view employee names via an electronic directory.
Availability is the assurance that information resources are accessible by authorized individuals as needed and when needed. From a security perspective, availability addresses the implementation of controls to prevent denial of service situations, recovery of information resources following a disaster, and similar situations that have the potential to interfere with the delivery of information resource services. Information resources should be ranked according to priority of restoration following a significant interruption in service. Resources identified as mission critical or unique typically require more stringent security measures than supplemental or common resources that can be easily replaced. An availability framework and security measures for restoration plans should be further addressed in a business continuity plan. Availability categories include the following levels:
- Critical items will be the first priority for any restoration or recovery efforts. Unavailability of the information resource will stop mission critical operations or result in material financial loss. These items need to be available within 24 to 48 hours of an incident. Critical resources require the highest level of safeguards to prevent disruption of services and to ensure a secure environment for the resumption of services.
- Intermediate items will be the second priority for recovery efforts. Unavailability of these items beyond a reasonable time may cause loss or damage. Intermediate items must be restored within one to four weeks after an incident. Security measures for intermediate resources must be appropriate for assessed levels of security risk.
- Long-term information resources will be considered after the restoration of critical and intermediate items. The University will not suffer significant loss or damage if these items were unavailable for an extended period. Although security over long-term items is generally less stringent than critical or intermediate items, this may not always be the case. Security assessments must be conducted to determine if long-term resources provide access to or information about the critical or intermediate resources.
III. Information Security Policy Scope
This policy applies to University students, faculty, and employees granted use of WVU information resources. It equally applies to individuals and other entities that, by nature of their relationship with WVU, are entrusted with access to University information resources. Examples of such individuals and entities are contractors, consultants, external auditors, vendors and governmental agencies. Typical information resources covered in this policy include written, printed or electronic documentation, all forms of data, applications/software, storage media, personal computers, servers, minicomputers, mainframes, peripherals and data centers that are used for administration, research, education or other purposes supporting the University mission.
The WVU Information Security Policy incorporates the Institution's policies, standards and procedures in the area of information security. Activities, actions or behaviors in this area must comply not only with the above-mentioned policy, but also with any other institutional policies and procedures, as well as any federal and state laws and regulations governing the use of information resources, including all records of customer information. Accordingly, the use of information resources is subject to the usual requirements of legal and ethical behavior within the WVU community. Users of WVU information resources must comply with federal, state and other applicable governmental laws; rules of the Higher Education Policy Commission; the State of West Virginia Information Security Policy; and applicable contracts and licenses. Additionally, information resource users must follow specific WVU Policy statements regarding information resources supported by the President's Office; the Division of Administration, Finance, and Human Resources; Institutional Advancement; Student Affairs; Academic Affairs and Research; HSC Finance and Administration; the Office of Information Technology (OIT); and other WVU entities.
WVU Information resource users should be aware that they are subject to the laws of other states and countries when they engage in electronic communications with persons or utilize information resources located outside the University’s domain. All users are responsible for ascertaining, understanding, and complying with the laws, policies, contracts, and licenses applicable to their particular purpose and use. Under some circumstances (e.g., audits, investigations, or legal requirements) the University may be required to provide information to external parties. The Information Security Officer and the appropriate representatives from the University Administration shall address such situations on an individual basis. The highest level of authority shall dictate the management of information in these circumstances.
Individual units within the University may supplement the Information Security Policy by developing standards, procedures or other "conditions of use" for information resources under their control. These directives shall provide additional detail, specific guidance or particular restrictions on the use of certain information resources. However, supplemental items must be consistent with the overall WVU Information Security Policy and other policies issued by higher levels of authority. To ensure that consistent policies, standards and procedures are employed throughout the University, the Information Security Officer shall approve and coordinate the implementation of supplemental directives.
IV. Information Security Structure
Information security requires the active support and ongoing participation of individuals from various disciplines and management levels. This section of the policy outlines security roles and responsibilities for all members of the WVU community operating within the Information Security structure. These roles and responsibilities involve individuals who are responsible for developing, approving, and implementing information security policies, standards and procedures. Also, included are vehicles for promoting information security awareness and education, conducting periodic compliance assessments, and managing security issues as they arise. Primary roles and responsibilities within the information security structure include the Information Security Officer, Information Security Council, Information Security Liaisons, Information Resource Users, University Administration and Management, and Internal Audit. This structure must be reviewed and revised periodically as WVU experiences changes in the technical and information environments and encounters new information security risks.
Information Security Officer (ISO)
The Information Security Officer has overall, direct responsibility for establishing and administering the West Virginia University Information Security Program. The ISO function should be located at the policy development and enforcement level of the WVU organizational hierarchy. Accordingly, the ISO shall report to a cabinet level authority, serve as a member of the AIMS Executive Committee and coordinate the efforts of the Information Security Council. The ISO’s primary responsibilities are to:
- Maintain an inventory of WVU information resources, including a detailed description of the information security architecture.
- Establish a formal information security risk management program.
- Monitor, investigate, and resolve security incidents and violations.
- Implement controls to prevent, detect, and correct information security incidents and violations.
- Consult with technology service groups and others on information resource security issues and techniques.
- Keep management informed about technical, legal and regulatory changes affecting information privacy, security risks and computer crime.
- Serve as Chairperson for the WVU Information Security Council to coordinate the efforts of the WVU Security Liaisons.
- Establish information security awareness and education programs with the assistance of the WVU Information Security Council.
- Approve and issue University information security policies. Approve, issue and coordinate central and departmental security standards, procedures and programs throughout the University, including the regional campuses.
- Publish and maintain WVU Information Resource Security Policies, Procedures and Standards with the assistance of the Information Security Council.
- Work with the Information Security Council to ensure that security policies, procedures, and standards are reviewed and maintained to reflect changes in the WVU information resources environment.
- Develop an information security review and compliance program that includes scheduled and random information security assessments.
- Establish, publish and maintain a formal WVU Information Security Incident / Violation Response and Reporting Plan which provides detailed response scenarios and delineates responsibilities for implementation of the plan and associated procedures.
- Develop and implement a process to ensure that University information security requirements are addressed in the procurement of external service providers, consultants and other third parties.
Information Security Council (ISC)
The Information Security Council (ISC) coordinates information security efforts across multiple functional and technical areas throughout the University. This council is the primary vehicle for evaluating and responding to information security risks associated with existing, proposed, and new information resources, systems and applications. This council governs the Information Security Risk Management Program and the Information Security Awareness and Education Program. To be effective in a dynamic environment, the ISC should meet at least monthly and more often when circumstances dictate. The primary members of the ISC are the:
- Information Security Officer (Chairperson),
- Information Security Liaisons Representatives,
- Internal Audit Information Systems Auditor.
Legal Counsel, information technology specialists, faculty representatives and administrators shall contribute to the Council as necessary.
The Information Security Council has the following responsibilities:
- Communicate about new or updated information systems or strategies being considered for implementation at the University.
- Evaluate the information security control risks presented by proposed, new, and existing systems or strategies.
- Review information security policies, procedures and standards on an ongoing basis to ensure that these items reflect the current WVU information systems environment.
- Contribute to the effectiveness and efficiency of information security management by coordinating and standardizing information security policies, standards and procedures throughout the University.
- Recommend new or updated information security policies, security education programs and security information compliance programs.
- Assist the Information Security Officer in the development and implementation of information security awareness and education programs, compliance programs, information services and service provider procurement oversight programs, and information risk management programs.
- Review and evaluate responses to information security violations and incidents in order to develop more effective information security policies, standards and procedures.
- Recommend and maintain a formal WVU Information Security Incident / Violation Response and Reporting Plan.
Information Resource Providers
The Information Resource Providers are those entities or parties which are responsible for the (1) management of functional business areas which utilize the information resources; (2) production, collection and maintenance of data; and / or (3) operation, maintenance and support of the technical applications and systems. There are numerous information providers, with widely varying responsibilities, at WVU. Therefore, for illustrative purposes, a general description of a few of these parties is described below.
One type of information provider includes departmental managers, assistant directors, directors or other designated persons who have the responsibility and authority to act on behalf of the administration. Typically, these providers are viewed as the custodians, and possibly owners, of specific information resources. Therefore, these providers are responsible for establishing the overall security strategy for those information resources, including the resource security classifications, definition of data access levels, and authorization for resource access.
Other information resource providers include those entities that actually operate, maintain and support the information resources. Examples include, but are not limited to, application administrators and coordinators, network administrators, data center personnel, application developers, database administrators, and the help desk consultants. To ensure an effective security strategy, all information resource providers must coordinate their operation, maintenance and support activities.
Information Security Liaisons (ISLs)
The Information Security Liaisons (ISLs) shall coordinate and promote responsible information security practices for all information services delivered by WVU and its regional campuses. The ISLs, working under the direction of the Information Security Officer, will contribute to the Information Security Council. Each University organizational entity or business area (e.g. unit, department, division, and college) shall designate a person or persons to serve as Information Security Liaison. The individuals serving as ISLs must be familiar with or responsible for some aspect of information management (e.g., system administration, application coordination, or departmental computer support) within their respective business area. The number of liaisons appointed from each area will depend on entity size, scope of responsibility, involvement with information systems and complexity of operations. ISL representation could include Expert Business Officers, each major WVU application or system, the primary divisions in the Office of Information Technology and other academic or administrative entities as appropriate. The Information Security Liaisons shall have the following responsibilities:
- Ensure that all information users in their respective department or functional area have access to and are trained about current information security policies, procedures and standards.
- Serve as or work directly with the information resource users and providers to ensure that appropriate user access and responsibilities are established and maintained within the scope of the user’s job responsibilities.
- Work with management to develop and implement procedures to notify the information resource custodians when users are terminated or transferred so that the user’s access can be disabled or changed accordingly.
- Assist the ISO in conveying information related to the protection of information resources.
- Assist in the detection of and response to actual, potential and suspected security exposures and violations.
- Assist in compiling and maintaining an inventory of the entity’s information resources. Report to the ISO on information security concerns, issues and incidents.
- Contribute to a framework for classifying the confidentiality, availability and integrity of information resources and identify security requirements for those resources.
Information Resource Users
Information users include any student, faculty member, employee, contractor, vendor, consultant or information resource provider who utilizes WVU information resources to perform their academic or professional responsibilities. They have been granted explicit authorization to access a WVU resource and are responsible for the day-to-day, hands-on security of that resource. Information users will be granted different and various levels of access to information resources depending on their specific functions. Users must be granted “least privilege” or the minimal level of access required to perform their normal duties. Occasionally users will require expanded access to resources. When these situations occur, requests for exceptions must be submitted in writing and shall be evaluated by the appropriate security officials on a request-by-request basis. All users of the information resources are responsible for informing the technical and functional information resource providers of their needs for the protection of information, especially for the confidentiality, availability and integrity of those resources. Information resource users have the following responsibilities:
- Assume responsibility for all usage of their information system logon accounts (users and passwords). Accordingly, users must keep their passwords confidential and must not share their application or system logon accounts with others.
- Use the data, application or system only for purposes related to their academic or professional responsibilities.
- Safeguard the integrity, accuracy and confidentiality of the University’s data as outlined in University policies, as well as federal, state and local regulations.
- Report known or suspected security vulnerabilities to their supervisor, the area’s Information Security Liaison and / or the WVU Information Security Officer.
For users and providers to be held accountable for these responsibilities, they first must be made aware of appropriate information security practices through information security education programs, and published policies, standards and procedures. Additionally, all users and providers shall be required to acknowledge and sign information security and / or confidentiality agreement(s) in order to receive and maintain the privilege of using University information resources.
Administration and Management
Each Dean, Director and Business Area Manager is responsible for the security of information resources under their jurisdiction and for implementing information security standards and procedures for their areas of responsibility. As part of this responsibility Deans, Directors, and Business Area Managers shall:
- Comply with the WVU Information Security Policy and, as necessary, develop supplemental information security strategies for their areas of responsibility.
- Authorize employee access to information resources under their control as needed to perform their job responsibilities.
- Participate in and provide security awareness and training programs for their staff and determine that users working in their business area receive current security training appropriate for their job responsibilities.
- Review, evaluate and revise business area policies, standards and procedures to ensure that information resource safeguards remain effective.
- Implement personnel hiring practices to document user information security duties and responsibilities in position descriptions, perform employee background checks for information sensitive positions and consider information security implications in employment termination and transfer procedures.
- Develop standardized, and where appropriate centralized, procedures to ensure that employees sign or acknowledge current security /confidentiality agreements.
Internal Audit
WVU Internal Audit provides independent, objective assurance and consulting services designed to add value to the University’s operations. The primary responsibility of the WVU Internal Audit Information System Function is to assess security risks, measure compliance with security policies and standards, evaluate the effectiveness of security procedures and provide consulting services for the information security governance processes. A representative from the Internal Information Systems Audit Function shall serve on the Information Security Council. Additionally, the WVU Internal Information Systems Audit Function will contribute to the WVU Information Security Structure by:
- Conducting information resource audits to evaluate compliance with applicable laws, regulations, contracts and University policies.
- Performing risk assessments of information resource applications, systems or components to determine security risks and consequences to the institution.
- Analyzing and reporting on information security controls for University information sites, systems, applications, or components of these items.
- Coordinating or participating in information resource assessments conducted by external consultants or auditors.
- Developing reports to identify and document information resource risks and deviations from prescribed laws, regulations, policies, standards and procedures.
- Defining audit standards for the procurement of information services and service providers.
- Presenting recommendations to strengthen information security controls.
V. Information Security Function
The implementation and ongoing maintenance of a comprehensive, effective Information Security Function will require a commitment of resources to numerous, but critical, information security roles and responsibilities. The Information Security Function will be responsible for establishing and enforcing information security policies, standards and procedures. To fulfill this responsibility the Information Security Function, which includes the ISO, ISC, and ISLs, provides awareness and education programs to promote information security; implements an information risk management program to identify critical security threats and vulnerabilities and reduce security risks to an acceptable level; and develops an ongoing compliance program to ensure that information security policies, standards, procedures, incident response scenarios and controls are functioning as intended.
Authorization and Authentication
Authorization is the positive determination by the owner of an information resource that a specific individual may access that information resource. Authentication refers to processes utilized to confirm the identity of an authorized information resource user.
West Virginia University is the owner of all institutional information resources that are developed by, used by or distributed to employees, students, faculty members or authorized representatives of outside entities. Additionally, WVU can serve as the agent or custodian of information belonging to other parties. Although WVU assumes ownership responsibility, certain administrators and managers are directly responsible for executing this responsibility. All administrative information systems and applications environments shall maintain consistent standards for establishing the accountability, authorization, and authentication of information users. These standards shall be compatible with WVU Information Security Policy.
Access to information resources shall be granted to University employees only in accordance with their specific jobs. Information resource owners, as part of their management responsibility, are required to review all requests for access to information resources and verify that all requests meet a legitimate business need.
Student access is primarily for work associated with their course of study and related activities. A student may access data if the data pertains to that student or, with prior special permission, data related to work responsibilities if that student is also an employee of WVU. Students, faculty, researchers and staff may use their access to University computers to use worldwide networks such as the Internet. As necessary, on a case-by-case basis, access may be granted to third parties, consultants or outside vendors.
As a condition of obtaining and maintaining access to any University computer system, all authorized users are required to sign a statement and / or acknowledge via electronic screens or banners that they have received a copy of and read these policies, understand them and shall comply with them. Authorized users understand that by using any University information resource, they agree to comply with all related University policies and standards and the regulations provided below:
- Only authorized users have access to University information resources.
- Individuals requesting access to University computer systems shall not provide false or misleading information to obtain access to University computing facilities; otherwise, they risk facing appropriate penalties.
- Authorized users are assigned unique logon IDs or operator IDs, and passwords to access University computers and applications.
- Individuals shall not attempt to compromise passwords belonging to others; otherwise, they risk facing appropriate penalties.
- Computer accounts are to only be used by the person to whom they were assigned. Logon-ids / operator-ids / user-ids and passwords are not shared.
- Users shall manage their user ids and passwords according to the password standards established for each particular system or application that they are authorized to use.
- All computer access granted to an authorized user must be removed when they transfer or terminate employment, graduate, withdraw from, or otherwise cease to have a business, commercial or other relationship with the University. Files of transferred or terminated employees, faculty members and students must be reviewed and disposed of by the appropriate manager in a timely and effective manner, and in accordance with any applicable University policies and procedures, and federal and state laws.
Information Security Awareness and Education Program
An effective level of security awareness, including the training of information resource security liaisons, users, providers, and management, is one of the most effective means of reducing vulnerability to error and fraud, and must be continually emphasized and reinforced. Employees who are not informed of risks or of security policies are not likely to take steps to prevent the occurrence of violations.
The Information Security Officer, with assistance from the Information Security Council, shall develop and implement a formal security education program, which will include the following elements:
- Training programs and communication plans to educate users about information security policies, standards and procedures; appropriate use of information resources, practices to safeguard information resources and protocols for responding to security incidents and violations.
- Information user assessment programs to verify that users continue to understand their information security responsibilities.
- Procedures for notifying information resource users (e.g., data owners, users, providers, and management) of their respective responsibilities for information resource protection and recovery, and the consequences of non-compliance with information security responsibilities. The responsibilities and consequences shall be clearly defined.
- Communication plans to inform and update users about the provisions of the WVU Information Security Policy, relevant federal or state statutes and other regulations governing the use of information resources.
- Protocol and procedures for users to acknowledge their responsibility under the WVU Information Security Policy in order to obtain and maintain access to information resources. WVU information users shall acknowledge and agree in writing to comply with WVU information security policies in order to obtain access to information resources.
- Information access and system usage disclaimer messages, banners and screens to be displayed upon logon to information systems. These messages will notify individuals that the resource is for authorized users only and is governed by the WVU Information Security Policy. The messages and banners will also advise users that information resource and information system use may be monitored. By proceeding beyond the banner or welcome screen, an individual acknowledges and accepts the WVU Information Security Policy.
- Standardized procedures for designing, distributing and maintaining WVU information security, privacy or confidentiality agreements, including both paper and electronic agreements.
Information Security Risk Management Program
The Information Security Function shall be committed to working efficiently to ensure the appropriate protection of information resources through an information security risk management program. Accordingly, the Information Security Function shall employ a risk assessment strategy to analyze and compare threats to and vulnerabilities in information resources with respect to their criticality and value to the University. The results of this risk assessment will be used to determine appropriate, cost-effective safeguards and countermeasures. The specific information security mechanisms and implementations will be established for appropriate information resources and will vary based on risk assessment results. All assessment findings and recommendations, as well as the safeguards, procedures and controls implemented, shall be documented and reported to the Information Security Council.
The Information Security Officer and the Information Security Council shall maintain an ongoing risk management program to test and evaluate the effectiveness of preventative, detective and corrective information security controls to ensure their continued effectiveness against evolving risks and threats. A risk assessment process should include the following elements:
- Identification of the information assets that need to be protected. The business purpose, operating environment and the general nature of the information resources should be described.
- A determination of compliance with federal, state, University and other regulatory information resource requirements.
- The organizational consequences that would result from a significant breach of information security.
- An estimate of the probability of such a breach occurring in the light of prevailing threats and controls.
- A determination by management of the extent of risk that will be accepted, mitigated, transferred or managed.
- A formal information security risk control strategy, evaluation and reporting program that considers scheduled and random security evaluations.
Information Security Monitoring, Reporting and Enforcement
Monitoring
It is the responsibility of the information users, information resource providers, management, and the Information Security Council to identify and implement appropriate measures to prevent and detect attempts to compromise information resources. In order to protect the privacy, security and integrity of University information resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the University reserves the right to:
- Limit, restrict, or terminate any computer account or use of other computer and information resources.
- Inspect, copy, remove or otherwise alter any data, file, or computer resource, which may undermine authorized use of information resources.
- Monitor or check the configuration of computer and network resources as necessary to protect University information assets.
- Enforce these provisions without prior notice to the user.
Reporting
Individuals aware of any actual or suspected information security breach or vulnerability must report such situations to the appropriate Dean or Director, Information Security Liaison and Information Security Officer. In some circumstances, the OIT Helpdesk will receive the initial information about a security threat or violation. In these situations, the OIT Helpdesk Consultant will notify the Information Security Officer. The Information Security Officer, in coordination with appropriate University officers, shall examine the situation to determine if policy has been violated and if loss or damage has occurred. Also, the Information Security Officer shall determine the appropriate course of action according to the WVU Information Security Incident / Violation Response and Reporting Procedure. Results shall be reported through the proper administrative channels for any legal or disciplinary action regarding any University policy violations. The University Office of Public Safety, Legal Counsel, Internal Audit, outside law enforcement authorities or others may be involved in the response to an information security violation.
Enforcement
The University views the misuse of computers and information resources as a serious matter, and may restrict access to its facilities even if the user is unable to complete course requirements or work responsibilities as a result. Violation of the WVU Information Security Policy, as well as other applicable WVU, State and Federal regulations may result in:
- Restriction or termination of a user’s access to University information resources, including the summary suspension of all computer access pending further disciplinary or judicial action.
- Initiation of legal action by the University and/or respective federal, state or local law enforcement officials, including but not limited to, criminal prosecution under appropriate federal, state or local laws.
- Providing restitution for any improper use of information resources and services.
- Other disciplinary actions depending on the specific violation.
Information Services and Service Provider Procurement Oversight Program
The Information Security Officer shall implement and maintain an information services procurement oversight program to provide direction in the selection of external or third party service providers. This program will outline an information services evaluation and selection process that shall consider the ability of a service provider to maintain appropriate safeguards over information resources, including confidential customer information. In addition, the Information Security Officer will work with Procurement Services, Legal Counsel and other designated institutional officials to develop and incorporate standard contractual protections applicable to third party service providers. Some basic controls which shall be included in contracts or other formal agreements with third party service providers, consultants or vendors, who will access or use WVU information resources, include, but are not limited to the following:
- Privacy and Confidentiality. Any information obtained through the provision of information services shall be collected, used, disclosed and retained in conformity with WVU privacy and confidentiality requirements. All third party service provider contracts shall contain or reference a confidentiality statement which expresses an explicit acknowledgement of the provider’s responsibility to manage and secure University information resources.
- General Security Controls. The provider shall demonstrate that University information resources, including hardware, software and data are protected against both physical and logical unauthorized access.
- Availability. The vendor agreement shall provide assurances that the system or service will remain available according to WVU operational needs. Also, the vendor shall provide and demonstrate a Business Continuity Plan that will allow WVU to continue or resume service according to the WVU operational needs. Items included under the availability criteria include, but are not limited to, data backup and recovery procedures, plans to repair or replace hardware, software and data processing infrastructure, and evidence that business continuity plans have been documented, communicated and tested.
- Processing Integrity. The vendor shall demonstrate that the vendor has implemented controls to ensure that system processing is complete, accurate, timely and authorized.
- Policies and Procedures. In the contract, the vendor shall address defined, documented and communicated formal policies relevant to security, availability, processing integrity and privacy and confidentiality. The vendor will show that personnel utilize procedures to achieve organizational objectives according to policy.
- Monitoring. Specific definitions of the sources, types and levels of monitoring shall be included in the formal agreements. As appropriate, WVU shall require that the service providers obtain independent audits or evaluations of the security controls provided for WVU information resources. The vendors should regularly provide the results of such evaluations to the Information Security Officer and other designated WVU representatives.
- Compliance with WVU Contract. All agreements with external, third party service providers shall provide mechanisms to determine that the vendor is operating according to the contract requirements. As appropriate, an independent appraisal will evaluate specific information security or processing requirements to determine that the vendor has implemented and continues to maintain those controls while providing services to WVU.
Policy Management
Requests for waivers, deviations or exceptions to this policy must be thoroughly documented and presented to the Information Security Officer and / or the AIMS Executive Committee. Under normal operating conditions, the AIMS Executive Committee and University Information Security Officer must approve information security policy exceptions and exemptions. In the event of an emergency situation, the Information Security Officer shall determine the appropriate action or response to the exception situation. Questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Information Security Officer.
Management and oversight for this policy shall be vested with the Information Security Officer and the AIMS Systems Executive Committee. The Information Security Officer, working with the Information Security Council, reserves the right to change this policy as necessary to