[ skip to content ]

Toggle Mobile Menu

University Policy 3505

More Information about this image

Handbook and paperwork for the newly hired.

Old Dominion University

University Policy

3505 Information Technology Security Policy

Responsible Oversight Executive: Vice President for Administration and Finance
Date of Current Revision or Creation: March 15, 2017
  1. Purpose

    The purpose of this policy is to state the codes of practice with which the University aligns its information technology security program and document the best practices and standards with which the University aligns its security activities.

  2. Authority

    Code of Virginia Section 23.1-1301, as amended, grants authority to the Board of Visitors to make rules and policies concerning the institution. Section 6.01(a)(6) of the Board of Visitors Bylaws grants authority to the President to implement the policies and procedures of the Board relating to University operations.

    Restructured Higher Education Financial and Administrative Operations Act, Code of Virginia Section 23.1-1000 et seq., as amended

  3. Definitions

    Code of Practice for Information Security Management (ISO/IEC 27002:2005) - The international standard that defines guidelines and general principles for the effective management of information security within an organization. It is a risk-based framework widely used to guide establishment of security standards and management practices.

    EDUCAUSE Association - A nonprofit association dedicated to the advancement of higher education through the effective use of information technology. Members include representatives from institutions of higher education, higher education technology companies, and other related organizations.

    Family Educational Rights and Privacy Act (FERPA) - A Federal law enacted to protect access to student records and provide control over the disclosure of information from these records.

    Gramm-Leach-Bliley Act (GLBA) - A Federal law enacted to control how financial institutions deal with the private information of individuals.

    Health Insurance Portability and Accountability Act (HIPAA) - A Federal law enacted to set national standards for the security of electronic-protected health information.

    Information Security - The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

    Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.

    Information Technology Security Program - Provides a high-level view of the University's security controls and elements used to satisfy the laws and regulations relevant to information security. The Information Security Officer has delegated authority for the selection and implementation of security controls and manages the overall security program.

    International Electrotechnical Commission (IEC) - A global organization that develops and publishes standards addressing electrical, electronic, and related technologies. Membership comes from government, the private sector, consumer groups, professional associations, and others.

    International Organization for Standardization (ISO) - The world's largest developer of standards. The organization is made up of representatives from governmental and private sector standard bodies, e.g. the American National Standards Institute.

    Payment Card Industry Customer Information Security Program (PCI) - A comprehensive set of payment application security requirements designed to ensure the confidentiality and integrity of customer information.

    Virginia Alliance for Secure Computing and Networking (VA SCAN) - An organization formed to help strengthen information technology security programs within Virginia. The Alliance was organized and is operated by security practitioners and researchers from several Virginia higher education institutions.

  4. Scope

    This policy applies to all decision makers, developers and planners of campus systems and operations related to the conceptualization, design, acquisition, and maintenance of information technology.

  5. Policy Statement

    The University's information technology security program is based upon best practices recommended in the Code of Practice for Information Security Management published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27002:2005) and is appropriately tailored to the specific circumstances of the University.

    The program also incorporates security requirements of applicable regulations including, but not limited to, the Family Educational Rights and Privacy Act, Payment Card Industry Customer Information Security Program, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking, serve as resources for additional effective security practices.

    The ISO/IEC 27002:2005 Code of Practice and other sources noted above are used to guide development and ongoing enhancement of additional information technology security policies as needed.

  6. Procedures

    The specific standards to be utilized for compliance with this policy are published on the Information Technology Services Computing Policies and Standards website. For security purposes, procedures and guidelines are maintained internally and are available upon request to relevant parties as authorized by the Information Security Officer.

  7. Records Retention

    Applicable records must be retained and then destroyed in accordance with the Commonwealth's Records Retention Schedules.

  8. Responsible Officer

    Chief Information Officer

  9. Related Information

    University Policy 4100 - Student Record Policy

    Information Technology Standard 01.2.0 - IT Security Roles & Responsibilities

    Information Technology Standard 02.1.0 - Internet Privacy Standard

    Information Technology Standard 02.2.0 - Workplace Device Technologies Standard

    Information Technology Standard 02.3.0 - Data Administration and Classification Standard

    Information Technology Standard 02.4.0 - IT Asset Control Standard

    Information Technology Standard 02.5.0 - Encryption Standard

    Information Technology Standard 02.6.0 - Remote Access and Virtual Private Network Standard

    Information Technology Standard 02.11.0 - Password Management

    Information Technology Standard 04.1.0 - MIDAS Identity Management Standard

    Information Technology Standard 04.2.0 - Account Management Standard

    Information Technology Standard 05.1.0 - IT Security Incident Handling Standard

    Information Technology Standard 05.2.0 - Data Breach Notification Standard

    Information Technology Standard 05.4.0 -Virus & Malicious Code Protection Standard

    Information Technology Standard 06.1.0 - IT Facilities Security Standard

    Information Technology Standard 06.3.0 - Project Management Standard

    Information Technology Standard 06.4.0 - IT System Inventory Standard

    Information Technology Standard 06.5.0 - Server Management Standard

    Information Technology Standard 06.6.0 - Security Monitoring and Logging Standard

    Information Technology Standard 06.8.0 - IT Infrastructure, Architecture, and Ongoing Operations Standard

    Information Technology Standard 06.9.0 - Data Center Operations Standard

    Information Technology Standard 06.11.0 - System Change Management Standard

    Information Technology Standard 06.12.0 - Network Management Standard

    Information Technology Standard 06.13.0 - Desktop Management Standard

    Information Technology Standard 07.1.0 - Business Impact Analysis Standard

    Information Technology Standard 07.2.0 - Business Continuity and Disaster Recovery Plan Standard

    Information Technology Standard 08.1.0 - Risk Assessment Standard

    Information Technology Standard 08.2.0 - IT Security Program Review

    Information Technology Standard 09.1.0 - Acceptable Use Standard

    Information Technology Standard 09.3.0 - Audit Standard

Policy History

Policy Formulation Committee (PFC) & Responsible Officer Approval to Proceed:

/s/ Rusty Waterfield
Responsible Officer
March 9, 2017

Policy Review Committee (PRC) Approval to Proceed:

/s/ Donna W. Meeks
Chair, Policy Review Committee (PRC)
December 13, 2017

Executive Policy Review Committee (EPRC) Approval to Proceed:

/s/ David F. Harnage
Responsible Oversight Executive
March 10, 2017

University Counsel Approval to Proceed:

/s/ R. Earl Nance
University Counsel
March 14, 2017

Presidential Approval:

/s/ John R. Broderick
May 15, 2017

Previous Revisions

October 1, 2007; April 9, 2010; April 26, 2011; March 15, 2017

Scheduled Review Date

March 15, 2021