Policies

The following OIT security policies establish a baseline for information security and risk management activities for the University and are based on the COV ITRM SEC501 and SEC514 Standards, which defines the minimum acceptable level of information security and risk management activities that the University must implement.

It is the User's responsibility to ensure they familiarize themselves with these policies. Questions should be directed to the University Information Security Officer.

Office of Information Technology & SUPPORTING Policies

32-01 - Acceptable Use of Technological Resources
32-02 - Data Classification Policy

The following policies are currenlty under review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501).

32-8-2 Information Security Roles and Responsibilities
32-8-3 Business Impact Analysis
32-8-7 Security Audits

RECORDS MANAGMENT SCHEDULES

33-04 - University Records Management

Schedules can be found at http://www.lva.virginia.gov/agencies/records/sched_state/index.htm.

Common records can be found under the following General Schedules:
GS-101: General Administration, Contracts and Purchasing
GS-102: Finance & Accounting
GS-103: Human Resources/Personnel
GS-106: Building & Maintenance
GS-111: Academic Departments, Athletics, Housing, Research, Student Affairs, Student Financial, Student Registration, University Development
GS-113: Information Technology
GS-120: Health

32.8 Security Control Catalog

32.8.100 Access Control

Replaced by BOV #38-02 (2020) - Logical Access Control Policy
Replaced by BOV #38-08 (2022) Remote Wireless and Mobile Access Policy

32.8.200 Awareness And Training

Replaced by BOV #38-04 (2021) - Security Awareness and Training Policy

32.8.300 Audit And Accountability

Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.3: Audit and Accountability.

32.8.400 Security Assessment And Authorization

32.8.500 Configuration Management

Replaced by BOV #38-06 (2021) - Change Management Policy

32.8.600 Contingency Planning

32.8.1100 Physical And Environmental Protection

32.8.1200 Planning

Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.12: Planning.

32.8.1300 Personnel Security

32.8.1400 Risk Assessment

Replaced by BOV #38-07 (2022) – Risk Assessment

32.8.1500 System And Services Acquisition

Replaced by BOV #38-03 (2021) - System and Services Acquisition Policy