The following OIT security policies establish a baseline for information security and risk management activities for the University and are based on the COV ITRM SEC501 and SEC514 Standards, which defines the minimum acceptable level of information security and risk management activities that the University must implement.
It is the User's responsibility to ensure they familiarize themselves with these policies. Questions should be directed to the University Information Security Officer.
Office of Information Technology & SUPPORTING Policies
32-01 - Acceptable Use of Technological Resources
32-02 - Data Classification Policy
The following policies are currenlty under review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501).
- 32-8-2 Information Security Roles and Responsibilities
- 32-8-3 Business Impact Analysis
- 32-8-7 Security Audits
RECORDS MANAGMENT SCHEDULES
33-04 - University Records Management
Schedules can be found at http://www.lva.virginia.gov/agencies/records/sched_state/index.htm.
Common records can be found under the following General Schedules:
GS-101: General Administration, Contracts and Purchasing
GS-102: Finance & Accounting
GS-103: Human Resources/Personnel
GS-106: Building & Maintenance
GS-111: Academic Departments, Athletics, Housing, Research, Student Affairs, Student Financial, Student Registration, University Development
GS-113: Information Technology
GS-120: Health
32.8 Security Control Catalog
32.8.100 Access Control
Replaced by BOV #38-02 (2020) - Logical Access Control Policy
Replaced by BOV #38-08 (2022) Remote Wireless and Mobile Access Policy
32.8.200 Awareness And Training
Replaced by BOV #38-04 (2021) - Security Awareness and Training Policy
32.8.300 Audit And Accountability
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.3: Audit and Accountability.
32.8.400 Security Assessment And Authorization
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.4: Security Assessment And Authorization.
32.8.500 Configuration Management
Replaced by BOV #38-06 (2021) - Change Management Policy
32.8.600 Contingency Planning
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.6: Contingency Planning.
32.8.700 Identification And Authentication
Replaced by BOV #38-05 (2021) - Identification and Authentication Policy
32.8.800 Incident Response
Replaced by BOV #38-09 (2022) – Incident Response
32.8.900 Maintenance
Replaced by BOV #38 (2020) - System Maintenance Policy
32.8.1000 Media Protection
Replaced by #38-01 (2020) - Media Protection Policy
32.8.1100 Physical And Environmental Protection
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.11: Physical And Environmental Protection.
32.8.1200 Planning
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.12: Planning.
32.8.1300 Personnel Security
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.13: Personnel Security.
32.8.1400 Risk Assessment
Replaced by BOV #38-07 (2022) – Risk Assessment
32.8.1500 System And Services Acquisition
Replaced by BOV #38-03 (2021) - System and Services Acquisition Policy
32.8.1600 System And Communications Protection
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.16: System And Communications Protection.
32.8.1700 System And Information Integrity
Currenlty undergoing review and/or replacement. In the interim, please refer to the Virginia Infomration Technology Agency's Information Security Standard (SEC501) Control Family 8.17: System And Information Integrity.