Charged with securing information technology and University data, the Office of Information Technology (OIT) Security Team has developed a set of policies and standards for all NSU personnel, contractors and others who access NSU resources to use to secure these resources and data. These policies and standards are based on Virginia Information Technology Agency’s (VITA) Security Standard SEC530. Based on the NIST 800-53 framework and developed for executive branch agencies, the standard incorporates 18 of the NIST 800-53 control families.
A group of subject matter experts from OIT was convened to tailor the standards to the unique needs of higher education, support security for DoD research endeavors and comply with regulatory requirements such as NIST800-171, GLBA, and FERPA. This group, the OIT Standards Development Group, met regularly over the course of several months combing through the SEC530 and incorporating those controls that satisfy these regulations and best practices for sensitive systems.
Together, these policies and standards comprise the Information Security Program for Norfolk State University and a baseline of minimum requirements for sensitive systems.
It is the User's responsibility to ensure they familiarize themselves with these policies. Questions should be directed to the University's Chief Information Security Officer.
Information Technology Policies
#38-10 (2024) – Information Security Policy directs the University's CISO to develop the security program and the security standards based on the control families from SEC530.
#32-01 - Acceptable Use of Technological Resources governs what is acceptable and not acceptable use of technology, including Artificial Intelligence (AI).
#32-02 - Data Classification Policy that defines classifications for data and the systems the data resides on. This policy’s classifications then dictate the level of security needed. More specifically, it defines the systems and data classified as sensitive, thus requiring the application and adherence of the controls within the standards.
INFORMATION Security STANDARDS
38-10.0 Roles and Responsibilities (NSU-RR)
38-10.1 Access Control (NSU-AC)
38-10.2 Awareness And Training (NSU-AT)
38-10.3 Audit And Accountability (NSU-AU)
38-10.4 Assessment, Authorization & Monitoring (NSU-CA)
38-10.5 Configuration Management (NSU-CM)
38-10.6 Contingency Planning (NSU-CP)
38-10.7 Identification And Authentication (NSU-IA)
38-10.8 Incident Response (NSU-IR)
38-10.9 Maintenance (NSU-MA)
38-10.10 Media Protection (NSU-MP)
38-10.11 Physical & Environmental Protection (NSU-PE)
38-10.12 Planning (NSU-PL)
38-10.13 Program Management (NSU-PM)
38-10.14 Personnel Security (NSU-PS)
38-10.15 Risk Assessment (NSU-RA)
38-10.16 System And Services Acquisition (NSU-SA)
38-10.17 System & Communications Protection (NSU-SC)
38-10.18 System And Information Integrity (NSU-SI)
Records Managment Policy & Schedules
33-04 - University Records Management
Common records can be found under the following General Schedules:
GS-101: General Administration, Contracts and Purchasing
GS-102: Finance & Accounting
GS-103: Human Resources/Personnel
GS-106: Building & Maintenance
GS-111: Academic Departments, Athletics, Housing, Research, Student Affairs, Student Financial, Student Registration, University Development
GS-113: Information Technology
GS-120: Health
These schedules can be found at http://www.lva.virginia.gov/agencies/records/sched_state/index.htm.