
Policies

The following OIT security policies establish a baseline for information security and risk management activities for the University. They are based on the COV ITRM SEC501 and SEC514 Standards, which define the minimum acceptable level of information security and risk management activities that the University must implement.

It is the User's responsibility to ensure they familiarize themselves with these policies. Questions should be directed to the University Information Security Officer.

Office of Information Technology & Supporting Policies

32-01 - Acceptable Use of Technological Resources
32-8-2 Information Security Roles and Responsibilities
32-8-3 Business Impact Analysis
32-8-4 System and Data Sensitivity Classification
32-8-5 Sensitive IT System Inventory and Definition
32-8-6 Risk Assessment
32-8-7 Security Audits
33-04 - University Records Management

RECORDS MANAGEMENT SCHEDULES

As identified in the 33-04 - University Records Management Policy, schedules can be found at http://www.lva.virginia.gov/agencies/records/sched_state/index.htm.

Common records can be found under the following General Schedules:
GS-101: General Administration, Contracts and Purchasing
GS-102: Finance & Accounting
GS-103: Human Resources/Personnel
GS-106: Building & Maintenance
GS-111: Academic Departments, Athletics, Housing, Research, Student Affairs, Student Financial, Student Registration, University Development
GS-113: Information Technology
GS-120: Health

32.8 Security Control Catalog

32.8.100 Access Control

Replaced by BOV #38-02 (2020) - Logical Access Control Policy
Replaced by BOV #38-08 (2022) Remote Wireless and Mobile Access Policy

32.8.200 Awareness And Training

Replaced by BOV #38-04 (2021) - Security Awareness and Training Policy

32.8.300 Audit And Accountability

32 - 8 - 301 Audit and Accountability Policy and Procedures
32 - 8 - 302 Auditable Events
32 - 8 - 303 Content of Audit Records
32 - 8 - 304 Audit Storage Capacity
32 - 8 - 305 Response to Audit Processing Failures
32 - 8 - 306 Audit Review, Analysis, and Reporting
32 - 8 - 308 Time Stamps
32 - 8 - 309 Protection of Audit Information
32 - 8 - 311 Audit Record Retention
 

32.8.400 Security Assessment And Authorization

32 - 8 - 401 Security Assessment and Authorization Policies and Procedures
32 - 8 - 403 Information System Connections
32 - 8 - 406 Security Authorization
32 - 8 - 407 Continuous Monitoring
 

32.8.500 Configuration Management

Replaced by BOV #38-06 (2021) - Change Management Policy

 

32.8.600 Contingency Planning

32 - 8 - 601 Contingency Planning Policy and Procedures
32 - 8 - 602 Contingency Plan
32 - 8 - 603 Contingency Training
32 - 8 - 604 Contingency Plan Testing and Exercises
32 - 8 - 606 Alternate Storage Site
32 - 8 - 607 Alternate Processing Site
32 - 8 - 608 Telecommunication Services
32 - 8 - 609 Information System Backup
32 - 8 - 610 Information System Recovery and Reconstitution
 

32.8.700 Identification And Authentication

Replaced by BOV #38-05 (2021) - Identification and Authentication Policy

32.8.800 Incident Response

32 - 8 - 801 Incident Response Policy and Procedures
32 - 8 - 802 Incident Response Training
32 - 8 - 803 Incident Response Testing and Exercises
32 - 8 - 804 Incident Handling
32 - 8 - 805 Incident Monitoring
32 - 8 - 806 Incident Reporting
32 - 8 - 807 Incident Response Assistance
32 - 8 - 808 Incident Response Plan
 

32.8.900 Maintenance

Replaced by BOV #38 (2020) - System Maintenance Policy

32.8.1000 Media Protection

Replaced by #38-01 (2020) - Media Protection Policy

32.8.1100 Physical And Environmental Protection

32 - 8 - 1101 Physical and Environmental Protection Policy and Procedures
32 - 8 - 1102 Physical Access Authorizations
32 - 8 - 1103 Physical Access Control
32 - 8 - 1105 Access Control for Output Devices
32 - 8 - 1106 Monitoring Physical Access
32 - 8 - 1107 Visitor Control
32 - 8 - 1108 Access Records
32 - 8 - 1109 Power Equipment and Power Cabling
32 - 8 - 1110 Emergency Shutoff
32 - 8 - 1111 Emergency Power
32 - 8 - 1113 Fire Protection
32 - 8 - 1114 Temperature and Humidity Controls
32 - 8 - 1118 Location Of Information System Components
 

32.8.1200 Planning

32 - 8 - 1201 Security Planning Policy and Procedures
32 - 8 - 1202 System Security Plan
32 - 8 - 1204 Rules of Behavior
32 - 8 - 1206 Security-Related Activity Planning

32.8.1300 Personnel Security

32 - 8 - 1301 Personnel Security Policy and Procedures
32 - 8 - 1303 Personnel Screening
32 - 8 - 1304 Personnel Termination
32 - 8 - 1305 Personnel Transfer
32 - 8 - 1306 Access Agreements
32 - 8 - 1307 Third-Party Personnel Security
32 - 8 - 1308 Personnel Sanctions
 

32.8.1400 Risk Assessment

32 - 8 - 1401 Risk Assessment Policy and Procedures
32 - 8 - 1402 Security Categorization
32 - 8 - 1403 Risk Assessment
32 - 8 - 1405 Vulnerability Scanning

32.8.1500 System And Services Acquisition

Replaced by BOV #38-03 (2021) - System and Services Acquisition Policy

32.8.1600 System And Communications Protection

32 - 8 - 1601 System and Communications Protection Policy and Procedures
32 - 8 - 1602 Application Partitioning
32 - 8 - 1603 Security Function Isolation
32 - 8 - 1604 Information in Shared Resources
32 - 8 - 1607 Boundary Protection
32 - 8 - 1608 Transmission Integrity
32 - 8 - 1609 Transmission Confidentiality
32 - 8 - 1612 Cryptographic Key Establishment and Management
32 - 8 - 1613 Use of Cryptography
32 - 8 - 1614 Public Access Protections
32 - 8 - 1617 Public Key Infrastructure Certificates
32 - 8 - 1620 Secure Name-Address Resolution Service (Authoritative Source)
32 - 8 - 1623 Session Authenticity
32 - 8 - 1628 Protection of Information At Rest
 

32.8.1700 System And Information Integrity

32 - 8 - 1701 System and Information Integrity Policy and Procedures
32 - 8 - 1702 Flaw Remediation
32 - 8 - 1703 Malicious Code Protection
32 - 8 - 1704 Information System Monitoring
32 - 8 - 1705 Security Alerts, Advisories, and Directives
32 - 8 - 1708 Spam Protection
32 - 8 - 1709 Information Input Restrictions
32 - 8 - 1710 Information Input Validation