Information Security Policy (#3408)
Policy Statement and Purpose
Continuous availability of information is essential to the operation of Virginia Commonwealth University programs. Expanded use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to administration, faculty, staff, and students than ever before. VCU has realized increased productivity, in terms of improved delivery of services, enhanced administrative capabilities, and lower operating costs, as a direct result of the growing commitment to use information technology.
Information technology has also brought new administration concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies and practices must be established to ensure that hazards are eliminated or their effects minimized.
The focus of information security is on ensuring protection of information and continuation of program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the surrounding investment is the impetus for establishing an information security program.
Protecting information assets includes:
- Physical protection of information processing facilities and equipment.
- Maintenance of application and data integrity.
- Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls.
- Protection against unauthorized disclosure of information.
- Assurance of the continued availability of reliable and critical information.
Many program operations that traditionally were manual or partially automated are today fully dependent upon the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect VCU's ability to administer programs and provide services. The effects of such risks must be eliminated or minimized.
Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside VCU. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of VCU programs, violating individual rights to privacy, violating copyrights, or facing criminal penalties.
An effective and efficient security management program requires active support and ongoing participation from multiple disciplines and all levels of administration. Responsibilities include identifying vulnerabilities that may affect information assets and implementing cost-effective security practices to minimize or eliminate the effects of the vulnerabilities.
The Virginia Department of Technology Planning is responsible for coordinating information technology within state government and is an important source of guidelines, standards, and rules governing computing resources at VCU. The Virginia Department of Technology Planning has jurisdiction over computing resources in all State institutions of higher education. Their security policy and standard are the top-level computing security documents for everyone at VCU.
The Information Security Policy and Standard applies to all Virginia Commonwealth University faculty, staff and students accessing applications and computer systems operated by VCU or utilizing VCUnet to access non-VCU resources. The Information Security Policy and Standard applies to information resources owned by others, such as state agencies, political subdivisions of the state, or federal government agencies, in those cases where a contractual or fiduciary duty exists to protect the resources while in the custody of VCU. The Policy and Standard also applies to both VCU and commercial hosts and workstations attached to VCUnet at the Virginia Biotechnology Park and other off-campus locations.
In the event of a conflict between the Information Security Policy and another security policy, the more restrictive security measures shall apply.
Procedures to enact the requirements of the security policy are provided in the Related Documents section below. Failure to comply with this policy and related procedures will be considered a violation of the VCU Computer and Network Resources Use Policy.
Who Should Read This Policy
All members of the VCU community should read this policy.
Related Documents
- Virginia Information Technology Agency policies, standards and guidelines
- VCU Computer and Network Resources Use Policy
- VCU IT Policies
- IT Security Procedures
- Computer Incident Response Team Procedures
Questions or comments about this policy should be directed to the Assistant Vice President of Administrative Information Technology. Changes to this policy will be authorized by the joint approval of the University Information Technology Advisory Committee (UITAC) and the Executive Officers of the University.
This article was updated: 09/30/2009