|
|
Information Security Policy
|
Information Technology Security Policy
Revision: 1.3
Effective: 2022-06-15
Contact: Chief Information Security Officer
GENERAL
The Virginia Community College System (VCCS) has a highly complex and resource-rich information technology environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Safeguarding the VCCS’s computing assets in the face of growing security threats is a significant challenge requiring a strong, persistent, and coordinated program that leverages widely accepted, effective security practices appropriate for the higher education environment. This policy states the codes of practice with which the VCCS aligns its information technology security program.
This policy applies to all academic and operational departments and offices at all Virginia Community College (VCCS) locations. This policy does not apply to research projects, research initiatives, or instructional programs.
POLICY STATEMENT
The VCCS Information Security Program will be based on best practices recommended in the “Information security management systems — Requirements” published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27001) and appropriately tailored to the specific circumstances of the VCCS. The program will also incorporate security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE association and the Virginia Alliance for Secure Computing and Networking, will serve as additional resources for effective security practices.
STANDARDS AND PROCEDURES
The ISO/IEC 27001 Information security management systems — Requirements and other sources noted in the policy statement will be used to guide the development and ongoing enhancement of information technology security standards as needed. Information technology security standards can be found on the VCCS Intranet website https://onvccs.sharepoint.com/teams/src/SitePages/Standards%20and%20Guidelines.aspx.
TERMS
None.
RELATED INFORMATION
"Information security management systems — Requirements" (ISO/IEC 27001). This international standard defines guidelines and general principles for effective information security management. It is a risk-based framework widely used to establish security standards and management practices.
EDUCAUSE Association – EDUCAUSE is a nonprofit association dedicated to the advancement of higher education through the effective use of information technology. Members include representatives from institutions of higher education, higher education technology companies, and other related organizations.
International Organization for Standards (ISO) –ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies including the American National Standards Institute (ANSI). Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges such as information security.
International Electrotechnical Commission (IEC) – The IEC is a global organization that develops and published standards addressing electrical, electronic and related technologies. The IEC's members are National Committees, and they appoint experts and delegates coming from industry, government bodies, associations and academia to participate in the technical and conformity assessment work of the IEC.
Virginia Alliance for Secure Computing and Networking (VA SCAN) – VA SCAN was formed to help strengthen information technology security programs within Virginia. The Alliance was organized and is operated by security practitioners and researchers from several Virginia higher education institutions.
ROLES AND RESPONSIBILITIES
VCCS System Office, ITS – Chief Information Security Officer (CISO)
The Chief Information Security Officer (CISO) will be responsible for oversight of compliance with the VCCS Information Security Program by all colleges, the System Office, and the Shared Services Center, the development and maintenance of VCCS Information Security Standards as required by ISO/IEC 27001 “Information security management systems — Requirements” and to comply with relevant Federal and Commonwealth of Virginia legal and regulatory requirements, and the investigation of breaches of data protection and privacy.
Colleges, SSC & System Office
Responsibilities include implementing the VCCS Information Security Standards, following VCCS information security best practices as provided in the VCCS Information Security Guidelines, and utilizing VCCS recommended information security tools and templates as necessary.
POLICY APPROVAL AND REVISIONS
The State Board adopted the proposed Information Technology policy statements in the areas of accessibility; infrastructure, architecture and operations; project management; and security to fully comply with §2.0 and §5.0 of Chapter 824, 829 of the 2008 Acts of Assembly.
RESPONSIBLE STAFF:
Vice Chancellor, Information Technology Services
Virginia Community College System