Information Security Initiatives
In order for security to be effective we must continuously evaluate and adapt our policies, procedures and technology. Click on any of the initiatives below to learn what changes are planned to enhance security at Longwood University and to see how these changes may affect you.
In Progress

| Initiative | Updated | Description |
| --- | --- | --- |
| Data Storage | 10/13/2009 | New data storage requirements will affect where you store sensitive and non-sensitive university data. |
| Roles and Responsibilities | 9/16/2009 | Security roles and responsibilities are being assigned to those with direct access and control of data, resources and systems. |
| Data Classification and Risk Assessment | 8/27/2009 | In order to better understand the protection requirements of systems and data, the university is undertaking a process to classify data and assess IT system risk. |
| Encryption | 8/27/2009 | Developing an encryption program centrally managed by IITS will allow for protection of data stored in locations other than network drives. |
| Compliance with ISO 27002 | 9/16/2009 | As part of a move to Level II status we are assessing the impacts of complying with ISO 27002. |
| Social Networking Presence for Information Security | 8/27/2009 | To increase our awareness efforts the Information Security Office will be joining Facebook and Twitter. |
| IITS Security Program Assessment | 8/27/2009 | An internal self-study of the effectiveness of our information security program will be undertaken. |
| Shibboleth Feasibility Study | 8/27/2009 | In order to be proactive in our consideration of the security of emerging technologies we will conduct a feasibility study of Shibboleth. |
Completed

| Initiative | Completed | Description |
| --- | --- | --- |
| Remote Access | 11/28/08 | Options for remotely accessing university IT resources and systems are being expanded. |
| Student Employee Security Awareness Training | 12/03/08 | Security awareness training will now be provided for all student employees. |
What is a security initiative?
By outlining our future plans for enhancing security we hope to provide advance notice to the campus on some of our most important forthcoming changes so that the campus will have an opportunity to ask questions, provide feedback and prepare.
What are the “VITA standards” or “state standards” that I hear about?
The Virginia Information Technologies Agency (VITA) publishes policies and standards that provide guidance on responsible information security practices for Virginia’s agencies, including universities. (See the policies and standards here: http://www.vita.virginia.gov/library/default.aspx?id=537#securityPSGs.)
While these policies and standards establish requirements that the university must meet, the university’s goals in enacting security initiatives include:
- Protecting the confidentiality and accuracy of data that has been entrusted to us
- Ensuring access to university IT resources and systems
- Meeting regulatory requirements and auditor recommendations
- Protecting the university
Where can I find a copy of a policy?
IITS policies can be accessed from our Information and Instructional Technology Services Policies, Procedures, Standards and Guidelines index page.
Questions or concerns regarding university IITS policies may be directed to the Information Security Office through the contact information listed to the right.
What do all of these new terms mean?
- Sensitivity - Sensitivity is the degree of adverse effect a compromise of confidentiality, integrity or availability would have on Commonwealth of Virginia interests, the conduct of university programs or the privacy to which individuals are entitled.
- 3 Levels of Data Sensitivity (from least to most sensitive):
  - Public - all data acceptable for public consumption
  - Internal - all data used for conducting university business that is not meant for distribution beyond the university. “Internal” is the default classification.
  - Restricted - all data for which an unauthorized disclosure may result in identity theft or university liability for costs or damages under laws, government regulations or contract
- System owners – System owners are individuals at the management level of the university who are responsible for the operation and maintenance of university IT systems with regard to security. Their responsibilities will include decision making, authorizations and approvals related to the operation and maintenance of IT systems.
- System administrators – System administrators are the individuals who fulfill the day-to-day security responsibilities of an IT system.
- Data owners – Data owners are individuals at the management level of the university who are responsible for deciding how data should be classified and protected. Data owners will be relied upon for their knowledge of business and protection needs of data.
- Data custodians – Data custodians are members of IITS staff or contracted vendors who are responsible for data in their possession (ex. they are responsible for the server on which the data resides).
- Privacy officers – Privacy officers are individuals responsible for directing the university’s adherence to a specific state or federal privacy law (ex. HIPAA, FERPA). Privacy officers’ knowledge of regulations will be relied upon in defining protection requirements of data and systems.