University Information Technology Security Program 6033

I. POLICY OWNER

The Vice President for Strategic Operations oversees this policy. Information Technology Services (ITS) is responsible for monitoring compliance with the policy and taking any necessary corrective action.

II. PURPOSE

Longwood University has a highly complex and resource-rich Information Technology (IT) environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Safeguarding the institution's computing assets in the face of growing security threats is a significant challenge requiring a strong, persistent and coordinated program that leverages widely accepted, effective security practices appropriate for the higher education environment. This policy states the codes of practice with which the university aligns its IT security program.

The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. Chapters 824 and 829 of the 200 Virginia Acts of the Assembly and Longwood's Memorandum of Understanding with the Commonwealth provide full delegated responsibility for management of the institution's IT security activities. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the university, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the university will align its security activities.

III. POLICY

The university's IT security program will be based upon best practices recommended in the "Code of Practice for Information Security Management" published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27002), appropriately tailored to the specific circumstances of the university. The program will also incorporate security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE association and the Virginia Alliance for Secure Computing and Networking, will serve as resources for additional effective security practices.

IV. PROCEDURES

Related policies, standards and guidelines may be maintained internally by Information Technology Services.

Approved by the Board of Visitors, September 11, 2009
Updated, December 13, 2019