Information Security
Title: Information Security Policy
Responsible Office: Information Security Office
Effective Date: 2006
Last Reviewed: February 14, 2024
I. Purpose
William & Mary has a highly complex and resource-rich information technology environment on which it increasingly relies to provide mission-critical academic, instructional, and administrative functions. Safeguarding the institution's computing assets in the face of growing security threats is a significant challenge that requires a strong, persistent, and coordinated program, one that leverages widely accepted, effective security practices appropriate for the higher education environment. This policy states the codes of practice with which the university aligns its information technology security program.
II. Scope
The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations on condition that certain commitments to the Commonwealth are met. W&M's Management Agreement with the Commonwealth delegates full responsibility for the management of the university's information security activities to the university. This delegation includes the authority to conduct these activities in accordance with industry best practices, appropriately tailored to the specific circumstances of the university, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the university will align its security activities.
III. Policy
The university's information security program will be based upon the best practices recommended in ISO/IEC 27002:2022, the information security controls standard published jointly by the International Organization for Standardization and the International Electrotechnical Commission (earlier editions of which were titled "Code of Practice for Information Security Management"), appropriately tailored to the specific circumstances of W&M. The program will also incorporate the security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Professional organizations, such as EDUCAUSE and the Virginia Alliance for Secure Computing and Networking, will serve as resources for additional effective security practices. The university has appointed a Chief Information Security Officer with responsibility for identifying and implementing the controls deemed necessary and appropriate to achieve the goals of the university's Security Program.
IV. Non-Compliance
An employee's failure to comply with any of the above policy statements may result in discipline in accordance with the general university employment policies and procedures that apply to the respective category of employee. The university may temporarily deny access to university information systems and refer the case to the appropriate local, state, or federal authority for further disposition.
A student's failure to comply with any of the above policy statements may result in disciplinary action in accordance with the Student Handbook. Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under the Administration of the Student Code of Conduct, Section VII. The university may temporarily deny access to university information systems and refer the case to the appropriate local, state, or federal authority for further disposition.