
Security Requirements for Non-IT Managed Assets

Title: Security Requirements for Non-IT Managed Assets
Effective Date: August 1, 2024
Responsible Office: Information Technology
Last updated: August 1, 2024

Purpose

The purpose of this policy is to communicate the minimum security requirements for Information Technology assets connected to the William & Mary network that are not managed by central Information Technology. Additionally, this policy stipulates the procedural requirements for non-IT managed asset owners and business units.

Scope

This policy applies to all individuals and technology at William & Mary, including the Virginia Institute of Marine Science.

Policy
System documentation  

Asset owner(s) are responsible for maintaining a current asset inventory containing the following information and providing it to the information security team. This information will be used to plan and conduct annual risk assessments and access reviews.

Asset Description: General description of the asset's primary function(s).

Asset components: List the components that make up the asset, including hardware, OS, applications, databases, network configuration and data classification.

Network Configuration: Describe networking requirements, such as whether the asset must be reachable from the public internet and which ports need to be open.

Location: State whether the system is on premises or in the cloud. If on premises, give the building and room location; if cloud, name the provider.

Administrative/privileged users: List all users who will have administrative/privileged access to the system and its components.

Non-administrative/privileged users: List all users who will be accessing the system.

Administrative/privileged authentication method: Describe how administrative/privileged user accounts will authenticate, including multi-factor authentication.

Non-admin authentication method: Describe how non-admin users will authenticate, including multi-factor authentication.

Who is responsible for security/compliance/maintenance: List the person responsible for ensuring the asset complies with IT security policies and runs supported, secure components.

Who is responsible for access control and account management: List the person(s) who will provision/deprovision accounts, including service accounts.

Policy and procedure compliance  

Asset owners are responsible for ensuring compliance with the following policies.  


Identity and Access Management Policy  

Data Classification and Protection Policy 

Network Security Policy  

VPN Policy  

Logging and Monitoring Policy  

Backup Policy  

Change Control Policy   

Cloud Services Policy  

Technical Vulnerability Management Policy   

Asset Management Policy  

Configuration Management Policy  

Vendor Hosted Application Policy   

Physical and Environmental Security Standard  

Annual risk assessment  

The information security team will meet with asset owner(s) to review/update current system documentation and assess compliance with security policies.  

Vulnerability scanning and remediation 

The information security team will conduct regular vulnerability scans. Asset owner(s) are responsible for remediating any identified critical or high vulnerabilities within 30 days.

Penetration testing and remediation 

The information security team will conduct periodic penetration tests. Asset owner(s) are responsible for remediating identified weaknesses.

Risk acceptance and exemptions 

Exemptions from any of these requirements must be submitted to the Chief Information Security Officer for review and approval.  

The dramatic increase in information security incidents requires the university to take a more proactive approach to protecting its network and information technology assets. Therefore, failure to comply with the requirements outlined in this document could result in the removal of vulnerable assets from the network.

Non-Compliance 

Non-compliance with this policy can result in the disconnection of technology assets from the William & Mary network.