Security Requirements for Non-IT Managed Assets
Title: Security Requirements for Non-IT Managed Assets
Effective Date: August 1, 2024
Responsible Office: Information Technology
Last updated: August 1, 2024
Purpose
The purpose of this policy is to communicate the minimum-security requirements for Information Technology assets connected to the William & Mary network that are not managed by central Information Technology. Additionally, this policy stipulates the procedural requirements for non-IT managed asset owners and business units.
Scope
This policy applies to all individuals and technology at William & Mary (the university), including the Virginia Institute of Marine Science.
Policy
System documentation
Asset owner(s) are responsible for maintaining a current asset inventory that includes the following information and for providing it to the information security team. This information will be used to plan and conduct annual risk assessments and access reviews.
Inventory field | Information required
Asset Description | General description of the asset's primary function(s)
Asset components | List the components that make up the asset, including hardware, OS, applications, databases, network configuration and data classification
Network Configuration | Networking requirements, such as whether the asset must be reachable from the public internet and which ports need to be open
Location | Whether the system is on premises or in the cloud. If on premises, the building and room; if in the cloud, which provider
Administrative/privileged users | List all users who will have administrative/privileged access to the system and its components
Non-administrative/privileged users | List all users who will be accessing the system
Administrative/privileged authentication method | Describe how administrative/privileged user accounts will authenticate, including multi-factor authentication
Non-admin authentication method | Describe how non-admin users will authenticate, including multi-factor authentication
Who is responsible for security/compliance/maintenance | List the person responsible for ensuring the asset complies with IT security policies and runs supported, secure components
Who is responsible for access control and account management | List the person(s) who will provision and deprovision accounts, including service accounts
Policy and procedure compliance
Asset owners are responsible for ensuring compliance with the following policies.
Identity and Access Management Policy
Data Classification and Protection Policy
Network Security Policy
VPN Policy
Logging and Monitoring Policy
Backup Policy
Change Control Policy
Cloud Services Policy
Technical Vulnerability Management Policy
Asset Management Policy
Configuration Management Policy
Vendor Hosted Application Policy
Physical and Environmental Security Standard
Annual risk assessment
The information security team will meet with asset owner(s) to review/update current system documentation and assess compliance with security policies.
Vulnerability scanning and remediation
The information security team will conduct regular vulnerability scans. Asset owner(s) are responsible for remediating any identified critical or high vulnerabilities within 30 days.
Penetration testing and remediation
The information security team will conduct periodic penetration tests. Asset owner(s) are responsible for remediation of identified weaknesses.
Risk acceptance and exemptions
Exemptions from any of these requirements must be submitted to the Chief Information Security Officer for review and approval.
The dramatic increase in information security incidents requires the university to take a more proactive approach to protecting its network and information technology assets. Therefore, failure to comply with the requirements outlined in this document could result in the removal of vulnerable assets from the network.
Non-Compliance
Non-compliance with this policy can result in the disconnection of technology assets from the William & Mary network.