Security Requirements for Non-IT Managed Assets

Purpose

The purpose of this policy is to communicate the minimum-security requirements for Information Technology assets connected to the William & Mary network that are not managed by central Information Technology.  Additionally, this policy stipulates the procedural requirements for non-IT managed asset owners and business units. 

Scope

This policy applies to all individuals and technology at William & Mary, the university, including the Virginia Institute of Marine Science. 

Policy

System documentation  

Asset owner(s) are responsible for maintaining a current asset inventory including the following information and provided to the information security team.  This information will be used to plan and conduct annual risk assessments and access reviews.  

system documentation

Asset Description	General description of the assets primary function(s)
Asset components	List the components that make up the asset including hardware, OS, applications, databases, network configuration, data classification
Network Configuration	Please provide networking requirements such as does this need to be accessed from the public internet, a list of ports that need to be open.
Location	Is this system on premise or in the cloud.  If on premise, building and room location. If cloud, which one.
Administrative/privileged users	List all users who will have administrative/privileged access to the system and its components.
Non-administrative/privileged users	List all users who will be accessing the system.
Administrative/privileged authentication method	Describe how administrative/privileged user accounts will authenticate including multi-factor authentication.
Non-admin authentication method	Describe how non-admin users will authenticate including multi-factor authentication.
Who is responsible for security/compliance/maintenance	List the person responsible for ensuring the asset complies with IT security policies and running supported, secure components.
Who is responsible for access control and account management.	List the person(s) who will provision/deprovision and service accounts.

Policy and procedure compliance  

Asset owners are responsible for ensuring compliance with the following policies.  

policy and procedure compliance

Identity and Access Management Policy

Data Classification and Protection Policy

Network Security Policy

VPN Policy

Logging and Monitoring Policy

Backup Policy

Change Control Policy

Cloud Services Policy

Technical Vulnerability Management Policy

Asset Management Policy

Configuration Management Policy

Vendor Hosted Application Policy

Physical and Environmental Security Standard

 Annual risk assessment  

The information security team will meet with asset owner(s) to review/update current system documentation and assess compliance with security policies.  

Vulnerability scanning and remediation  

Information security team will conduct regular vulnerability scans.  Asset owner(s) are responsible for remediating any identified critical or high vulnerabilities within 30 days.  

Penetration testing and remediation  

The information security team will conduct periodic penetration tests.  Asset owner(s) are responsible for remediation of identified weaknesses.  

Risk acceptance and exemptions  

Exemptions from any of these requirements must be submitted to the Chief Information Security Officer for review and approval.  

The dramatic increase in information security incidents requires the university to take a more proactive approach to protecting its network and information technology assets.  Therefore, failure to comply with the requirements outlined in this document could result in the removal of vulnerable assets from the network.  

Non-Compliance 

Non-compliance with this policy can result in the disconnection of technology assets from the William & Mary network.