GW SON IT Security Standard
Policy Statement
This standard sets forth the measures established by the George Washington University (hereinafter, “GW” or “the University”) School of Nursing (“Nursing” or “SON”) to address cybersecurity risk in critical infrastructure, specifically Technology Assets. As designed, SON’s approach to cybersecurity helps support the university’s regulatory, legal, environmental, and operational requirements for managing and monitoring risk.
The GW School of Nursing expects all members within its community to adhere to and act in accordance with this standard. All Authorized Users are individually responsible for managing cybersecurity risk effectively. Not doing so may result in unacceptable consequences to individuals and increased costs to the school.
This standard provides a framework for Authorized Users to apply when evaluating specific circumstances. It supplements, and is subordinate to, university policy.
Reason for Policy
Information is a vital asset to the School of Nursing. Certain types of information are subject to legal and regulatory requirements. Non-Public Information requires protection from unauthorized access, modification, disclosure, or destruction. This standard strives to establish expected behaviors regarding Technology Assets as part of a larger effort to create a safety-centric mindset within the school.
Who is Governed by this Policy
This standard applies to all George Washington University School of Nursing Authorized Users of university-owned and issued Technology Assets. For this standard, Technology Assets include information technology hardware or software that is used in the acquisition, processing, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or disposal of data.
Policy
Data Security
Protecting Non-Public Information
SON Authorized Users who have access to Non-Public Information are responsible for protecting that information while it is in their custody in a manner that is consistent with contractual or legal restrictions and is reasonable and appropriate given the level of sensitivity, value, or risk that the Non-Public Information has to the university or members of the university community. Maintaining the confidentiality, integrity, availability, and regulatory compliance of Non-Public Information stored, processed, and/or transmitted at the university is a requirement of all SON Authorized Users.
Use of University Laptops and Desktops
When provided to SON Authorized Users, GW managed laptops and desktops (computers) must be the primary means to store, process, and transact with University Data or otherwise conduct university business. GW managed computers are approved to access, process, and store both Restricted and Regulated data when the following conditions are met.
Access must be limited to only authorized users. A business “need to know” is required for Regulated data. In addition, the following security controls must be in place:
- Strong Password
- Encryption
- Remote wiping capability
- Registered and managed by the GW IT mobile device management service
Laptops and desktops provided by SON IT OPS meet the above requirements for Restricted and Regulated data.
Privacy and University Technology Assets
SON employees have no right of personal privacy with respect to personal data or University Data when stored, processed, and/or transmitted on University Technology Assets.
Personal Use of University Laptops and Desktops
GW issued and managed laptops and desktops are assigned in order to support the mission of SON, and are not intended to support more than incidental and occasional personal use. SON IT OPS recognizes that Authorized Users may occasionally use GW issued and managed computers in order to access cloud-based accounts through a browser; however, personal software and personal data should not be installed on the hard drive.
The primary principles governing Personal Use of University Resources are:
- The university incurs no additional cost from that use other than the minimal cost incurred from ordinary wear and tear, and the use of minimal amounts of other resources (ink, toner, etc.);
- The use does not inappropriately interfere with or reduce the hours worked by the employee;
- The use does not preclude others with work-related needs from using the resources; and
- The use does not violate any applicable laws, regulations, or other university policies.
Use of Personal Laptops and Desktops
- GW systems (Box, Google Drive, etc.) approved for Restricted or Regulated information may be accessed on personal laptops and desktops but not installed.
- Regulated or Restricted information may not be downloaded, stored or synchronized on Personal Technology Assets.
Requirements for accessing Regulated and Restricted information from Personal Technology Assets:
- Full Disk Encryption (FDE)
- Use of VPN
- Must be password protected
- Anti-virus / Anti-spyware software must be active and maintained up to date
- Updates for all installed software, drivers, and firmware should be installed within a reasonable period
Appropriate University Resources
Unless otherwise directed by university guidance or policy, SON Authorized Users should utilize university resources as directed within this section. This list of appropriate university resources is not exhaustive or all-inclusive. Note: unapproved software/services may not be used in conjunction with University Data.
- GW Box should be used for the storage or sharing of Regulated information. Regulated information should never be shared publicly or stored on Personal Technology Assets.
- GW Mail (Google Mail, Gmail) should be used in conjunction with [NetID]@gwu.edu accounts for all business email communications. Regulated information should never be sent via email, even if sent with default or third party encryption (such as Zix Corp).
- Cisco AnyConnect VPN should always be used when performing work on behalf of the university over non-GW internet connections (networks) - to include when “working from home” or using a home internet connection.
- GW Documents (Documentum) should be used for the storage of documents with official retention requirements as defined by policy, laws, regulations, or other rules.
Individual Responsibilities for Data Security
- Notify the IT Support Center, SON management, and SON IT OPS immediately if Non-Public Information, passwords, computer equipment, or system access control mechanisms are lost, stolen or disclosed or suspected of being lost, stolen or disclosed.
- Understand and follow requirements for data security that apply to yourself or data in your custody.
- Use secure methods to transmit Non-Public Information.
- Log out when finished using a system.
- Do not intentionally damage, alter or misuse any university-owned or maintained computing systems, equipment, and networks.
- Follow university guidance regarding securing University Data when traveling abroad or domestically.
- Know how to apply the Three Steps to Data Security.
- Report (by forwarding) any unsolicited or suspicious email to abuse@gwu.edu. Your report may play a key role in helping others at GW avoid similar scams and phishing attempts. Do not forward or otherwise send suspicious email to any other entities.
Physical Security
University Technology Asset Damage, Loss, or Theft
SON Authorized Users are responsible for taking appropriate precautions to prevent damage to or loss/theft of University Technology Assets. Policies for appropriate use of university property as identified in the faculty/staff handbooks or elsewhere may be used to determine whether liability exists.
If a University Technology Asset is lost or stolen on University property, it must be reported to University Police immediately. For theft or loss off campus, it should instead be reported to local police. If one can be provided, the police report should include the service tag/serial number of the lost/stolen device. A copy of the police report must be sent to SON IT OPS within ten business days of the discovery of the loss. As applicable, SON IT OPS (son_it_ops@gwu.edu) will contact GW IT Support to notify the University of the loss/theft and obtain confirmation that the device is full disk encrypted.
Individual Responsibilities for Physical Security
- Ensure that suites and offices are locked outside normal business hours. When leaving for the day, make sure the suite or office is appropriately secured so that no one can enter after business hours without a key.
- Implement a clean desk policy. At the end of each day, lock up Non-Public Information in a drawer or cabinet.
- Lock Technology Assets with a password when they are not in use. When leaving a work space, turn computers off or enable a screensaver lock so the machine cannot be accessed without a password.
- Securely dispose of records that are no longer needed. When any documents, including convenience copies, are no longer needed, they should be securely eliminated as directed by GW’s Records Management policy.
- Maintain possession or control of Technology Assets. Apply appropriate safeguards to the extent possible to reduce the risk of theft and unauthorized access.
Enforcement
Suspected violations of this standard should be reported to the IT Support Center, to the individual’s manager, as well as SON IT OPS. In accordance with the Non-Retaliation Policy, SON prohibits retaliation against a member of the university community for making a good faith report of a potential university related legal or policy violation. SON IT OPS may escalate violations of this standard to the SON Dean, SON Human Resources, SON management, or university personnel as appropriate.
Definitions
Authorized Users: Any faculty, staff, student, student worker, temporary worker, contractor, affiliate, and other authorized users of university computing systems, applications, equipment, and networks.
Mobile Device: Any device that can be easily transported and that has the capability to store, process, or transmit data, including but not limited to laptops, portable hard drives, USB flash drives, smartphones, and tablets.
Non-Public Information: Information that may only be disclosed to individuals outside the university in specific situations with appropriate technical safeguards and may include but is not limited to information that fits into one of the following categories: Regulated Information, Restricted Information.
- Regulated Information: Information that is protected by local, national, or international statute or regulation mandating certain restrictions. For example, student academic and financial records are regulated by the Family Educational Rights and Privacy Act (FERPA) and certain personal health information is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Other forms of Regulated Information include social security numbers, export controlled data and information (excluding technology or software that arises during, or results from, fundamental research under Section 734.8 of the EAR), and credit card information.
- Restricted Information: Information that must be limited to appropriate university faculty, staff, students, or other Authorized Users with a valid business need. This information must be protected from unauthorized access, use, or disclosure due to university policies, contract, or designation, or due to proprietary or privacy considerations. Examples of Restricted Information include payroll and tax information, performance appraisals, and internal directory information.
Protected Health Information (“PHI”): Information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.
Public Information: Information with no restrictions on access, use, or disclosure under university policy, or contract, or local, national, or international statute or regulation. Public Information includes announcements and press releases, public event information, and public directories.
Technology Assets: Information technology hardware or software that is used in the acquisition, processing, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or disposal of data.
Personal Technology Assets: Technology Assets owned by an individual and not supported, managed, approved, leased, or otherwise acquired by the university. Personal Technology Assets are not primarily intended to foster or support the ongoing mission of the university.
University Technology Assets: Technology Assets owned, supported, managed, approved, leased, or otherwise acquired by GW and intended to foster or support the ongoing mission of the university.
University Data: Regulated, Restricted, and Public data produced or consumed for university business.
Related Information
- Acceptable Use for Computing Systems and Services
- Data Classification Levels
- Data Protection Guidance
- Electronic Theft
- Email Security Guide (PDF Guidance)
- Guide to GW’s Information Management and Protection Policies (PDF Guidance)
- How to Use Data Encryption (PDF Guidance)
- Information Security
- International Travel Guidelines (PDF Guidance)
- Laptop Computer and Small Electronics Theft
- Non-Retaliation
- Personal Use of University Resources
- Physical Security Memo (PDF Guidance)
- Practical Guide for Classifying University Data (PDF Guidance)
- Records Management
- Three Steps to Data Security (PDF Guidance)
Contacts
Contact | Telephone | Email
School of Nursing, IT OPS | N/A | son_it_ops@gwu.edu
Responsible University Official: Director of Operations
Responsible Office: Information Technology Operations
Last Reviewed: 1/31/2020