...
that Information Technology Services is responsible for establishing the rules to safeguard the hardware, software, and information systems utilized at WVU. The governance established by ITS applies to all units, faculty, staff, affiliates, and vendors with access to WVU systems and data. The table below identifies the minimum security requirements for a WVU system or application based on the classification of the data stored within the system and/or the system’s criticality. Security requirements are based on implemented technology governance and are organized below based on the NIST Cybersecurity Framework.

The loss of confidentiality, integrity, or availability has
Security Category = [Confidentiality impact + Integrity impact + Availability impact]
Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability means ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
| | Level 1 - Low | Level 2 - Moderate | Level 3 - High |
|---|---|---|---|
| Impact on WVU’s mission | None | No impact | Potential impact |
| Impact on WVU’s reputation | At most a minimal risk | Moderate risk | Significant risk |
| Impact on WVU’s finances | None | Mild impact | Significant impact |
| Risk to the security of other systems protecting data | None | Mild impact | Significant impact |
| Risk to life safety | None | None | Potential risk |
| Criticality of data | Intended for public disclosure | Generally not available to public | Protection is required by law |
| Data Classification | Public | Internal/Confidential | Confidential/Sensitive |
...
Governance: University-Owned Device Standard, Secure Server Standard, Information Security Policy, Sensitive Data Policy
Security Control | Level 4Level 3 | Level 2 | Level 1 |
---|---|---|---|
Maintain inventory of computers that identifies criticality of device or data being stored on it. | | | |
Maintain inventory of systems being used and managed by WVU that identifies classification of data stored within. | | | |
Maintain inventory of servers being used and managed by WVU that identifies purpose of server and classification of data stored on server. | | | |
Develop, document, and periodically update system security plans. | ☑ | ⬜ |
Business Environment
Governance: Vendor Security and Compliance/Technology Procurement Standard (pending development), Risk Assessment Standard
...