The WVU Information Security Policy states that Information Technology Services (ITS) is responsible for establishing the rules to safeguard the hardware, software, and information systems utilized at WVU. The governance established by ITS applies to all units, faculty, staff, affiliates, and vendors with access to WVU systems and data. In support of a risk-based approach to security, WVU will classify information systems into one of three security categories and provide the minimum security requirements within each category. At a high level, the security category of an information system is based on the type of data within the system and its criticality to the operations of the University.
System Criticality / Data Classification | Sensitive | Confidential | Internal | Public |
---|---|---|---|---|
Mission Critical | Level 3 High | Level 3 High | Level 3 High | Level 3 High |
Core | Level 3 High | Level 2 Moderate | Level 2 Moderate | Level 2 Moderate |
Business Critical | Level 3 High | Level 2 Moderate | Level 2 Moderate | Level 1 Low |
Operational | Level 3 High | Level 2 Moderate | Level 1 Low | Level 1 Low |
The WVU Data Classification Policy establishes the rules that govern the classification of information generated through the academic, administrative, research, and outreach activities conducted at WVU into four categories: Sensitive, Confidential, Internal, and Public. The criticality of information systems is likewise classified into four categories: mission critical, core, business critical, and operational.
For assistance classifying the information system you manage, review the information provided in the Security Objectives section or contact Information Security Services at infosec@mail.wvu.edu.
Security Objectives
The Security Category = [Confidentiality impact + Integrity impact + Availability impact]
...
Criterion | Level 1 - Low | Level 2 - Moderate | Level 3 - High |
---|---|---|---|
Impact on WVU’s mission | None | No impact | Potential impact |
Impact on WVU’s reputation | At most a minimal risk | Moderate risk | Significant risk |
Impact on WVU’s finances | None | Mild impact | Significant impact |
Risk to the security of other systems protecting data | None | Mild impact | Significant impact |
Risk to life safety | None | None | Potential risk |
Data Classification | Public | Internal/Confidential | Confidential/Sensitive |
The table below identifies the minimum security requirements for a WVU system or application based on the classification of the data stored within the system and/or the system’s criticality. Security requirements are based on implemented technology governance and are organized below based on the NIST Cybersecurity Framework.
...