ITS Information Technology Security Standard

1.1 About This Standard

This standard details specific requirements that must be employed to support George Mason University’s policies.

1.2 Applicability to IT Systems and Data

Systems
Systems are categorized based on a FIPS 199 based (Standards for Security Categorization of Federal Information and Information Systems) methodology and corresponding control set is then applied to the system based on their category.

• • High (H)
  • Moderate (M)
  • Low (L)

Some control statements apply only to particular subsets of High category systems; these control statements are prepended with either “CUI Only” or “PCI DSS Only” as appropriate.

Categorization for externally hosted systems is performed during service acquisition, by the Architectural Standards Review Board. The Information Technology Services (ITS) organization is responsible for monitoring compliance of High category external systems in accordance with the Third-Party Risk Management Process.

Data

The Data Stewardship Policy (University Policy 1114: Data Stewardship) references three categories of data:

• • Protected: Highly Sensitive Data
  • Protected; Restricted Data
  • Public Data

2. Interpretation

The applicable controls for any university information system are defined by the category of data that is processed, stored, or transmitted by that system as described above. The university’s Information Technology Security Office, the Chief Information Security Officer and the IT Risk and Compliance office will work with departments to interpret requirements and to ensure that suitable controls are in place for departmental information systems.

3. Requirements

System administrators are responsible for complying with the control requirements that are specified for the sensitivity level of systems they maintain. Questions regarding applicability, implementation, or exemption requests should be referred to the Information Technology Security Office (itsoinfo@gmu.edu) or the IT Risk and Compliance office (itrc@gmu.edu). The corresponding control descriptions from NIST SP 800-53 are referenced in brackets at the end of each control requirement within the published .pdf of the IT Security Standard.

3.1 Access Control

The university must limit system access to authorized users, processes acting on behalf of authorized users, or authorized devices. Authorization to use university computing services and applications is based on an individual’s affiliation with Mason, that individual’s role and responsibilities, and the designated category of the system. Requests for privileged access beyond basic user levels are generally initiated by the individual’s department or unit; approval must be based on the requester’s job duties and role, and limited to the minimum level of access required to perform those duties.

3.2 Assessment, Authorization, and Monitoring

The university must develop, disseminate, and periodically review/update documented procedures to facilitate the implementation of the Security Assessment and Authorization policy and associated Security Assessment and Authorization controls.

3.3 Audit and Accountability

The university must create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity on sensitive systems.

3.4 Awareness and Training

The university must ensure that managers, system administrators, and end users are made aware of security risks associated with their activities, and of the applicable policies, standards, and procedures related to the security of those systems.

3.5 Configuration Management

The university must establish and maintain baseline configurations of sensitive systems throughout the system life cycle. Standard security controls shall be established and enforced as a component of the baseline configuration.

3.6 Contingency Planning

Units that are deemed critical to academic, research, and public safety operations of the university are required to maintain a Continuity of Operations Plan (COOP) documenting a means of achieving full or partial business operations for critical functions during a continuity event (ref: University Policy 1413 Continuity of Operations Planning).

3.7 Identification and Authentication

The identity of information system users, processes acting on behalf of users, or authorized devices must be verified before being allowed access to university information systems.

3.8 Maintenance

The university must perform periodic and timely maintenance on university information systems, and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

3.9 Media Protection

The university must protect information system media, both paper and digital; limit access to information system media to those authorized to view it; and sanitize or destroy information system media before disposal or release for reuse.

3.10 Personnel Security

The university must (i) ensure that individuals occupying positions of responsibility are trustworthy and meet established security criteria for those positions; (ii) ensure that Mason information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with Mason security policies and procedures.

3.11 Physical and Environmental Protection

Physical access to sensitive information systems, equipment, and operating environments must be limited to authorized individuals. The physical plant, utilities, and infrastructure supporting sensitive systems must be protected and controlled.

3.12 Planning

The IT Security Office must develop and document a security plan for the university that addresses information technology security standards, roles, responsibilities, and approved projects that affect the university’s security posture.

3.13 Risk Assessment

The university must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), assets, and individuals resulting from the operation of university information systems and the associated processing, storage, or transmission of university information.

3.14 System and Communications Protection

The Vice President for Information Technology is responsible for establishing control requirements that address Systems and Communications Protection of Mason’s information resources. Security standards and controls are published by the IT Security Office; information system owners must ensure that appropriate procedures to implement those controls are developed, disseminated to system administrators and system users, and maintained through regular updates. All related policies and procedures must be reviewed per designated cadence, and when necessary to address environmental changes.

3.15 System and Information Integrity

The Vice President for Information Technology is responsible for establishing control requirements that address System and Information Integrity of the university’s information resources. The IT Security Office, in coordination with system owners, is responsible for developing and disseminating to all Mason units a set of standards and controls to implement the policy. System owners must ensure that operating procedures supporting the standards and controls are developed and followed. All related policies and procedures must be reviewed annually, and when necessary to address environmental changes.

3.16 System and Services Acquisition

The university must: (i) allocate sufficient resources to adequately protect information systems; (ii) employ system development life cycle processes that incorporate information security considerations; and (iii) ensure that third-party providers employ adequate security measures, through applicable laws, contracts, certifications, and formal agreements to protect information, applications, and/or services outsourced by the university.

Date of last revision: 5 February 2024