Information security standards provide a set of best practices to safeguard Mason's and your data, assets, and resources. These security standards are derived from NIST 800-53 and the NIST Cyber Security Framework (CSF).
- Hardware & Software Security
- PCI Compliance
- Remote Access
IT Security Standards
Expand All Collapse All
Hardware & Software Security
Password Complexity Standard
Date of last revision: 26 February 2016
The purpose of this standard is to define the user password requirements or electronic access to George Mason University's workstations and systems. This standard applies to every faculty member, staff member, student, temporary employee, contractor, outside vendor, and visitor to campus (i.e., user) who authenticates to university-owned computing systems or devices. This standard is designed to minimize the potential exposure to George Mason University from damages that may result from unauthorized use of George Mason University resources. Damages include the loss of highly sensitive or university confidential data, intellectual property, damage to public image, and damage to critical George Mason University internal systems. George Mason University’s Password Complexity Standard requirement is as follows: Your password:
- Cannot be your first, middle, or last name
- Cannot be your username/netID
- Must not include repeated characters, such as AAA or 555
- Must not include alphabetic sequences, such as abc or CBA
- Must not include numeric sequences, such as 123 or 321
- Must not use common keyboard sequences, such as QWERTY or password
- Must be at least 10 and no more than 30 characters long
Only the characters specified below may be used and the password must include 3 out of 4 of the following character classifications.
- Upper case: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- Lower case: abcdefghijklmnopqrstuvwxyz
- Numbers: 1234567890
- Special characters: _
The password must not use dictionary words.
The password must not be easily guessed.
The password cannot be reused.
The password selected will be tested against a pro-active password checker library, which tests passwords for effectiveness (e.g., cracklib).
Change your password as requested. An email reminder will be sent to the account owner about 30 days before the password expires. For increased security, change your password frequently.
If you authenticate directly to systems, devices or workstations that are in scope for Payment Card Industry Data Security Standard compliance you must also:
- Change your password at least every 90 Days
- Include both letters and numbers in the password/passphrase
Incident Response Plan for PCI DSS incidents
Date of last revision: 26 April 2016
The purpose of this standard is to define requirements for responding to a cybersecurity incident involving credit cardholder data.
University Policy 1305: Reporting Electronic Security Incidents requires every faculty member, staff member, student, temporary employee, contractor, outside vendor, and visitor to campus who has access to university-owned or managed information through university-provided or personal computing systems, devices, or physical or electronic files to report Information Security Incidents. As defined in University Policy 1114: Data Stewardship, sensitive information includes “payment card numbers associated with a personal identifier,” as defined by the Payment Card Industry Data Security Standards (PCI DSS).
As stated in University Policy 1305, Information Technology Services (ITS) and the Information Technology Security Office, in conjunction with the Office of University Counsel and the affected university department, shall direct the incident response and investigation. ITS, the IT Security Office, the Office of University Counsel, and the affected university department will coordinate on business recovery procedures, business continuity procedures, and data back-up processes, as appropriate.
Specific procedures are defined in University Policy 1305: Reporting Electronic Security Incidents. Communication and contact strategies in the event of an information security incident are also defined in the “IV. RESPONSIBILITIES” and “V. DATA BREACH NOTIFICATION RESPONSIBILITIES” sections of University Policy 1305. The IT Security Office will coordinate with the Office of University Counsel, as appropriate, when the notification of the payment brands may be necessary. The Office of University Counsel is responsible for the ongoing analysis of legal requirements for reporting compromises.
As a part of the incident response process, consultation of incident response procedures proposed by the payment brands may be required:
- American Express Data Security Operating Policy 
- MasterCard Account Data Compromise User Guide 
- Visa—Responding to a Data Breach 
- Visa—What To Do If Compromised 
Remote access user
Date of last revision: 26 June 2016
The purpose of this standard is to define the user’s requirements for connecting to George Mason University’s network from any host. These standards are designed to minimize potential exposure to George Mason University from damages which may result from unauthorized use of George Mason University resources. Damages include the loss of highly sensitive or university confidential data, intellectual property, damage to public image, and damage to critical George Mason University internal systems. All remote access users are required to comply with University Policy 1301: Responsible Use of Computing and all other applicable George Mason University information security policies.
Level One (Applies to students)
- Remote access by students is limited to the BYOD (Bring Your Own Device) network established by ITS.
Level Two (Applies to all Mason employees and contractors requiring remote access to George Mason internal networks):
- It is the responsibility of all users with remote access privileges to ensure that unauthorized users are not allowed access to George Mason internal networks.
- All hosts, including personal computers, which connect to George Mason internal networks via remote access technologies, must use the most current version of the centrally supported antivirus program for specific operating systems.
- All hosts that connect to George Mason internal networks via remote access technologies must have current security patches applied to their operating systems and software applications.
- All hosts, including personal computers, which connect to George Mason internal networks via remote access technologies must use a host firewall.
- Two-factor authentication (2FA) is required to authenticate all remote access VPN sessions connecting to George Mason internal networks.
Level Three (Applies only to users accessing highly sensitive data):
In addition to Level Two requirements, the following applies to all users who require access to highly sensitive data and/or systems. For more information on what is considered highly sensitive data see the following website:
- All hosts must be university-owned systems; all Windows and Mac hosts must be centrally managed by ITS via SCCM or Jamf.
- All hosts that store highly sensitive data must enable full disk encryption and the user must have explicit permission to store the data. Contact the ITS Support Center to request permission to store highly sensitive data: firstname.lastname@example.org
Remote Access Device
Date of last revision: 26 June 2016
George Mason University’s Information Technology Services (ITS) division maintains a Virtual Private Network (VPN) system that supports off-campus access to internal university networks and hosts. All remote access gateway devices shall meet the following requirements:
- VPN tunnels must use industry-standard strong encryption.
- VPN must prevent split tunneling, with an allowed exception for local network access.
- Active VPN sessions must time out after no more than 12 hours. Idle VPN sessions shall time out after no more than 60 minutes.
- Direct remote access to internal University network devices using Remote Desktop Protocol (RDP) or Secure Shell (SSH) protocol is prohibited.
- Passwords shall, at a minimum, comply with the same standards as Patriot Pass.