Overview

Information security standards provide a set of best practices to safeguard Mason's and your data, assets, and resources. These security standards are derived from NIST 800-53 and the NIST Cyber Security Framework (CSF).

Download the PDF version of the Information Technology Security Standard by clicking or tapping on the image.

IT Security Standard Download

Incident Response Plan for PCI DSS Incidents

The purpose of this standard is to define requirements for responding to a cybersecurity incident involving credit cardholder data.

> More information

ITS Information Technology Security Standard

This standard details specific requirements that must be employed to support George Mason University's Information Security Policy. These requirements are categorized in eighteen (18) Control Family Standards drawn from NIST Special Publication (SP) 500-53. Some controls are required only for particular classes of systems and/or data. System administrators are responsible for complying with the control requirements that are specified for the sensitivity level of the systems they maintain. Questions regarding applicability, implementation, or exemption requests should be referred to the Information Technology Security Office.

> More information

Password Complexity Standard

The purpose of this standard is to define the user password requirements for electronic access to George Mason University's workstations and systems. This standard applies to every faculty member, staff member, student, temporary employee, contractor, outside vendor, or visitor to campus (i.e., user) who authenticates to university-owned systems or devices.

> More information

Remote Access User Standard

The purpose of this standard is to define the user's requirements for connecting to George Mason University's network from any host.

> More information

Remote Access Device Standard

George Mason University's Information Technology Services (ITS) maintains a Virtual Private Network (VPN) system that supports off-campus access to internal university networks and hosts. All remote access gateway devices need to meet the requirements listed in this standard.