Information security standards provide a set of best practices to safeguard Mason's and your data, assets, and resources. These security standards are based on the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-53 moderate baseline controls, scoped and tailored to the context of higher education institutions. NIST SP 800-53 is a widely accepted industry standard, most often used by U.S. federal and state agencies. The IT Security Standard describes controls as they apply to systems and processes based upon a high/medium/low classification.


Incident Response Plan for PCI DSS Incidents

The purpose of this standard is to define requirements for responding to a cybersecurity incident involving credit cardholder data.

ITS Information Technology Security Standard

This standard details specific requirements that must be employed to support George Mason University's policies. These requirements are categorized in sixteen (16) Control Family Standards drawn from NIST Special Publication (SP) 800-53 Revision 5. Some controls and enhancements are required only for particular classes of systems and/or data. System administrators are responsible for complying with the control requirements that are specified for the categorization and sensitivity level of the systems they maintain. Questions regarding applicability, implementation, or exemption requests should be referred to the Information Technology Security Office or the IT Risk and Compliance office.

Password Complexity Standard

The purpose of this standard is to define the user password requirements for electronic access to George Mason University's workstations and systems. This standard applies to every faculty member, staff member, student, temporary employee, contractor, outside vendor, or visitor to campus (i.e., user) who authenticates to university-owned systems or devices.

Remote Access User Standard

The purpose of this standard is to define the user's requirements for connecting to George Mason University's network from any host.

Remote Access Device Standard

George Mason University's Information Technology Services (ITS) maintains a Virtual Private Network (VPN) system that supports off-campus access to internal university networks and hosts. All remote access gateway devices need to meet the requirements listed in this standard.

Media Sanitization Procedure

This procedure provides detailed instructions for permanently removing data from Mason-owned electronic devices and verifying that removal. It applies to all university departments and offices at all George Mason University locations that are planning to release Mason-owned electronic devices for reuse.