Ïã¸ÛÁùºÏ²Ê×ÊÁÏ

Ìý

, grants authority to the Board of Visitors to make rules and policies concerning the institution. Section 7.01(a)(6) of the Board of Visitors Bylaws grants authority to the President to implement the policies and procedures of the Board relating to University operations.

, Restructured Higher Education Financial and Administrative Operations Act

Ìý

Data Compliance Owners – As defined in , University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview. Data compliance owners understand the compliance requirements for their data, designate the compliance level of their data and approve access to their data. University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as Human Resources, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.

Information Security Governance, Risk, and Compliance (GRC) – A strategic functional unit within the University Information Security Office serving the campus community by assisting with meeting compliance of federal and state regulations; University policies, standards, and guidelines; and managing potential security risks to the University. The GRC team also seeks to provide University leadership with the tools needed to make informed risk-based decisions that best support the mission of the University.

Project Management Office (PMO) - A strategic functional unit within the Office of Information Technology Services (ITS) that promotes and advances project management principles and services for Information Technology (IT) projects at Ïã¸ÛÁùºÏ²Ê×ÊÁÏ.

Services – Professional services to include consulting, designing, organizing, and managing University environments to include access to University data, to assist or do work on behalf of University employees. Consultation to departments on security aspects related to potential software purchases, ensuring alignment with our overall security objectives.

Software Technologies and Applications - Computer programs or a group of computer programs and related data that process, store, or access University data, operate on or interact with the University systems and information technology resources. These include, but are not limited to, system software, application software, programming software, whether delivered as software as a service (cloud-based), hosted, or on-premises installed on Ïã¸ÛÁùºÏ²Ê×ÊÁÏ systems.

System Compliance Owner – As defined in , a manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

This policy applies to all employees and employees of affiliated organizations who are paid through the University in academic and administrative units who procure software technologies. Employees include all staff, administrators, faculty, full- or part-time, and classified or non-classified persons who are paid by the University. Affiliated organizations are separate entities that exist for the benefit of the University through an operating agreement and include the Foundations, the Community Development Corporation, and the Alumni Association.

This policy applies to all software technologies, applications and services, including single quantity, open-source, commercially available or independently developed software, that are determined to meet one or more of the following criteria for review, regardless of who initiates the acquisition or the origin of the funding source:

• requires the use of University IT systems and resources, with exceptions as noted in ITS Guidelines;
• requires on-going maintenance by ITS;
• collects, stores, displays, or exports personally identifying data, non-public personal or financial information, protected health information, or student records, or will store or manage data that is subject to legal controls (Ex. FERPA, HIPAA);
• interfaces with an existing enterprise system application, such as MIDAS, Banner, course management system, etc.; or
• has implications for physical safety.

Note: Anyone who is uncertain about whether a planned acquisition or development of software technology, application, or service is subject to this policy should contact Information Security GRC.

The Solutions Discovery Analysis process, in collaboration among the requesting department, Procurement, and ITS, is one way to apply due care in expanding adoption of information security reviews. In cases where systems are purchased prior to completing a solutions security review or system risk assessment, it will remain the responsibility of the requesting department to initiate and complete the review in collaboration with Information Security GRC.

Software technologies, applications and services are to be implemented in ways that contribute to the effectiveness and efficiency of the institution and promote compliance with University standards. Prior to procurement of any new software technologies, applications or services as defined within the scope of this policy, the System Owner will initiate with Information Technology Services (ITS) an evaluation to assess integration requirements with existing University services, systems and standards, and operational support requirements. The primary goals are determination of integration challenges or coordination needs, information gathering for initiating an IT project, assistance in assessment of redundant services that may be leveraged, assistance with maintenance and cost analysis when appropriate, fostering appropriate dialogue among various stakeholders and operating units, and resource planning. Additional benefits include documentation of the specific data that are involved, gaining Data Owner approval for use of the data, facilitating the proper contract addendum for sharing the data, and supporting identity and access considerations according to Ïã¸ÛÁùºÏ²Ê×ÊÁÏ IT security standards.

Departments and administrative units contribute to and share responsibility for the deployment of software technologies, applications and services. Specifically, they are responsible for:

• gathering information on software technologies, applications and services;
• initiating a software decision analysis with the ITS PMO prior to the procurement;
• understanding information security roles and responsibilities;
• supporting University standards and compliance;
• conducting ongoing maintenance; and
• managing cost of ownership.

The ITS PMO is responsible for (i) accepting and tracking requests for reviews and (ii) coordinating timely responses to the departmental or administrative units.

ITS is responsible for reviewing submissions and sharing findings with departments and appropriate administrative units. The review will include:

• an analysis of compliance with Federal and State regulations and University policy;
• a technical review, including a security review and an integration review when appropriate; and
• ongoing maintenance and cost of ownership review, when appropriate.

ITS and the requesting department will use the following standards and guidelines for reviewing and making recommendations:

• compatibility with the University's computing and network environments;
• compliance with the University's IT standards andÌýSoftware Decision Analysis and System Risk Analysis Guideline;
• suitability based on needs assessment;
• licensing compliance for software purchase;
• hardware and software that can be efficiently supported; and
• availability of sufficient University resources (including initial and recurring costs).

The outcome of the review will be an analysis of the technology's ability to be compliant with and successful in the University's IT environment. If applicable, recommendations will be made to prevent or mitigate risks. Software acquisitions that do not meet ITS recommendations will not be supported without approval of the requesting department's Vice President.

Ìý

​​​​​​The requesting department applies this policy for the Information Technology software, system, or service planned for implementation at Ïã¸ÛÁùºÏ²Ê×ÊÁÏ according to the criteria established within the policy.

1. Departments considering a planned acquisition or development of software technology, application, or service are subject to this policy and should contact the IT Project Management Office which will initiate the Solutions Discovery Analysis process.

2. The requesting department gathers information about the software and submits anÌýITS Solutions Discovery ÌýAnalysis Request to ITS to assist in the data collection. Other information needed will consist of technical documentation, hardware requirements, vendor practices, security, consulting, etc. ITS staff will be available to consult upon request. Early planning is strongly encouraged in order to avoid unnecessary delays.

3. Information Security GRC assesses the information with technical support staff and/or the vendor for further clarification as needed on specific items in the review document. The time required to complete a review can vary based on the complexity of the system and the timing in the academic and budget cycles of the University.

4. Following the assessment, ITS provides a summary including whether contract protections are needed via use of the relevant Addendum Form, whether further architectural review is needed, whether an IT project is needed, and identification of data compliance ownership and responsibilities.

5. The departmental System Compliance Owner for the requested system will sign-off on the ITS findings, acknowledging security responsibilities as the System Compliance Owner, and when Ïã¸ÛÁùºÏ²Ê×ÊÁÏ data is involved, the Data Compliance Owner(s) will sign off for approval for the use of the data as well as other designated roles such as system administrator or application administrator when warranted.

Questions regarding this policy should be directed to the Information Security GRC Office via email at itsriskandcompliance@odu.edu.

Ìý

Applicable records must be retained and then destroyed in accordance with theÌý.

Associate Vice President and CIO, Information Technology Services

Ìý

The deployment of information technology applications must adhere to all applicable University Policies as noted below. For the Standards associated with University Policies, see also:

University Policy 3500 - Policy on the Use of Computing Resources

University Policy 3502 - Information Technology Infrastructure, Architecture, and Ongoing Operations Policy

University Policy 3504 – Data Administration Policy

University Policy 3505 - Information Technology Security Policy

University Policy 3508 - Information Technology Project Management

Information Technology Services Computing Policies and Standards

Information Technology Services Standard 02.3.0 – Data Administration & Classification Standard

Information Technology Services Standard 08.1.0 – Risk Assessment StandardÌýÌýÌýÌýÌýÌýÌýÌý

Department of Procurement Services Procurement Manual