Information Security Policy


This policy and related standards define the framework upon which the University of Richmond’s [the “University”] information security program is established and maintained. The policy provides direction for information security related policies, standards, procedures, and guidelines to ensure the confidentiality, integrity, and availability of University information resources.

Policy Statement: 

The University is required to develop, implement and maintain a comprehensive information security program containing administrative, technical, and operational controls. The University's information security program is based upon best practices recommended in NIST SP800-53r4 and is appropriately tailored to the University’s size, complexity, and the nature of its activities.
The program also incorporates security requirements of applicable regulations including, but not limited to, FERPA, PCI-DSS, GLBA, HIPAA, GDPR, and Red Flags Rule. Professional organizations, such as EDUCAUSE, VASCAN, HEISC, and REN-ISAC serve as resources for additional security best practices.
NIST SP800-53r4 and other sources noted above are used to guide development and ongoing enhancement of additional information security policies, as needed.

Roles and Responsibilities:

The Vice President and Chief Information Officer is the institutional point of contact for information security and is responsible for designating the Director of Information Security to coordinate and oversee the information security program.
The Director of Information Security has delegated authority for the selection and implementation of security controls and manages the overall information security program.
Vice presidents, deans, associate/assistant vice presidents and academic/administrative unit leaders shall be responsible for identifying critical and sensitive functions. In addition, they and their staff are responsible for the security, confidentiality, availability, and integrity of data and software stored on individual workstations and centrally managed computer systems to the extent that they have access and or access control.
Vice presidents, deans, associate/assistant vice presidents, and academic/administrative unit leaders are required to designate a data steward for any information resource under their control. They must also designate an application owner for any information resource not centrally managed by Information Services.
This policy also places responsibility on deans, associate/assistant vice presidents and academic/administrative unit leaders to: 1) require appropriate computer use as specified in the policy Acceptable Use Policy, 2) ensure compliance with information technology policies and standards by people and services under their control, and 3) implement and monitor additional procedures as necessary to provide appropriate security of information and technology resources within their area of responsibility.
All users of university information technology resources are required to adhere to the requirements detailed in University of Richmond’s Information Security standards and policies related to information security and technology.

View the Information Security Policy.