The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. The College of William and Mary's Management Agreement with the Commonwealth provides full delegated responsibility for management of the institution's information security activities. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the university, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the university will align its security activities.
The College's information security program will be based upon best practices recommended in the "Code of Practice for Information Security Management Systems" published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27002:2013), appropriately tailored to the specific circumstances of the College. The program will also incorporate security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE association and the Virginia Alliance for Secure Computing and Networking, will serve as resources for additional effective security practices.
The ISO/IEC 27002:20013 Code of Practice and other sources noted in the policy statement will be used to guide development and ongoing enhancement of additional information security policies as needed.