
Minimum Security Requirements for IT Assets

Title: Minimum Security Requirements for IT Assets
Effective Date: March 5, 2026
Responsible Office: Information Technology
Last updated: Second Version

Purpose

The purpose of this policy is to communicate the minimum security requirements for Information Technology assets connected to the William & Mary network that are not managed by central Information Technology. Additionally, this policy stipulates the procedural requirements for the owners and business units of assets that are not managed by IT.

Scope

This policy applies to all individuals and technology at William & Mary (the university), including the Virginia Institute of Marine Science. This includes, but is not limited to, hardware, operating systems, applications, databases, network devices, cloud-hosted services, vendor-hosted services, and specialized systems, regardless of whether they are centrally managed by Information Technology or managed by departments, units, or third parties.

Policy

System documentation  

Asset owner(s) are responsible for maintaining a current asset inventory and providing this information to the Information Security team.  This information will be used to plan and conduct annual risk assessments and access reviews.  

System documentation must include, at a minimum, the following information:


Asset Description  

General description of the asset's primary function(s).

Asset components  

List the components that make up the asset, including hardware, operating system, applications, databases, network configuration, and data classification.

Network Configuration   

Provide the networking requirements, such as whether the asset must be reachable from the public internet and the list of ports that need to be open.

Location  

State whether the system is on premises or in the cloud. If on premises, give the building and room location; if in the cloud, name the cloud provider.

Administrative/privileged users  

List all users who will have administrative/privileged access to the system and its components.  

Non-administrative/privileged users  

List all users who will be accessing the system.  

Administrative/privileged authentication method  

Describe how administrative/privileged user accounts will authenticate including multi-factor authentication.  

Non-admin authentication method  

Describe how non-admin users will authenticate including multi-factor authentication.  

Who is responsible for security/compliance/maintenance  

List the person responsible for ensuring the asset complies with IT security policies and running supported, secure components.   

Who is responsible for access control and account management

List the person(s) who will provision, deprovision, and service accounts.

Policy and procedure compliance  

Asset owners are responsible for ensuring compliance with the following policies.  


Identity and Access Management Policy  

Data Classification and Protection Policy 

Network Security Policy  

Logging and Monitoring Policy  

Backup Policy  

Change Control Policy   

Asset Management Policy  

Configuration Management Policy  

Vendor Hosted Application Policy   

Physical and Environmental Security Standard  

Annual risk assessment  

The Information Security team will meet with asset owner(s) to review and update system documentation and assess compliance with security policies on a regular basis.  

Vulnerability scanning and remediation 

The Information Security team will conduct regular vulnerability scans of university information technology assets. Asset owner(s) are responsible for remediating any identified critical or high vulnerabilities within 30 days or within an alternative timeframe approved through the risk acceptance process. 

Assets that are identified as presenting a security risk to the university may be subject to immediate risk-reduction actions. Such assets will first be isolated to a secure network segment that has no access from the public internet. Isolation does not eliminate the obligation to remediate identified vulnerabilities.

If the identified security risk is not remediated within one week of isolation, or within a shorter timeframe if warranted by the severity of the risk, the asset will be removed from the university network until the risk has been adequately addressed and approved for reconnection by the Information Security team. 

Penetration testing and remediation 

The Information Security team will conduct periodic penetration tests.  Asset owner(s) are responsible for remediation of identified weaknesses.  

Risk acceptance and exemptions 

Exemptions from any of the requirements outlined in this policy must be submitted to the Chief Information Security Officer for review and approval.

The increasing frequency and severity of information security incidents require the university to take a proactive approach to protecting its network and information technology assets. Failure to comply with the requirements outlined in this document may result in network segmentation, removal of public internet accessibility, or disconnection of vulnerable assets from the university network. 

Non-Compliance 

Non-compliance with this policy can result in the disconnection of technology assets from the William & Mary network.