The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

1. Purpose

   The purpose of this standard is to establish the management responsibilities and define the elements to be examined in information security program reviews.

2. Definitions

   Information Security Officer (ISO) is responsible person for developing, reviewing, evaluating, and managing the University's Information Security Program.

   Information Security Program is the framework of general principles, guidelines and security controls and elements used to protect University data and assets and to satisfy the laws and regulations relevant to information security.

   Information Security Review is a summary of security recommendations and safeguards to be developed by the University, the IT Security Team and the technical staff for the continued protection of information technology assets.

3. Standards Statement

   The Old Dominion University Information Security Program elements are reviewed on an annual cycle and when significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

   The IT Security Program Reviews include assessing opportunities for improvement of information security policy and the approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions, or technical environment.

   The ISO reviews should include information on these topics as appropriate:

   • feedback from interested parties
   • results of independent reviews
   • status of preventive and corrective actions
   • results of previous ISO reviews
   • process performance and information security policy compliance
   • changes to the organizational environment, business circumstances, available resources, contractual, regulatory, and legal conditions, or to the technical environment
   • trends related to identified threats or vulnerabilities
   • reported information security incidents
   • recommendations provided by relevant authorities

   ISO management reviews will document decisions and\or actions related to:

   • improvement of the organization's approach to managing information security and its processes
   • improvement of control objectives and controls
   • improvement in the allocation of resources and\or responsibilities

   Based on the results of the reviews, the ISO Office develops an IT Security Review outlining strategies and actions for the protection of the confidentiality, integrity, availability, and accountability of the University's information technology assets.

4. Procedures, Guidelines & Other Related Information

   Federal and State Law

   University Policy 3505 - Security Policy

5. History

   Date	Responsible Party	Action
   April 20, 2010	CIO/ITAC	Approved
   October 2011	CIO/ITAC	Reaffirmed
   August 2015	IT Pollicy Office/ISO	Three year review, updated links.
   July 2018	IT Policy Office	Definitions and links checked
   November 2021	IT Policy Office	Definitions and links checked