University Policy 3509

Solutions Discovery Analysis (SDA) Policy

  • Responsible Oversight Executive: Vice President for Digital Transformation and Technology
  • Date of Current Revision or Creation: July 10, 2024
  • Download Policy PDF

The purpose of this policy is to ensure that software-based technologies, applications, and services are thoroughly reviewed to meet information technology security regulations and associated business requirements and are compatible with existing technology standards and services without introducing unnecessary service interruptions or other risks to the efficient operation of business at the University.


, grants authority to the Board of Visitors to make rules and policies concerning the institution. Section 7.01(a)(6) of the Board of Visitors Bylaws grants authority to the President to implement the policies and procedures of the Board relating to University operations.

, Restructured Higher Education Financial and Administrative Operations Act


Data Compliance Owners – As defined in , University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview. Data Compliance Owners understand the compliance requirements for their data, designate the compliance level of their data, and approve access to their data. University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as Human Resources, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee data that is specific to a departmental application or system and is not overseen by one or more of the University Data Compliance Owners.

Information Security Governance, Risk, and Compliance (GRC) – A strategic functional unit within the University Information Security Office serving the campus community by assisting with compliance with federal and state regulations and with University policies, standards, and guidelines, and by managing potential security risks to the University. The GRC team also seeks to provide University leadership with the tools needed to make informed risk-based decisions that best support the mission of the University.

Project Management Office (PMO) – A strategic functional unit within the Office of Information Technology Services (ITS) that promotes and advances project management principles and services for Information Technology (IT) projects at Old Dominion University.

Services – Professional services, including consulting, designing, organizing, and managing University environments (including access to University data), to assist or do work on behalf of University employees. This includes consultation to departments on the security aspects of potential software purchases, ensuring alignment with the University's overall security objectives.

Software Technologies and Applications – Computer programs, or a group of computer programs and related data, that process, store, or access University data, or operate on or interact with University systems and information technology resources. These include, but are not limited to, system software, application software, and programming software, whether delivered as software as a service (cloud-based), hosted, or installed on-premises on ODU systems.

System Compliance Owner – As defined in , a manager or departmental head responsible for the operation and maintenance of a University IT system or for overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

This policy applies to all employees and employees of affiliated organizations who are paid through the University in academic and administrative units who procure software technologies. Employees include all staff, administrators, faculty, full- or part-time, and classified or non-classified persons who are paid by the University. Affiliated organizations are separate entities that exist for the benefit of the University through an operating agreement and include the Foundations, the Community Development Corporation, and the Alumni Association.

This policy applies to all software technologies, applications and services, including single quantity, open-source, commercially available or independently developed software, that are determined to meet one or more of the following criteria for review, regardless of who initiates the acquisition or the origin of the funding source:

  • requires the use of University IT systems and resources, with exceptions as noted in ITS Guidelines;
  • requires on-going maintenance by ITS;
  • collects, stores, displays, or exports personally identifying data, non-public personal or financial information, protected health information, or student records, or will store or manage data that is subject to legal controls (Ex. FERPA, HIPAA);
  • interfaces with an existing enterprise system application, such as MIDAS, Banner, course management system, etc.; or
  • has implications for physical safety.

Note: Anyone who is uncertain about whether a planned acquisition or development of software technology, application, or service is subject to this policy should contact Information Security GRC.

The Solutions Discovery Analysis process, in collaboration among the requesting department, Procurement, and ITS, is one way to apply due care in expanding adoption of information security reviews. In cases where systems are purchased prior to completing a solutions security review or system risk assessment, it will remain the responsibility of the requesting department to initiate and complete the review in collaboration with Information Security GRC.

Software technologies, applications and services are to be implemented in ways that contribute to the effectiveness and efficiency of the institution and promote compliance with University standards. Prior to procurement of any new software technologies, applications or services as defined within the scope of this policy, the System Owner will initiate with Information Technology Services (ITS) an evaluation to assess integration requirements with existing University services, systems and standards, and operational support requirements. The primary goals are determination of integration challenges or coordination needs, information gathering for initiating an IT project, assistance in assessment of redundant services that may be leveraged, assistance with maintenance and cost analysis when appropriate, fostering appropriate dialogue among various stakeholders and operating units, and resource planning. Additional benefits include documentation of the specific data that are involved, gaining Data Owner approval for use of the data, facilitating the proper contract addendum for sharing the data, and supporting identity and access considerations according to ODU IT security standards.

Departments and administrative units contribute to and share responsibility for the deployment of software technologies, applications and services. Specifically, they are responsible for:

  • gathering information on software technologies, applications and services;
  • initiating a software decision analysis with the ITS PMO prior to the procurement;
  • understanding information security roles and responsibilities;
  • supporting University standards and compliance;
  • conducting ongoing maintenance; and
  • managing cost of ownership.

The ITS PMO is responsible for (i) accepting and tracking requests for reviews and (ii) coordinating timely responses to the departmental or administrative units.

ITS is responsible for reviewing submissions and sharing findings with departments and appropriate administrative units. The review will include:

  • an analysis of compliance with Federal and University regulations and University policy;
  • a technical review, including a security review and an integration review when appropriate; and
  • ongoing maintenance and cost of ownership review, when appropriate.

ITS and the requesting department will use the following standards and guidelines for reviewing and making recommendations:

  • compatibility with the University's computing and network environments;
  • compliance with the University's IT standards and Software Decision Analysis and System Risk Analysis Guideline;
  • suitability based on needs assessment;
  • licensing compliance for software purchase;
  • hardware and software that can be efficiently supported; and
  • availability of sufficient University resources (including initial and recurring costs).

The outcome of the review will be an analysis of the technology's ability to be compliant with and successful in the University's IT environment. If applicable, recommendations will be made to prevent or mitigate risks. Software acquisitions that do not meet ITS recommendations will not be supported without approval of the requesting department's Vice President.


The requesting department applies this policy for the Information Technology software, system, or service planned for implementation at Old Dominion University according to the criteria established within the policy.

  1. Departments considering a planned acquisition or development of software technology, application, or service are subject to this policy and should contact the IT Project Management Office which will initiate the Solutions Discovery Analysis process.

  2. The requesting department gathers information about the software and submits an ITS Solutions Discovery Analysis Request to ITS to assist in the data collection. Other information needed will consist of technical documentation, hardware requirements, vendor practices, security, consulting, etc. ITS staff will be available to consult upon request. Early planning is strongly encouraged in order to avoid unnecessary delays.

  3. Information Security GRC assesses the information with technical support staff and/or the vendor for further clarification as needed on specific items in the review document. The time required to complete a review can vary based on the complexity of the system and the timing in the academic and budget cycles of the University.

  4. Following the assessment, ITS provides a summary including whether contract protections are needed via use of the relevant Addendum Form, whether further architectural review is needed, whether an IT project is needed, and identification of data compliance ownership and responsibilities.

  5. The departmental System Compliance Owner for the requested system will sign off on the ITS findings, acknowledging security responsibilities as the System Compliance Owner. When ODU data is involved, the Data Compliance Owner(s) will sign off to approve the use of the data, as will other designated roles such as system administrator or application administrator when warranted.

Questions regarding this policy should be directed to the Information Security GRC Office via email at itsriskandcompliance@odu.edu.


Applicable records must be retained and then destroyed in accordance with the .

Associate Vice President and CIO, Information Technology Services


Policy History

Policy Formulation Committee (PFC) & Responsible Officer Approval to Proceed:

/s/ Kirk Dewyea, Responsible Officer. Date: July 2, 2024

Policy Review Committee (PRC) Approval to Proceed:

/s/ Donna W. Meeks, Chair, Policy Review Committee (PRC). Date: May 28, 2024

Executive Policy Review Committee (EPRC) Approval to Proceed:

/s/ Nina R. Gonser, Responsible Oversight Executive. Date: July 2, 2024

University Counsel Approval to Proceed:

/s/ Allen T. Wilson, University Counsel. Date: July 10, 2024

Presidential Approval:

/s/ Brian O. Hemphill, Ph.D., President. Date: July 10, 2024

Previous Revisions: May 4, 2012; August 1, 2019; July 10, 2024

Scheduled Review Date: July 10, 2029