Policies and Standards
Purpose
Following a comprehensive IT audit completed in March 2009, VCU IT Assurance Services recommended that the VCU School of Medicine develop a more comprehensive set of security standards and procedures to be applied to all VCU School of Medicine departments. These standards should comply with the more restrictive of the VCU Information Security Standards and the VCU Affiliated Covered Entities (ACE) policy, so that compliance with both is ensured. Additionally, a prescribed exception policy should document instances in which there is a clear business reason for non-compliance.
As a required response to the audit recommendation, an IT audit resolution committee (ITARC) was appointed by the dean to develop the Information Security Standards for the VCU School of Medicine.
VCU SOM Information Security Standards
The following standards have been developed and carefully reviewed by the IT Audit Resolution Committee and the VCU School of Medicine management team. It is the responsibility of all VCU School of Medicine personnel to read, understand, and abide by these standards in order to ensure proper information security within the VCU School of Medicine.
- Information Security Standard Summary [PDF]
- Sensitive Data Classification Guideline [PDF]
- Business Continuity Management Standard for IT Systems [PDF]
- Data Handling and Storage Standard [PDF]
- Handheld Mobile Device Security Standard [PDF]
- Personnel Security Standard [PDF]
- Physical Security Standard [PDF]
- Removable Storage Media Security Standard [PDF]
- Research Equipment Workstation Security Standard [PDF]
- Workstation Security Standard [PDF]
For a list of forms and templates, including the exception form, data sharing agreement, and remote access request form, please visit the Forms and Templates section of the website.
VCU Information Security Policies and Guidelines
- VCU Information Security Standards [Word]
- Confidential Information and Privacy [PDF]
- Data Classification Guidelines [PDF]
- Email Transmission of Confidential Data [PDF]
- Password Standard [PDF]
- Remote Access Standard [PDF]
- Security Standard for Encryption [PDF]
- Research Data and Intellectual Property Standard [PDF]
- VCU Office of Research Policies and Guidelines [Link]
VCU ACE Security Policies
The VCU Affiliated Covered Entity (ACE) Security Policies apply to all personnel who have access to any Electronic Protected Health Information (EPHI). This set of policies governs workstations and personnel on the VCUHS, VCUSecNet, and VCUSecureNet networks. Since most of the School of Medicine operates on these networks, it is imperative that anyone who handles EPHI review these policies and ensure compliance with them.
