的目的 资讯科技标准 是指定要求遵守旧道明大学信息技术政策, 其他大学政策, as well as applicable laws and regulations. 标准可能包括业务原则, 最佳实践, 技术标准, 迁移和实现策略, 指导设计, deployment and management of information technology.

1. 目的

   本指南的目的是支持大学政策3509，并确保基于软件的技术, 应用程序和服务 meet University information technology requirements, are compatible with existing technology standards and services, ，以配合资讯科技的发展重点，而不会造成不必要的服务中断或其他风险，影响大学业务的有效运作.

2. 定义

   数据所有者 -负责监督与捕获相关的数据管理职能的大学雇员(通常为注册主任或单位主任级别), 维护, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview.

   项目管理办公室(PMO) -信息技术服务办公室(ITS)内的一个战略职能单位，促进和推进项目管理原则和服务的信息技术(IT)项目在最靠谱的网赌软件.

   Software Technologies, Applications and 服务s -计算机程序或一组计算机程序及相关数据，在大学系统和信息技术资源上运行或与之交互. 这些包括, 但不限于, 系统软件, 应用软件, 以及编程软件, whether delivered as software as a service (cloud), 主持, 或本地安装在ODU系统上.

   系统所有者 -负责运营和维护大学IT系统或监督其职权范围内托管系统的经理或部门负责人.

3. 的指导方针

   University Policy 3509 establishes the practice that for software technologies, 应用程序和服务, 采购前, 提出申请的部门将展开软件决策分析，以评估与大学现有服务的整合需求, 制度和标准, 以及运营支持要求.

   大学政策3504, 数据管理政策, establishes the need for IT security roles and responsibilities, 及ITS标准01.2.0, IT安全角色和职责, 确立系统所有者为负责大学IT系统或其职权范围内托管系统的操作和维护的人, including adhering to University policy and standards, managing the risks and maintaining compliance associated with their systems. ITS和采购服务支持系统所有者作为他们所监督的系统的管理者.

   新购买的

   1. 用于新购买的软件技术, 应用程序和服务, 请求者可以通过ITS项目管理办公室发起软件决策分析(SDA), which assists with initial information gathering. ITS将协助完成软件决策分析和结果总结，通知系统所有者和其他人员:
      • 法规遵从性
      • 数据分类
      • 当有保证时，记录风险
      • Whether a contract addendum is required, and which contract addendum applies
      • Whether a third-party assessment is required
      • How authentication and account management are addressed
      • Whether remote access is required to the ODU network
      • 是否可能需要一个智能交通系统项目
      • IT security roles and responsibilities for 系统所有者 and Data Owner(s)
      • Sign-off by 系统所有者 and Data Owner(s)
      • When warranted in the estimation of the 系统所有者, Data Owner or Chief 资讯保安办事处r (CISO), CISO和首席信息官(CIO)根据业务需求和已识别的风险进行审查和评论，并由负责的副总裁或助理/助理副总裁接受
   2. After appropriate procurement procedures and documentation are complete, Procurement 服务s may execute the contract, with the appropriate addendum and assessments as specified in the SDA summary, once the summary is accepted by the 系统所有者 and Data Owner(s) and, when warranted in the estimation of the 系统所有者, 数据所有者和CISO, 首席信息安全官和首席信息官的审查和评论, 并由负责的副总裁或助理副总裁根据业务需求和已识别的风险接受.
   3. Risk-based decisions may be made by the 系统所有者, in collaboration with the Data Owner and ITS Security, 在软件决策分析得到相关方的批准后，采购服务部签订并执行合同. 这包括系统所有者接受对附录的修改，以保护软件决策分析总结中确定的托管数据和剩余风险. 数据所有者 have the discretion to deny the sharing of data under their stewardship.
   4. If, 在系统所有者的评估中, 数据所有者或CISO, the risks fall outside of what is considered acceptable based on numerous factors, but the business need for the system requires purchase, 负责的副校长或助理副校长可以通过签署软件决策分析摘要代表学校接受风险.
   5. 对于本质上不需要这样的分析的IT采购，可以做出软件决策分析的例外, or that are reviewed and implemented through different processes, 如:
      • Desktop software that involves no cloud storage of protected data, 无远程访问要求, and is implemented according to applicable 它的标准s.
        • Example: Word Processor with templates that are stored in cloud
      • 学术, instructional or research desktop software that involves no cloud storage of protected data, 无远程访问要求, and does not introduce privacy or security considerations.
      • 订阅SaaS(软件即服务)解决方案，允许访问不涉及ODU共享受保护数据或与ODU系统集成的第三方数据或服务.
        • Example: Subscription access to business data used for SCoB business analysis
      • 不涉及受监管数据且被认为风险较低的SaaS软件可能只会得到最少的文档和合同支持.
        • Examples: TeamDynamix, or other 主持 solutions involving no regulated data
      • Site Licensed software that is managed by ITS, 没有云存储数据, and is implemented according to applicable 它的标准s.
      • Commodity hardware such as routers, switches, rack servers, etc. 不需要新的软件组件.
      • 软件技术, 不符合《网上十大网赌娱乐大全》标准的服务和系统.

      第三方评估 may be industry standard SOC II type reports, or a report that provides a similar assurance relative to the risks involved.

      • For all systems involving regulated data (confidential or restricted), 采购前 processing and\or contract execution, the 系统所有者 will seek to collect a third-party assessment report prior to purchase, ITS安全运营部将根据与系统相关的风险进行适当的审查. Reports will be reviewed for restricted systems, and reports may be reviewed for confidential systems.
        • FERPA的机密资料通常会根据我们的FERPA资料拥有人(http://vcxftz.guoyao100.net/about/monarchcitizenship/ferpa), no third-party assessment will be required.
          
      • 对于数据受限的系统, the 系统所有者 will collect the third-party assessment annually thereafter, 在任何续约之前, which will be reviewed by ITS Security Operations.
      • 对于具有机密数据的系统, 在任何续约之前, the 系统所有者 will collect third-party assessments upon renewal of the contract, which may be reviewed by ITS Security Operations, based on the degree of risks associated with the system.
        • FERPA的机密资料通常会根据我们的FERPA资料拥有人(http://vcxftz.guoyao100.net/about/monarchcitizenship/ferpa ), no third-party assessment will be required.

      系统风险评估 是否与软件决策分析的风险部分相关，并按08完成.01.0风险评估标准.

      • For new systems that are classified as restricted during the software decision analysis, 系统风险评估将在项目阶段由系统所有者在ITS安全运营部门的协助下进行，并在投入生产前完成.
      • For new systems classified as confidential during the software decision analysis, the Software Decision Analysis Summary will serve as the system risk assessment.
      • 对于低风险系统, 完成完整的系统风险评估是低优先级的，不应影响有效的操作.
      • 系统风险评估 can be requested by submission of an ITS support ticket.

   续签

   在续签时, 采购服务部将遵循其技术软件更新指南，支持系统所有者续签合同.

   If there is no Software Decision Analysis Summary or System Risk Assessment on record, a best effort will be made to conduct a review before renewal.

   • 续订的软件决策分析按照与新购买相同的程序处理.
   • 采购事务处可继续续订现有服务，以保持服务的可用性. 在这种情况下, 软件决策分析或系统风险评估将由系统所有者尽快安排，但不迟于合同签订后一年，并将提供给采购服务部门.

4. 标准、程序、指南 & 其他相关资料

   University Policy 3509 - Software Decision Analysis Policy

   采购指南# 11-015:软件年度续订

   ITS标准08.01.0 -风险评估标准

   它的标准 02.3.0 -数据管理 & 分类标准

5. 历史

   日期	负责任的政党	行动
   2018年9月	资讯保安办事处	创建
   2019年7月	资讯保安办事处	更新