Cybersecurity Risk Policy

• This policy applies to all University students, faculty and staff and all other individuals and entities including, but not limited to, contractors, temporary employees, sponsored researchers, affiliates, visitors, and volunteers (collectively, “Authorized Users”).

GW Information Technology (“GW IT”) will assess the University’s cybersecurity risk and manage any identified risk for the purpose of eliminating or minimizing the likelihood and impact of threats and vulnerabilities to the greatest extent practical. GW IT manages and mitigates cybersecurity risk by, among other things, establishing policies and guidance on the use of GW IT Resources, instituting cybersecurity risk standards and procedural controls, and providing security awareness training for Authorized Users.

Any data stored or processed using GW IT Resources falls within the scope of this policy which is governed by the IT Cybersecurity Risk Management Standard. The standard outlines requirements and processes for assessing and managing the cybersecurity risk associated with those GW IT Resources that collect, transmit, store, or process data used to accomplish university operations such as research, teaching, learning and administrative support.

GW IT is responsible for detecting suspected or known security threats or emerging indications of compromised systems. GW IT accomplishes this by evaluating the content of University systems, network behavior, and third-party technology products and services acquired by the University. GW IT is also responsible for making decisions for network and cybersecurity defensive measures that protect the confidentiality, integrity, and availability of GW IT Resources.

In addition to the responsibilities of GW IT, Authorized Users play an important role in mitigating cybersecurity risk while using GW IT Resources both on campus and when accessing GW IT Resources remotely. Authorized Users are required to:

• Comply with GW’s Acceptable Use of IT Resources Policy.
• Comply with GW’s Identity and Access Management Policy and Standards.
• Complete assigned security awareness training.
• Understand and observe their responsibilities related to their stewardship of data and services, including compliance with the University’s Data Management and Protection Standard.
• Safeguard the confidentiality, integrity and availability of the University’s information residing on or connected to GW IT Resources.
• Only use University managed or approved devices to conduct GW activities, to the greatest extent possible. In circumstances when a non-GW managed device is used to conduct GW activities, follow the University’s Data Management and Protection Standard.
• Have all software or hardware to be used on the university network reviewed or assessed by GW IT consistent with the Procure to Pay Purchasing Review Process prior to the acquisition or installation.

In addition, Authorized Users conducting research activities may unintentionally be at greater risk of exposure to malware or other vulnerabilities that may degrade GW IT Resources and put GW research information at risk for fraud, theft, or misappropriation. Accordingly, research activities that involve use of GW IT Resources must be conducted in compliance with University policies, Office of Vice Provost of Research requirements, and applicable laws and regulations. This may include, but is not limited to, agreements and plans that outline data use and protection and obtaining the appropriate security reviews and approvals prior to project initiation.

Enforcement and Penalties

Non-compliance with this policy may result in restriction and possible loss of access to GW IT Resources. Non-compliance may also result in disciplinary action up to and including termination (employees) or suspension/expulsion (students).