Virginia Western, VCCS & Commonwealth of Virginia Standards Compliance

Virginia Western’s computer systems are governed by VWCC guidelines, VCCS guidelines and Commonwealth of Virginia policy. These standards are revised frequently in order to adapt to changing security challenges. Information and Educational Technologies is tasked with managing VWCC compliance as a system owner.  Storage guidelines are part of an overall effort to improve information systems reliability and security in the Commonwealth of Virginia, as well as protect the privacy of the individuals we serve.

Our systems are subject to APA and VCCS audits. As a user of resources governed by this standard, your stewardship is a key element of our compliance efforts.

Raising security awareness and assessing risks is the key to any successful information system security program.

What is Sensitive Data?

Sensitive data is the first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the data elements are neither encrypted nor redacted.

Definitions

Encrypted means to encode the data in such a manner as to render it unreadable without an encryption key, as defined by accepted encryption standards.

Redact means to alter or truncate data such that no more than the following parts of the information are accessible:

  1. Five digits of a social security number; or
  2. The last four digits of a driver’s license number, state identification card number, or account number.

Sensitive Items

  1. Social security number.
  2. Driver’s license number or state identification card number issued in lieu of a driver’s license number.
  3. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.
  4. Other personal identifying information, such as insurance data or date of birth.

Note: The term does not include information that is lawfully obtained from publicly available information or from federal, state, or local government records lawfully made available to the general public.
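As an added example (not from the VWCC page or its procedures), the following check applies the definition above to a record: a name linked to an SSN, license or ID number, an account number together with its access code, or other personal identifying information makes the record sensitive unless the element is redacted as defined. The field names and the sample records are assumptions constructed for illustration.

```python
# Added example: record-level classifier for the page's definition of sensitive
# data. Field names ("ssn", "account", "dob", ...) are assumed, not from the page.

def digits_visible(value: str) -> int:
    """Count digits still readable after masking characters such as 'X' or '*'."""
    return sum(ch.isdigit() for ch in value)

def is_redacted(field: str, value: str) -> bool:
    """Redaction rule from the page: at most five digits of an SSN, or only the
    last four digits of a license, state ID or account number, may be visible."""
    n = digits_visible(value)
    if n == 0:
        return True                      # fully masked
    if field == "ssn":
        return n <= 5
    # Other numbers: the visible digits must be exactly the trailing four or fewer.
    return n <= 4 and value[-n:].isdigit()

def classify(record: dict) -> tuple[bool, list[str]]:
    """Return (is_sensitive, reasons). A record with no linked name is out of scope."""
    name = record.get("name", "").strip()
    if len(name.split()) < 2:            # need first name/initial plus last name
        return False, ["no name linked to the data elements"]
    reasons = []
    for field in ("ssn", "drivers_license", "state_id"):
        value = record.get(field)
        if value and not is_redacted(field, value):
            reasons.append(f"{field} not redacted ({digits_visible(value)} digits visible)")
    account = record.get("account")
    has_code = any(record.get(k) for k in ("security_code", "access_code", "password"))
    if account and has_code and not is_redacted("account", account):
        reasons.append("financial account number together with its access code")
    for field in ("insurance", "dob"):
        if record.get(field):
            reasons.append(f"other personal identifying information: {field}")
    return bool(reasons), reasons

def count_sensitive(records: list[dict]) -> int:
    """Number of records that would need encryption or redaction before storage."""
    return sum(classify(r)[0] for r in records)

# Constructed sample records; the names and numbers are made up.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789"},                             # full SSN
    {"name": "J. Doe", "ssn": "XXX-XX-6789"},                               # 4 digits: redacted
    {"name": "Jane Doe", "ssn": "XXX-45-6789"},                             # 6 digits: not redacted
    {"name": "Jane Doe", "account": "****1234", "password": "pw"},          # last four: redacted
    {"name": "Jane Doe", "account": "4111111111111111", "password": "pw"},  # number + code
    {"name": "Jane Doe", "account": "4111111111111111"},                    # number alone: not listed
    {"name": "", "ssn": "123-45-6789"},                                     # no linked name
    {"name": "Jane Doe", "dob": "1990-01-01"},                              # other PII
]
```

Running `count_sensitive(SAMPLE_RECORDS)` on the constructed records flags four of the eight.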

All agency systems, processes, and logical and physical data storage locations that contain personally identifiable information are considered sensitive, and are therefore held to the compliance standard for systems containing sensitive data.

Storage of these items on COV and VWCC systems is not permitted unless it is specifically required for college business. Normal college business operations require that sensitive information be maintained in many departments. If your department is required to store sensitive information as defined above, you, as the data owner, are responsible for notifying Information and Educational Technologies of the need to store sensitive information and for classifying your data storage requirements as defined in the college’s Continuation of Operations and Disaster Recovery Plans.

Sensitive data is never to be stored in unencrypted form on portable storage devices, including laptop computers, CD/DVDs, USB keys, cell phones or PDAs. In the event that there is a business requirement to store sensitive data on a portable device, documentation of the nature of the data and justification for storing it on portable media must be submitted in writing to the College Chief Information Security Officer, along with documentation of the processes that will be used to secure this data. Information and Educational Technologies will work with the data owner to establish storage that is in compliance with the applicable state, VCCS and college guidelines.

Secure Transmission of Sensitive Data

Sensitive data must be protected from exposure to unauthorized persons, including when it is exchanged with authorized recipients outside the normal security boundaries of the VCCS network. Authorized recipients may include other VCCS employees, consultants, cloud services providers, or other entities with approved non-disclosure and acceptable use agreements on file.

Transmission of sensitive data using email is not allowed unless the data is included as an encrypted attachment or the email itself is sent encrypted. Note that some email servers will reject or strip off unrecognized attachments, so this method is not always reliable. Send the encryption key (password) to the recipient using an alternate communication method (e.g. cell phone) so that the data and the encryption key are transmitted separately.

VWCC has standard operating procedures for transmission of secure data as detailed in SOP-VWCC-007 Data Encryption available for review on request. Specific procedures for sending encrypted data are detailed in Secure transmission of information using Outlook Email (PDF).

Please contact the Help Desk if there are additional questions on the process.

Use of Non-Network Storage

Local Storage

The use of local hard drive storage is highly discouraged on physical and virtual machines! Information stored on local hard drives is not backed up by automated backup systems. Local hard drive storage is subject to failure and corruption and should not be used to store any information that is essential to business operations. This drive is considered a temporary storage location. By default, many applications and browsers download directly to the C:\Downloads folder. The desktop and any documents and data on the desktop are saved under the user profile, which is on the C drive. Deletion of the user profile, which is often done to remove malware, will remove data stored on the Desktop and in the Downloads folder. Virtual machines have a limited amount of C drive space, which can impact performance. Windows Explorer can be used to assess the amount of available space on the C drive and also to move important files to other, more suitable storage locations.

Sensitive data should not be stored on local storage unless there is a documented business need to do so and approval has been granted by the college Chief Information Security Officer or designee. Encryption should be used to protect the data from disclosure. Any backup media and encryption techniques used to make backups of local data must meet standards and be approved by IET before use.

Portable Storage

Portable storage, while very convenient, provides a particularly easy opportunity to transport malicious software, including programs capable of logging keystrokes, installing hidden Trojan programs and other software that can introduce problems for the college. Storage of this type that is not Commonwealth of Virginia property is expressly prohibited from being used on computers in the college system unless those systems are part of a segregated guest network. Administrative computer systems may only use storage devices that were purchased by the college and are used in systems owned by the college. One particularly simple method of breaking into computer systems is to leave portable storage devices around a work area or congregating place, knowing that many users will take them back to their systems to see what is stored there. The user of the computer system bears responsibility for violation of this guideline in the event of an incident, so please do not use non-COV devices in your computers!

CDs, DVDs or other media are never to be used to store and transport sensitive information in an unencrypted form!

Cloud Based Storage

Many cloud storage options are available. Google Drive, Microsoft OneDrive, SkyDrive and Dropbox are all examples of this type of storage. Each of these presents advantages and offers challenges that depend on specific configuration choices. Providers offer attractive cloud storage entry points. Cloud storage is ideal for storing and sharing cross-platform data that is of a non-sensitive nature. Care must be exercised when utilizing cloud storage options. Many cloud storage solutions can be configured to synchronize back to college local storage space and may create issues with storage quotas or fill up drives. The college is tasked with maintaining an efficient and secure storage infrastructure, which creates the need to ensure compliance to a level of standards that allows flexibility while effectively managing resources. Cloud storage options are never to be used to store and transport sensitive information in an unencrypted form!

Backups

Backups are done, at minimum, on a daily basis. Restoration of files is guaranteed after one backup cycle occurs at the end of the day. Tapes are archived for one month. Data is available for restoration for a maximum of 30 days. At this point the tapes are rotated back into the next backup cycle and overwritten. If files are deleted and need to be restored, a request should be submitted to the Help Desk to perform a restore operation.

Network Storage & Data Responsibilities

Information and Educational Technologies provides network storage to ensure that all work related, commonly accessed and modified files are backed up and available for restoration.

High speed, high availability storage, such as our network storage systems, carry a high cost of ownership and must be managed properly. Efficient and careful allocation of resources is requisite to the college mission.  Central storage management is a balance between providing a safe solution to hold essential work related data and becoming a repository for large amounts of rarely, if ever, accessed information.

Each system user is allocated 3.5 GB of network I: drive space and unlimited U: (utility) drive space upon initial account creation. The limit can and shall be increased where the business need exists. Mission critical, business related data is required to be stored on the network storage systems!

A review of the user’s storage requirements will be conducted when the limit is reached.  If data is not within the guidelines for appropriate network storage use, it can be migrated to another media or deleted at the discretion of the end user. This should be done promptly. Limits can be raised to allow for this process, but will be returned to normal when it is completed. Periodic internal audits of storage use may be performed to ensure compliance with guidelines.

The amount of data on the server is proportional to the time needed to back up and restore the information.  In the event of a server failure, it is important to return to normal operations as quickly as possible, which is expedited by conservative storage management policies.

Compression

Compression of data on the network drives is not supported or needed. Users are asked not to turn on compression. Turning compression on will not technically harm the system, but it will slow access time.

Data Ownership Responsibilities

System users are the custodians and owners of data that they store on the network, local drives and any other form of media including, but not limited to DVDR, CDR and CDRW, Disk on Key, external USB or firewire drives, as well as Internet storage resources. As custodians of this data, they are held responsible for compliance with Commonwealth of Virginia, the Virginia Community College System and Virginia Western policies and guidelines regarding data storage practices.  As a data owner, you must know what you are storing, why you are storing it and where it is being stored.  You should understand the risk of disclosure and the impact of loss of this data to your business unit!

Encryption

Information of a sensitive nature should only be encrypted using encryption techniques provided by the college’s computer systems. Use of encryption technologies on college business data that are not capable of being reversed by administrative processes authorized by IET is strictly prohibited.

WordPress

WordPress is open source software that can be used to create websites or blogs. Virginia Western uses WordPress in a number of places, including the Daily Bulletin, News, and this IET Services site.

If you think WordPress may be an appropriate solution for your project, please contact Web Admin at webadmin@virginiawestern.edu.

Virginia Western Events Calendar

Virginia Western utilizes an all-in-one event and academic scheduling system. Event requests can be submitted by logged in users. Not all resources are available for all users.

The Events Calendar, which includes Student Events, Community/Public Events, and the Academic Calendar, can be viewed at Virginia Western Campus Events.

Calendars available to submit events to:

How to Access Your Virtual Desktop from Off-Campus

VWCC secures sensitive data accessed from off-campus locations for all users using two-factor authentication. This secures access to sensitive data from off-campus, and you need to ensure that you are set up for authentication via your Office365 account credentials on your desktop or mobile device of choice. Please contact the Help Desk if you have problems following the instructions below.

Microsoft Azure Multi Factor Authentication

Multi Factor Authentication (MFA) ensures that you are who you claim to be by requiring multiple credentials from you before you are given access to software and/or resources. Microsoft Azure MFA integrates this authentication with your Office365 login, so you can also use it for access to your VDI desktop with minimum interaction. One of the biggest advantages of this process is that you do not have to log in to your VDI a second time, as you are pre-authenticated with your Microsoft account for Office365. If you are unsure whether you have been enabled to use this, please contact the VWCC Help Desk.

Accessing your Virtual Desktop

All off-campus access uses the secure gateway at remote.virginiawestern.edu using Microsoft MFA. If you are not able to use this gateway, please contact the Help Desk.

To Access Your Virtual Desktop with VMWare Horizon

[Screenshot: VMware Horizon download]
  1. These instructions assume that you are off-campus, are using a computer, laptop or other device to access your remote VDI desktop, and do not already have the VMware client installed. If you already have the client, skip to the next step. Open your web browser of choice and go to https://remote.virginiawestern.edu. You should see a screen like the one shown. Click on the option to Install VMware Horizon Client. This takes you to the VMware software download page with options to install the VMware Horizon client on your computer. Pick the one appropriate for your computer (e.g. Windows or Mac), then download and run the software to install it on the computer. You might have to reboot the computer to complete the install.
  2. Once the Horizon Desktop client or iOS app is installed, open it by clicking on the icon on your desktop.
    [Screenshot: VMware Horizon Add a server]
  3. If this is the first time you are using it, the empty Horizon client screen will open up.
    If, however, you have used the Horizon Client before, you will have other server icons in the window and need to click on the New Server option at the top left and add the entry for the remote.virginiawestern.edu server. If you had been using any other server, you must switch to the one noted above (remote.virginiawestern.edu) before you log in. Please contact the VWCC Help Desk if you need assistance with this.
    [Screenshot: VMware Horizon settings]
  4. Click on the Add Server icon, type in remote.virginiawestern.edu and click on Connect. Your default browser window will open, ask you to accept the disclaimer, and ask whether you want to open the connection using the Horizon client. Click accept and check the box saying that you want this to be the default, so it will not ask you the next time. That is all you need to do, as the VDI client will use your Office 365 credentials to log you in, as you normally do when using the other Office applications. You can close the browser window once you are connected. You should now have access to your VDI desktop.