Regulations and Policies
Federal Regulations
Policy | Description |
---|---|
HIPAA Privacy Rule | |
Common Rule (45 CFR Part 46, Subpart A) | |
FDA (21 CFR Parts 50 and 56) | Federal laws and regulations pertaining to food and drugs, both legal pharmaceuticals and illegal drugs. |
NIST SP 800-171 | Confidentiality of Controlled Unclassified Information (CUI) for non-federal systems and organizations. |
Department of Defense Cybersecurity Maturity Model Certification (CMMC) | A verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI). |
Defense Federal Acquisition Regulation Supplement (DFARS) | Department of Defense (DoD) cybersecurity regulations regarding external contractors and suppliers. |
International Traffic in Arms Regulations (ITAR) | Export and import of items and data related to defense articles. |
Dept of Commerce Export Administration Regulations (EAR) | Export of "dual-use" items, including goods and related technology, technical data, and assistance, that are designed for commercial purposes but could have military applications. |
Treasury Dept Office of Foreign Assets Control (OFAC) | Economic and trade sanctions based on US foreign policy and national security goals. |
European General Data Protection Regulation (GDPR) | Legislation that updated and unified data privacy laws across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018. |
Institutional Policy
Policy | Description |
---|---|
WVU Acceptable Use Policy | Rules that govern the use of the devices and information systems at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure both the protection of University Data and compliance with University policies and applicable laws and regulations. |
WVU Information Security Policy | Safeguarding hardware, software, and information systems utilized at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure the Confidentiality and Integrity of University Data. |
WVU Sensitive Data Policy | Classification and security of data collected, generated, used, or stored by or on behalf of West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Data”). |
WVU Data Retention Policy | Systematic review, retention, and destruction of Records received or created at West Virginia University, including West Virginia University Institute of Technology and Potomac State College of West Virginia University (collectively the “University”). |
Data Destruction & Sanitation Policy | Establishes the minimum sanitization requirements pertaining to data, storage media, and/or device(s). This Standard is based on NIST 800-88: Guidelines for Media Sanitization. |
WVU Procurement | Processes and services for the purchase of research-related technologies; includes information security reviews. |
Research Standard Operating Procedures
Policy | Description |
---|---|
RDM SOP 001 | Research Data Management and Protection at WVU |
RDM SOP 002 | Use of WVU Health System Medical/Dental Records |
RDM SOP 003 | Human Research Data Protection |
RDM SOP 004 | Audit and Oversight of NIH Data Management and Sharing Plans |
RDM SOP 005 | Research Data and Technology Risk Management |
RDM SOP 006 | Research Data Risk Categories |
WVU OHRP SOPs | |
WVU Human Subject Data Protection Process | |
WV CTSI SOPs | |