Regulations and Policies

Federal Regulations

Table of federal data security and protection regulations.
Policy	Description
HIPAA Privacy Rule	Conditions under which protected health information may be used or disclosed by covered entities for research purposes Defines informed consent for research
Common Rule (45 CFR Part 46, Subpart A)	Compliance by research institutions Researchers' obtaining, waiving, and documenting informed consent Institutional Review Board (IRB) membership, function, operations, review of research, and record keeping.
FDA (21 CFR Parts 50 and 56)	Federal laws and regulations pertaining to food and drugs, both legal pharmaceuticals and illegal drugs.
NIST SP 800-171	Confidentiality of Controlled Unclassified Information (CUI) for non-federal systems and organizations.
Department of Defense Cybersecurity Maturity Model Certification (CMMC)	A verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI).
Defense Federal Acquisition Regulation Supplement (DFARS)	Department of Defense (DoD) cybersecurity regulations regarding external contractors and suppliers.
International Traffic in Arms Regulation (ITAR)	Export and import of items and data related to defense articles.
Dept of Commerce Export Administration Regulation (EAR)	Export of "dual-use" items including goods and related technology, technical data and assistance designed for commercial purposes but could have military applications.
Treasury Dept Office of Foreign Assets controls (OFAC)	Economic and trade sanctions based on US foreign policy and national security goals.
European General Data Protection Regulation (GDPR)	Legislation that updated and unified data privacy laws across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018.

Institutional Policy

Table of WVU institutional policies for data security and protection.
Policy	Description
WVU Acceptable Use Policy	Rules that govern the use of the devices and information systems at West Virginia University, West Virginia Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure both the protection of University Data and compliance with University policies and applicable laws and regulations.
WVU Information Security Policy	Safeguarding hardware, software, and information systems utilized at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Technology Resources”) to ensure the Confidentiality and Integrity of University Data.
WVU Sensitive Data Policy	Classification and security of data collected, generated, used, or stored by or on behalf of West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Data”).
WVU Data Retention Policy	Systematic review, retention, and destruction of Records received or created at West Virginia University, including West Virginia University Institute of Technology and Potomac State College of West Virginia University (collectively the “University”).
Data Destruction & Sanitation Policy	Establishes the minimum sanitization requirements pertaining to data, storage media, and/or device(s). This Standard is based on NIST 800-88: Guidelines for Media Sanitization.
WVU Procurement	Processes and services for the purchases of research related technologies; includes information security reviews.