IT Security
Board of Trustees Policy: 5.17
Date: July 2024
Supersedes: June 2020, January 2010
Purpose
Security breaches of data and technology pose a very real and very expensive Threat to the College. Security Safeguards must be in place to protect the College from these Threats, based upon the Risk they impose. The purpose of this policy is to enable the College to help protect all College data, ensure Availability and Integrity of technology required to run the College (networks, applications, data warehouses, etc.), and to comply with laws and regulations governing data privacy and protection.
Scope
The scope of this policy includes IT security management for all the College facilities, data, technology, and all Users. This policy does not include the management of non-IT related assets, such as paper records.
Policy
The College will ensure the Confidentiality, Integrity, and Availability of technology and data through the development and implementation of Compliance Standards which address various IT security requirements. These standards will follow industry-defined best practices in securing technology and data.
Roles and Responsibilities
The Board of Trustees delegates responsibility for the evaluation and approval of Compliance Standards that are part of the IT Security Program to the College President.
The Executive Director of Information Technology Security will serve as the College’s Information Security Officer. In this role, the Executive Director of Information Technology Security is responsible for the development, implementation, and continued administration of the IT Security Program’s Compliance Standards. Once approved by the President, the Compliance Standards will be implemented by the Executive Director of Information Technology Security.
Any User that Accesses any IT Asset play a crucial role in ensuring the success of the IT Security Program, and that responsibility must be viewed as a top priority of any User. For example, Users must create strong passwords, protect his or her login credentials, and utilize the College’s resources that are made available to ensure the safe storage and transmission of data.
Compliance Standards Overview
Compliance standards will be added, removed, and modified within the IT Security Program depending on changes to best practices in the industry. These standards will require the Executive Director of Information Technology Security, and those members of the College information technology staff designated by the Executive Director of Information Technology Security, to take steps to protect the College’s data and technology, such as:
- Perform Risk Assessments of the College’s IT Assets;
- Install, maintain, and review security Safeguards to achieve acceptable levels of Risk;
- Classify data according to its Sensitivity and Criticality to the College;
- Educate the College community of the importance of protecting sensitive data and methods for identifying and reporting suspected security incidents;
- Strategically and efficiently respond to IT security incidents;
- Maintain security Safeguards to protect the College’s Network Devices;
- Define secure practices for the electronic transfer of sensitive data;
- Implement security Safeguards to prevent, detect, and resolve IT Security Incidents arising from Threats that target networks, systems and Users;
- Define the security requirements for Users who Access sensitive IT Assets from remote (i.e., off campus) locations;
- Maintain security Safeguards against the infection and propagation of Malware;
- Properly manage User Identification, Authentication, and the creation and protection of strong Passwords;
- Maintain a program for ongoing Vulnerability management;
- Address vulnerabilities in IT Assets with Security Updates in a timely manner;
- Limit Access to sensitive IT Assets to permit Users the ability to Access only those resources required to perform their approved duties;
- Develop and follow appropriate data Backup and Recovery procedures;
- Implement security Safeguards restricting physical Access to areas that contain sensitive IT Assets;
- Define the requirements for maintaining, reviewing and securing logs on the College’s systems and IT Assets so that potential security incidents are identified and addressed in a timely manner;
- Establish rules for managing Third-Party Access to sensitive IT Assets, as well as protecting the College’s IT Assets after granting Access to a Third-Party;
- Implement appropriate data loss prevention measures to prevent and detect data breaches.
Consequences for Non-compliance
Whenever a User is found to be negligent in, or have a disregard for, the compliance with an IT security Compliance Standard, the College will determine the appropriate action to take against the User. By way of example, the College may determine in a case of simple negligence or inadvertent mistake that training the User is appropriate. The College may consider certain single incidents of non-compliance to be so harmful as to immediately rise to the level of more serious disciplinary consequences, up to and including a long term suspension of employment, termination of employment, removal of service, academic suspension, academic expulsion, termination of Third-Party relationship, or termination of contract.
Definitions
Access
The permission to enter, view, instruct, communicate with, store data in, retrieve
data from, or otherwise make use of specific information resources
Authentication
The process of verifying that a User or computer is who it purports to be, via Password,
token, or other credential
Availability
The assurance that information and communications services will be ready for utilization
when expected
Backup
The copying of data to a secondary medium (e.g., disk, tape) as a precaution in case
the primary medium fails
College
º£½ÇÉçÇø
Compliance Standard
A document in the IT Security Program which addresses a specific area of IT security,
and defines the appropriate security requirements for that area
Confidentiality
The assurance that information will be kept secret, with Access limited to the appropriate
Users
Criticality
The classification given to data which determines the importance of maintaining its
Availability
Integrity
The assurance that information is not accidentally or maliciously altered or destroyed,
and is timely, accurate, complete, and consistent with its intended purpose
IT Asset
An IT-related hardware, software, and data resource which support the College’s mission
IT Security Incident
An IT-related event which causes a breach of Confidentiality, Integrity, and/or Availability
of an IT Asset
IT Security Program
The collection of policies, Compliance Standards, procedures, and other documentation
which support the College’s goals in regards to IT security
Log
The chronological record of events which occur against an IT Asset, including connection,
User login, Access, and other various events, independent of whether or not any actual
or attempted security violations occurred
Malware
Malicious software (e.g., viruses, worms, Trojans) developed for the purpose of causing
disruption to the Confidentiality, Integrity, or Availability to an IT Asset
Network Device
An IT Asset which forms part of the underlying connectivity infrastructure for a network
(e.g., router, switch, firewall, intrusion prevention system, content filtering system,
remote access system)
Password
A secret string of characters which provides Authentication for a User account necessary
to gain Access to an IT Asset
Recovery
The restoration of data to a secondary medium (e.g. disk, tape) in an instance where
the primary medium fails
Risk
The combination of the probability of an event and its consequence
Risk Assessment
The process of discovering, analyzing, interpreting, and prioritizing IT security
Risks by examining Threats to and vulnerabilities of IT Assets, determine the magnitude
of Risks, and determine the acceptability of Risks
Safeguard
An administrative, technical, or physical entity that enforces or promotes the security
of an IT Asset
Security Update
A software patch which mitigates a security Vulnerability in an IT Asset
Sensitivity
The classification given to data which determines the importance of maintaining its
Confidentiality and Integrity
Third-Party
A person or organization not internal to the College
Threat
The potential for a Threat-source to accidentally trigger or intentionally exploit
a specific Vulnerability
User
Any faculty member, staff member, contractor, student, or Third Party having Access
to an IT Asset or electronic data of the College
User Identification
The process of determining the identity of a User in an IT system (e.g., Usernames)
Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal
controls that could be accidentally triggered or intentionally exploited and result
in a security breach or a violation of the system's security policy