College Information Resources are among the College's most valuable assets, and must be managed in a manner that supports appropriate levels of information integrity, confidentiality, and availability for lawful educational and business purposes.
This document contains a high-level information security policy for use by all College faculty, staff, administrators, consultants, contractors, students and other Users of the College's information technology resources.
All Users shall adhere to the requirements of this Security Policy, and to the requirements of other applicable College policies, standards, and mandatory procedures. All Users shall also comply with any applicable legal or regulatory requirements, and ethical or contractual obligations.
Note: Throughout this Security Policy the terms "data" and "information" are used interchangeably.
The purpose of this Security Policy and associated documents is to define information security practices that will enable the College to:
1) Identify and classify the data in the College's custody, and to apply appropriate protection mechanisms to that data and to systems related to that data.
2) Protect the privacy rights of College faculty, staff, administrators, and students, as well as other Users of College Information Resources.
3) Prevent the misuse of College data, applications, networks and Computer Systems.
4) Prevent compromises of the confidentiality, integrity or availability of College Information Resources.
5) Identify any compromises or misuse that may occur, and provide organizational process and procedures to address such incidents.
6) Comply with legal, contractual and ethical responsibilities with regard to the handling of personally identifiable and other sensitive information, including the configuration of its Computer Systems and networks.
1) This Security Policy covers electronic and printed information, defined to include, but not limited to, all information created, collected, retained, processed, or distributed by the College, and all Computer Systems or any subsidiary systems that contain or process data owned or in the custody of the College, regardless of physical location.
2) This policy also applies to, but is not limited to, all faculty, staff, administrators, students, alumni, consultants, and any person or agency employed or contracted by the College or any of its auxiliary organizations, who have an authorized need to access restricted or sensitive College information.
3) This policy applies regardless of whether the Computer Systems used in conjunction with College Information Resources are owned or controlled by the College or by some other party, including Users' personally owned Computer Systems, and regardless of physical location.
Restricted - Information assets that could be used to steal an individual's identity or cause harm to the individual, or for which there are legal requirements or industry standards prohibiting or imposing financial or other penalties for unauthorized disclosure or improper security measures. Data covered by the Family Educational Rights and Privacy Act (FERPA), the Maryland Personal Information Privacy Act (PIPA), and the Payment Card Industry Data Security Standard (PCI DSS) are in this class, and other data may be as well.
Sensitive - Data that the College has determined should be protected because it may expose the College to loss, or expose an individual to harm if disclosed, but which is not specifically protected by federal or state legislation or by binding contracts. For example, a User ID in combination with a password is considered to be sensitive.
Public - Although there are no restrictions on disclosure to protect public data (because the data is provided for broad viewing access), sufficient protection must be applied to preserve data integrity and prevent unauthorized modification or loss of such data.
Computer Systems - All computer hardware and software systems, including but not limited to routers, switches and wireless access points, firewalls, servers, databases, workstations, and Portable Computer Systems.
Electronic Media - Any device-readable storage media, whether electronic, mechanical, magnetic, optical, or other. Electronic Media includes, but is not limited to, memory devices in computers, e.g.: hard drives and non-volatile "flash" memory, and any removable/transportable digital memory medium, such as magnetic tape or disks, optical discs, or flash memory devices such as thumb drives and flash cards.
Information Resources - An umbrella term for all data, information media, and computer and other information systems.
Portable Computer Systems - A subset of Computer Systems, these are devices that are designed to be moved from location to location as a part of their normal operation. They include laptop computers, portable digital assistants (PDA), smartphones, and other portable electronic equipment capable of accessing or storing data.
Printed Media - Any human-readable information storage media, including but not limited to information written, typed, drawn, or printed on paper or microfiche.
Privileged Connectivity - Any network connectivity to College Computer Systems or data that would provide access not publicly available to a User via an arbitrary computer system on the Internet. Certain workstations and other Computer Systems on certain College networks have Privileged Connectivity. A system is not considered to have Privileged Connectivity if all Users of that system are required to go through a College security gateway which requires authentication and encryption (such as a VPN or a secure portal) to gain access to any restricted or sensitive protected data, just as a User of an arbitrary system on the Internet would.
User - All faculty, staff, administrators, students, alumni, consultants, and any person or agency employed or contracted by the College or any of its auxiliary organizations who have a legitimate need to have access to College systems or data, and who are authorized to do so.
The unauthorized addition, modification, deletion, use, or disclosure of restricted or sensitive information owned by or in the custody of the College is expressly forbidden. In certain limited circumstances, as specified in federal and state legislation, the College may disclose restricted or sensitive information.
The College will take reasonable and appropriate steps consistent with current technological developments and accepted best practices to ensure the appropriate confidentiality, integrity, and availability of all restricted and sensitive College information.
A. ACCEPTABLE USE
1) All Users of College Computer Systems, networks, accounts, or other Information Resources are bound by the Student Usage, Employee Usage and Network Services Policies.
B. ACCESS CONTROL
1) Access to restricted or sensitive information and any associated systems that store College information is limited to those authorized individuals who need such access for the purpose of performing their job duties or other functions directly related to their contractual affiliation with the College.
2) While recognizing that there is a delicate balance between protecting data and permitting access to those who need to use the data for authorized purposes, systems should be configured to provide Users, Computer Systems and associated accounts with only those system privileges required for authorized purposes. This is the principle of least privilege.
3) Data access control measures must be sufficiently documented to support effective ongoing management of access privileges.
4) Restricted and sensitive information, whether electronic or printed, shall not be displayed in plain sight in order to prevent unauthorized viewing, and must be secured when unattended.
5) Methods of access to restricted or sensitive information, and any associated information systems, are limited to approved, secured, authenticated and centrally managed methods as defined by this Security Policy and by other College policies, configuration standards, and mandatory procedures.
6) Any computers, whether owned by the College or not, with direct connectivity to non-College networks, and which are also used to connect to College networks must comply with applicable College policies, standards, and mandatory procedures.
7) Access to Restricted, Sensitive or Public data may be monitored or logged for later review, in accordance with decisions made by the ISO or the appropriate data stewards. Where required by law or binding contracts, such monitoring and logging shall be performed.
C. ACCOUNT MANAGEMENT
1) All Users of systems that host, or have Privileged Connectivity to, restricted or sensitive data must have their own individual accounts and passwords. The sharing of accounts or passwords is forbidden. The use of group or generic accounts with access to restricted or sensitive data is forbidden.
2) User and system accounts shall be given only those system privileges that allow them to perform their assigned job duties and functions in an efficient and effective manner.
3) Personnel who have administrative system access must use non-administrative accounts for performing non-administrative tasks.
4) The accounts of terminated, resigned or retired employees must be disabled on the effective date of the termination, resignation or retirement.
5) Employees that transfer from one position within the College to another must have their access adjusted or removed on the effective date of the transfer.
6) Accounts used by vendors or consultants for remote management of information systems must be enabled only during the time periods needed for their authorized contractual obligations.
D. NETWORK CONNECTIVITY
1) No party may connect College networks (whether wired or wireless) with each other or with non-College networks without the approval of TSS.
2) No party may install networking equipment, including but not limited to hubs, switches, routers, or wireless access points without the approval of TSS.
3) All College wireless networks are to be treated as untrusted public networks, isolated by firewalls from other College networks.
4) Any computer system connected to College Information Resources via a wireless network is to be treated as if it were connected via the public Internet, and no such system is to be given Privileged Connectivity to any College computer system or data.
5) Any connections between College networks and non-College networks must be properly secured by TSS to ensure that College networks, Computer Systems, and data are appropriately protected.
6) All Computer Systems that connect to College networks, or which are used to access, store, or process restricted or sensitive data must comply with this Security Policy and with other applicable College policies, configuration standards, and mandatory procedures.
7) All servers must be approved by and registered with TSS before being connected to College networks.
8) Technology Services reserves the right to remove any computer system from the College network that does not comply with this policy.
E. BACKUP AND RECOVERY
1) Data essential to the business of the College, whether or not it is sensitive or restricted, is to be stored redundantly (backed up).
2) In order to be backed up by Technology Services, data must be stored on centrally managed file servers. Technology Services is not responsible for backing up the contents of the local hard drives of desktop or Portable Computer Systems, or the contents of removable storage media.
3) Backup of data and software stored on centrally managed file servers must be sufficient to satisfy disaster recovery requirements, as negotiated between the stewards of the data and software, and the administrators of the Computer Systems.
4) Computer Systems and media used for centralized storage and backup purposes shall be housed in College approved, centrally managed, and secured facilities.
5) Backup and recovery procedures are required for all essential data and software systems.
F. PHYSICAL SECURITY
1) No computer system or other information resource that is not sufficiently physically secured shall be used to store, or be given Privileged Connectivity to, restricted or sensitive data without sufficient compensating controls as determined by TSS.
2) All Users of College Information Resources are responsible for the physical security of any College data and Computer Systems in their custody. This includes, but is not limited to, ensuring that doors and cabinets are locked when unattended, and that only authorized individuals have access to these facilities and resources. It also includes responsibility for maintaining the physical security of briefcases and other physical information storage and transport mechanisms in their custody.
3) Campus Safety will provide guidance to the College and its User community regarding physical security measures, mechanisms and procedures.
4) Documentation of all Information Resources that house or have Privileged Connectivity to restricted or sensitive data, including but not limited to Computer Systems and file cabinets, shall be provided to TSS by the Data Stewards of each division or department.
5) TSS will provide Campus Safety with documentation of areas that house or have Privileged Connectivity to restricted or sensitive data, including data centers and other locations.
6) Campus Safety will provide appropriate physical security measures for College data centers, and other locations which house or have Privileged Connectivity to restricted or sensitive data.
7) Technology Services is responsible for determining who needs physical access to College data centers.
G. INCIDENT RESPONSE MANAGEMENT
1) It is the responsibility of everyone involved with College data and information systems to report suspected security incidents regarding these resources to TSS. Such suspected incidents include but are not limited to unauthorized access, exposure, loss or modification of restricted or sensitive data.
2) Various parties have additional responsibilities for security incident monitoring beyond reporting what they happen to notice. These specific responsibilities are listed in the Roles and Responsibilities section of this policy, and in other College policies.
3) TSS must respond to any suspected security incidents to make an initial determination of how to respond to the incident.
4) The College will report or publicize unauthorized information disclosures, as required by law or specific industry requirements. All such reporting and/or publication is to be handled by an ad-hoc Incident Response Team assembled by TSS.
H. NEW HIRE EMPLOYEE SCREENING
1) All employee hiring, including the hiring of student-employees, must be done in compliance with the Background Check Policy.
I. SERVICE PROVIDERS
1) Any outside parties who, in order to fulfill their contractual obligations to the College, require access to restricted or sensitive College information, must comply with all applicable College Policies, including this Security Policy.
J. ROLES AND RESPONSIBILITIES
1) The Technology Systems and Services team will:
a. Perform Risk Management, including a formal Risk Assessment at least once per year, assisting the College in identifying and mitigating internal and external risks to the confidentiality, integrity and availability of College data, including but not limited to restricted and sensitive information.
b. Provide guidance and assistance to Data Stewards, Data Managers, and Users for handling restricted and sensitive information and associated information systems.
c. Contribute to the development of College information security policies, standards, and procedures, including this Information Security Policy.
d. Identify and promote good security strategies and practices, based on industry-accepted best practices.
e. Provide guidance regarding information security to Users of College Information Resources.
f. Implement and provide support for appropriate security mechanisms and procedures for controlling access to, transmitting, storing, and destroying restricted or sensitive data.
g. Perform vulnerability scans and penetration tests on College Computer Systems regularly and after significant changes or upgrades to these systems.
h. Employ, encourage, and support the use of secure software and hardware technologies that meet the requirements of this Security Policy.
i. Take measures to detect, and take appropriate actions in response to any suspected information security compromises.
2) Data Stewards - The Steward of a given collection of data is the individual, department, or organization that has ultimate authority to authorize access to it, and which is responsible for its collection, retention, and destruction. Any given collection of data may be under the shared stewardship of multiple parties. Data Stewards have responsibilities to:
a. Determine what data they have collected or retained, where it is stored, and who has an authorized business need for privileges to access, modify, or destroy that data.
b. In coordination with the College Compliance Officers and TSS, and in compliance with relevant statutes and contractual obligations, determine if their data is restricted, sensitive, or public.
c. Regularly review and document User access requirements to their restricted and sensitive data, and provide this documentation to TSS.
d. Work with TSS and the College Compliance Officers to ensure that any restricted or sensitive data is handled in compliance with this Security Policy, and with any other applicable policies, standards, or mandatory procedures, and with any applicable legislative, regulatory, or contractual requirements.
3) Data Managers - The managers of a given collection of data are the individuals, departments, or organizations that are responsible for storing, handling, or managing systems related to that data, and any Users, including but not limited to employees, agents, or affiliates of the College, who handle or have access to that data. Data Managers shall:
a. Implement necessary security requirements should such data be considered restricted or sensitive.
b. Work with TSS and the College Compliance Officers to ensure that any restricted or sensitive data is handled in compliance with this Security Policy, and with any other applicable policies, standards, or mandatory procedures, and with any applicable legislative, regulatory, or contractual requirements.
4) Systems Administrators - These individuals are responsible for the technical administration of various Computer Systems. In addition to their responsibilities under this Security Policy and other policies and related documents, they shall:
a. Take precautions against theft of or damage to information resources.
b. Cooperate with TSS to find and correct problems caused by the use of the system under their control.
c. Take all appropriate actions to protect the security of information and information resources.
5) Supervisors - These individuals, who have managerial oversight responsibility for others employed by, or contracted to, the College, are responsible to:
a. Ensure that their subordinates' access to restricted and sensitive data is appropriate to their job duties.
b. Conduct periodic reviews of the access requirements of their subordinates to restricted or sensitive data.
c. Notify the Human Resources Office of employee reassignments and changes in employment status.
d. Notify TSS of changes in employee responsibilities that impact employee access requirements to restricted or sensitive data.
e. Ensure that their subordinates adhere to College policies, standards, and procedures related to information security.
f. Ensure that their subordinates receive appropriate training as directed by the department of Technology Systems and Services and the Human Resources Office.
g. Provide their subordinates with approved and sufficient resources and methods to properly handle restricted or sensitive information and associated information systems.
h. Identify any data their departments own or are in custody of, and work with the ISO to determine which if any of that data is restricted or sensitive.
6) Human Resources Office - The Human Resources Office has a responsibility to:
a. Notify TSS of employee reassignments and changes in employment status that impact employee access requirements to restricted or sensitive data.
b. Collect, maintain, and regularly audit signed acknowledgments of employee responsibilities and employee receipt of security awareness training.
This page was last updated on 08/11/2016.