Information Security Policy
Approved: 7/07/2008 (President’s Cabinet)
Last Reviewed: 08/30/2011
Last Modified: 08/30/2011
Responsible Office: Information Technology Services
Santa Fe College has established standards for the protection and security of information, and for the use of information and technology resources. Information is secure only when its integrity can be maintained, its availability ensured, its confidentiality preserved and its access controlled. Security procedures protect information from unauthorized viewing, modification, dissemination, or destruction and provide recovery mechanisms from accidental loss. The security of information is the responsibility of all people who are authorized to access it and all who access it are expected to abide by these standards.
Purpose
This policy provides details about standards for the use of information and information technology resources. Santa Fe College is committed to respecting and protecting the security and privacy of information it creates, uses, transmits, stores and destroys in accordance with applicable laws and regulations as well as reasonable business judgment, discretion and common sense. Each person subject to this policy will sign a statement affirming that they have read, that they understand, and that they intend to comply with the provisions stated herein. The signing of this statement is a requirement for obtaining access to the college’s information systems and networks.
Scope and Application
The Information Technology Services (ITS) department is responsible for establishing and maintaining organizational information security policies, standards, guidelines and procedures. The focus of these activities is on information, regardless of the form it takes, the technology used to manage it, where it resides and which people possess it.
This policy applies to employees, students, volunteers, contractors, temporary workers and any others who use college information resources or who have access to information. The policy applies equally to any college information including but not limited to electronic data, written or printed information and any other intellectual property of the organization. The information resources also include hardware, software and manuals. All individuals agree not to disclose information improperly or to use information improperly or unethically for personal or professional gain, or to discredit or harass someone.
Introduction
Critical College Function: Reliable information and information systems are necessary for the performance of many of the essential activities of Santa Fe College. If there were to be a serious security problem with the information or information systems, the College could suffer serious consequences such as legal liability and tarnished reputation. Accordingly, information security is a critical part of our business environment.
Notwithstanding the above statement, the following identifies certain restricted information that requires enhanced protections under the law.
- Personally Identifiable Information (PII)
- Private Educational Records protected under the Family Education Rights and Privacy Act (FERPA)
- Credit card data regulated by the Payment Credit Card Industry (PCI)
- Electronic Protected Health Information (ePHI) protected by the Federal Health Insurance Portability and Accountability Act (HIPAA) or Florida medical privacy
- Information specifically identified by contract or protected by Florida state law
Owners, Managers, Stewards, and Users of such information all have obligations to identify such information and take reasonable precautions to ensure that it is kept confidential. The following section describes the roles and responsibilities of Owners, Managers, Stewards and Users in further detail.
Supporting College Objectives. This policy has been prepared to ensure that the College is able to support its educational mission and maintain its reputation for integrity. Because the prevention of security problems is considerably less expensive than correction and recovery, this document may also reduce costs over time.
Consistent Compliance. A single unauthorized exception to security measures can jeopardize other users, the entire organization, and other external business partners. The interconnected nature of information systems requires that all users observe a minimum level of security. This document defines that minimum level of due care. In some cases, these requirements will conflict with other objectives such as improved efficiency and reduced costs. The tradeoffs have been examined and it has been concluded that the minimum requirements defined in this document are appropriate for all college workers. Therefore, as a condition of continued employment, all workers (employees, contractors, consultants, temporaries, volunteers) must consistently observe the requirements set forth in this document.
Team Approach: Users must play an important role in the information security area. Because information and information systems are distributed to desktop PC’s, and sometimes used in remote locations via portable devices, the user’s role is an essential part of information security. Information is no longer the exclusive domain of ITS – information security is a team effort requiring the participation of every worker who comes in contact with the College and its information systems.
Every user must understand college policies and procedures about information security, and must agree in writing to perform his or her work according to such policies and procedures. Responsibility for information security on a day-to-day basis is everyone’s duty. Specific responsibility for information security is NOT solely vested in ITS.
Information Security Responsibilities and Procedures
Information Owners: College administrative officers shall be designated as the information Owners of all types of information used for regular business activities. When Owners are not clearly implied by organizational design, the Chief Information Officer (CIO) in consultation with the President’s Staff will make the designation. Owners do not legally own the information; they are instead members of the administrative team who have policy-making responsibility for a particular set of information assets and are authorized to make decisions on behalf of the College. Owners, or their designees, are responsible for implementing information security policies and standards concerning their information.
Information Owners will be responsible for their information and information systems; recommend appropriate business use of their information; authorize information access and privileges; communicate control and protection requirements to Stewards and Users; monitor compliance; and periodically review requirements of information protection.
Information Owners must designate a back-up person to act in their absence. Owners may not delegate ownership responsibilities to third party organizations (such as outsourcing firms or consultants) or to any individual who is not a full-time employee.
Information Managers: Owners do not ordinarily approve requests for access. Instead, a user’s immediate supervisor, usually the department or program administrator, approves a request for system access based on job profiles. If a profile doesn’t exist, the manager’s responsibility is to create the profile and obtain the approval of relevant Owners.
Similarly, when a worker leaves the College, the worker’s immediate supervisor is responsible for promptly informing the Steward and Owner that privileges associated with the worker’s user-Id must be revoked. User-Id’s are specific to individuals and should not be reassigned to, or used by, others unless they are approved for generic accounts.
Managers must review all user access rights at least once a term and after any change in a user’s employment status (promotion, demotion, transfer or termination), and must review users with access to sensitive information more frequently.
Managers and Owners are expected to oversee User compliance with this and other security policies.
Information Users: Users are not specifically designated, but are broadly defined as any worker with access to information or information systems. Users are responsible for acting in accordance with college information security policies and will seek access to data only through the authorized processes, access only the data needed to carry out job responsibilities, participate in information security training/awareness programs, report suspicious activity and security problems, and agree in writing to abide by college security policies.
Information Stewards: Stewards are in physical or logical possession of information and/or information systems. Like Owners, Stewards are specifically designated for different types of information. In most cases, Information Technology Services (ITS) will act as the Steward.
If a Steward is not clear based on the operational arrangements of existing information systems, the CIO in consultation with the Owners will designate a Steward. Stewards follow the instructions of Owners, operate systems on behalf of Owners, but also serve Users authorized by Owners.
In cases in which the information being stored is paper-based, and not electronic, the Steward responsibilities will logically fall to the department gathering the information. For such systems, ITS can offer guidance and suggestions, but will not provide the steward services.
Stewards shall define information systems architectures and provide technical consulting to Owners so that information systems can be built and deployed to best meet college goals. If requested, Stewards additionally provide reports to Owners about information system operations, information security problems, and the like. Stewards are furthermore responsible for safeguarding the information in their possession, including implementing access control systems to prevent inappropriate disclosure, as well as developing, documenting, and testing information contingency plans.
Information Security: The Information Technology Services (ITS) department, and more particularly the Information Security Specialist, is the central point of contact for all information security matters at Santa Fe College. Acting as internal technical consultants, ITS is responsible for creating workable information security compromises that take into consideration the needs of various Users, Managers and Owners. Reflecting these compromises, ITS shall define information security standards, procedures, policies, and other requirements applicable to the entire organization. ITS is responsible for handling all access control management activities, monitoring the security of the College information systems, and providing information security training and awareness programs to college workers. The department is additionally responsible for periodically providing the President’s staff with reports about the current state of information security.
ITS shall also provide technical consulting assistance related to emergency response procedures and disaster recovery. ITS is responsible for implementing procedures to promptly respond to virus infection, hacker break-ins, system outages, and similar security problems. Guidance, direction, and authority for information security activities are centralized for the entire organization in the ITS department.
ITS shall provide the direction and technical expertise to ensure that College information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. ITS will act as a liaison on information security matters between all departments, and shall be the focal point for all information security activities throughout the organization. ITS shall perform risk assessments, prepare action plans, evaluate vendor products, assist with control implementations, investigate information security breaches, and perform other activities that are necessary to assure a secure information-handling environment.
ITS has the authority to create, and periodically modify, both technical standards and standard operating procedures (SOP), which support this information security policy document. These SOPs, when approved by the CIO, have the same scope and authority as if they were included in this policy document. When a standard or procedure is intended to become an extension of this policy document, the document will include these words: “This standard or procedure has been created by the authority described in the Santa Fe College Information Security Policy, and shall be complied with as though it were part of the Policy document.”
Information Technology Services Responsibilities, Policies and Procedures
Information Technology Services shall establish and maintain sufficient preventive and detective security measures to ensure that Santa Fe College’s information is free from significant risk of undetected alteration.
Information Security Policy Document
- This Department is responsible for developing and maintaining this information security policy document.
- The policies and procedures in this document will be reviewed and evaluated on a regular basis.
- The President’s Cabinet fully supports the development and enforcement of these information security policies and procedures.
Information Security Organization
- The CIO will oversee and ensure compliance with policies and procedures within the IT organization.
- The Information Security Specialist will occasionally test users to ensure that consistent compliance exists across the organization.
- Third Party connection access requirements to the computer network are documented in contracts and agreements.
- Information security requirements are fully specified in outsourcing contracts.
Asset Classification
- An IT Asset Management System shall be in place to track the movement of IT hardware, software and information assets.
- Sensitive information assets are classified as confidential.
- Classified information transmitted over insecure networks, such as the Internet, must be adequately encrypted.
Personnel Security
- Positions with specific information security job responsibilities have been documented in job descriptions.
- Applicants for positions that involve access to sensitive facilities receive a pre-employment background check and a thorough screening, including past criminal and credit checks.
- Information security awareness is recognized as a significant risk management issue.
- New employees receive information security policies as part of their orientation, and as part of ongoing communication activities.
- Information security breaches are logged and analyzed for patterns. A disciplinary process is in place for dealing with breaches.
Physical Security
- There are cipher or magnetic card locks on computer room doors, and codes / authorized cards are limited to authorized persons.
- Computer rooms have installed fire suppression equipment. Maintenance is performed at least annually.
- All computer systems (including PBX and communication rooms housed separately from the main data center) are tied into an Uninterrupted Power Supply (UPS) system. The computer room is equipped with a backup generator that is tested on a periodic basis.
- Computers and magnetic media are cleaned of sensitive information prior to disposal.
Computer and Network Security
- All computer systems and applications have documentation describing operational procedures. Documents are formally maintained and required for all applications. It is the responsibility of IT managers to ensure the accuracy of the system documentation, procedures and manuals.
- There is a documented change control process. Changes to most networks, operating systems or application systems are documented and approved.
- A formal capacity and resource planning effort has been established. New applications and machines are periodically reviewed. There is regular tracking of utilization and bottlenecks and some planning for future requirements.
- There is a documented virus policy and protection program. Virus detection software is installed on all file servers and personal computers. Virus signature updates are routinely posted. There are adequate preventative controls.
- Appropriate, frequent backups of business-critical systems are stored in remote, fireproof safes or hot sites. Thorough testing has proved that recovery processes work. Retention periods for all essential business information have been determined.
- Operations staff maintains a work log (system start and finish times, system errors and corrective actions, confirmation of input and output). Most systems are monitored, with critical systems given more attention.
- A network monitoring package and a commercial firewall and proxy servers are in place. Firewall configurations are based upon industry best practices or certified. Operating system and router settings are benchmarked on industry best practices, and kept up-to-date with patches/upgrades recommended by product vendors and/or other professional sources.
- Logs/lists of tapes to help trace or locate a backup tape are maintained. Media is physically secured and housed in locked rooms or cabinets.
- Basic controls secure e-commerce activities, including general e-mail policies, secure FTP, and web servers implemented with basic security controls including SSL encryption.
System Access Control
- A formal procedure for requesting and approving system access exists. A written request form must be completed in order to create, modify, or delete any user
- All users are made aware of their responsibilities with respect to the selection and use of strong passwords. Passwords expire at least every 90 days. Stricter controls exist on sensitive systems or accounts. There are no shared or guest
- Only authorized users are able to gain access to networked systems from a remote location. There are adequate controls over the authentication of remote users using Virtual Private Network (VPN). Network access is generally controlled through the use of firewalls at major access
- Unique user IDs and strong passwords are the rule in order to gain access at the operating system level on all systems. Logon processes are secure, and passwords would be difficult to guess. There are no anonymous or shared
- All powerful system utilities are fully protected against unauthorized access. Most have been removed from the live systems and special access procedures are in
- Event logs are kept automatically for most systems showing unauthorized access attempts, privileged operations, major system events, and system failures. Logs are reviewed daily or in response to
- Reasonable controls are provided to most laptops, such as access control software using passwords, regular backups and virus prevention. Remote or mobile users must access network information and information systems through firewalls via the
System Development and Maintenance
- Policy requires that encryption be used for critical or sensitive systems, and for some mail or files transmitted over public networks. Adequate encryption and public key management techniques are used. Users are responsible for managing their own encryption products and public
- Formal procedures have been established regarding the steps needed to update or upgrade Operating Systems and User Applications. System administrators, testing personnel, and network management are involved in testing before any migration from test to production systems is
- Modification of vendor-supplied packages is strongly discouraged, and they are only modified directly in-house as a last resort. The written consent of the vendor is always obtained, with potential impacts to future releases documented and
Business Continuity Planning
- Management supports the development and maintenance of Business Continuity Plans (BCP) across the organization. IT Managers are responsible for coordinating BCP's. BCP’s are updated regularly, and are occasionally tested to determine
- BCP's address most of the following: outline of responsibilities, conditions for activating the plan, emergency procedures, contact lists, fall back and resumption, and a program for awareness, education, and
- A comprehensive IT disaster recovery plan is an integral part of all applicable BCP’s.
- All BCP’s are tested at least annually, and testing is scheduled for specific departmental BCP’s in response to modifications to affected application systems or computer systems. All connections with critical third parties are
Compliance
- There are strong management controls in place to monitor and ensure compliance. A control framework is designed in conjunction with legal advisors and management responsibilities are clearly allocated. There are regular independent risk-based compliance reviews and management reporting. Users who break laws or contractual obligations are considered for discipline and possible prosecution.
- All managers and staff are educated about their responsibilities through orientation, policy and other awareness methods (e.g., newsletters, posters, flyers, etc.). Staff must demonstrate active compliance with the controls, and must re-affirm their understanding of policies by annual acknowledgement and review.
- Standards for secure configuration settings are comprehensive and regularly updated.
- A comprehensive program of regular reviews of compliance with secure configuration standards is scheduled, aided by automated technical security auditing tools.
- Information security audits are conducted on a regular basis, based on risk analysis results. Automated audit/security scanning and assessment utilities and tools are frequently used.
- Audit, scan, or verification processes are documented; controls over access to audit materials have been established. Logging facilities are in place that have been designed for most application systems. Access to system audit tools and system audit facilities is strictly controlled.
History
07/07/2008 – Approved
02/12/2010 – Revised
08/30/2011 – Revised
Information Technology Policy v20110830