Policies and Procedures Manual

08:00:00   Information Security Program
Related Policies and Guidelines

TBR B-090 Safeguarding Nonpublic Financial Information

Purpose

The purpose of this policy is to establish an Information Security Program to provide reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of Institutional Data as well as any Information Systems that store, process, or transmit Institutional Data in all their forms throughout their life cycle.

Definitions

For the purpose of this policy, the following definitions shall apply:
  1. Institutional Data is an information asset owned or licensed by Northeast State that is subject to classification and is managed by a Data Custodian.
  2. Data Custodians are administrators of institution offices or divisions or their designee who may make data within their charge available to others for the use and support of the office or division’s functions. The Data Custodian is responsible for the accuracy and completeness of data files in their areas and ensures the protection requirements are met before granting access to the data.
  3. Information Security Administrators are individuals, typically in the Office of Information Technology, responsible for implementing technical controls to protect information assets in accordance with business rules and other directions set by the Data Custodian(s). In most cases, the Information Security Administrator is not the Data Custodian.
  4. Information Systems are electronic systems that store, process, or transmit information.
  5. Data Users are college employees who have access to system data and, as a result, are entrusted with the protection of that data.
  6. Agents are any third party that has been contracted by the college to provide a set of services and that stores, processes, or transmits Institutional Data as part of those services.
Policy
  1. Roles and Responsibilities
    1. College President
      1. Delegates administration of the Information Security Program to OIT leadership.
    2. Data Custodians
      1. Ensure that the management and control of risks outlined in this policy are adhered to by employees in their areas.
      2. Determine the access rights and privileges for Institutional Data within their area of responsibility.
      3. Communicate to the delegated Information Security Administrator the legal requirements for access and disclosure for the Institutional Data within their area of responsibility.
    3. Information Security Administrators
      1. Work with Data Custodians to ensure that the Institutional Data are classified appropriately.
      2. Implement the access rights and privileges for Institutional Data as determined by the Data Custodian.
      3. Provide reports and documentation listing access rights and privileges as needed for periodic review.
    4. Data Users
      1. Follow current applicable IT Acceptable Use Policies.
      2. Protect sensitive information by not disclosing such data to unauthorized individuals.
      3. Complete specific confidentiality training if their job responsibilities require access to sensitive information.
      4. Complete annual security awareness training.
      5. Report any suspected or known security breaches to the Chief Information Officer.
    5. Office of Information Technology
      1. Implement and maintain an information security architecture to support this policy.
      2. Approve implementation of new Information Systems based on review.
      3. Implement adequate security measures for Information Systems containing Institutional Data.
      4. Implement security strategies for both the storage and transmission of Institutional Data.
    6. Chief Information Officer
      1. Develop and maintain security policies, plans, procedures, and best practices.
      2. Participate in risk awareness by identifying internal and external risks to the security of Information Systems and Institutional Data.
      3. Provide guidance for the security of information technology infrastructure.
      4. Provide guidance for the security of information technology vendors, contracts, and Agents.
      5. At least annually, advise and inform the college leadership on the overall status of compliance with the Information Security Program.
    7. Internal Auditor
      1. Evaluate the effectiveness of implemented safeguards for controlling security risks.
      2. Provide recommendations for revisions to this policy as appropriate.
      3. Perform audits testing implemented controls against prescribed policies.
  2. Information Security Program Related Policies
    1. Acceptable Use Policy
    2. Information Asset and Information Technology Resource Classification
    3. Handling Sensitive Information
    4. Risk Assessments
    5. Information Access
    6. Technology Evaluation and Procurement
    7. Information Integrity (Malware, Antivirus, Change Management)
    8. Disaster Recovery
    9. Remote Access
    10. Security Incident Response
    11. Training and Awareness
    12. Physical and Environmental Security
    13. Vendor Management
    14. Executive Reporting
    15. Data Retention
    16. Email Protection
    17. Identity and Access Management
    18. Mobile Device Policy
    19. Wireless Network and Guest Access
  3. Authority
    1. Exceptions to this policy must be approved by the Chief Information Officer and formally documented. Policy exceptions will be reviewed on an annual basis for appropriateness.
    2. Failure to comply with this policy may result in suspension or loss of the violator’s use privileges with respect to Institutional Data and College-owned Information Systems. Additional administrative sanctions may apply, up to and including termination of employment or contractor status with the College. Civil, criminal, and equitable remedies may apply.



Divisional Review Responsibilities Checklist: Information Technology

Revision History: April 2023