Board of Trustees Policy
Subject: IT Security
Date: January 2010
Security breaches of data and technology pose a very real and very expensive threat to Montgomery County Community College. Security safeguards must be in place to protect the College from these threats, based upon the risk they impose. The purpose of this policy is to enable Montgomery County Community College to help protect all College data and technology.
The scope of this policy includes IT security management for all Montgomery County Community College facilities, data, technology, faculty, staff, contractors, students, and third-parties. This policy does not include the management of non-IT related assets, such as paper records.
Montgomery County Community College will ensure the confidentiality, integrity, and availability of technology and data through the development and implementation of compliance standards which address various IT security requirements. These standards will follow industry-defined best practices in securing technology and data.
Roles and Responsibilities
The Board of Trustees delegates responsibility for the evaluation and approval of compliance standards that are part of the IT Security Program to the College President.
The Vice President of Information Technology will serve as the College’s Information Security Officer. In this role, the Vice President of Information Technology is responsible for the development, implementation, and continued administration of the IT Security Program’s compliance standards. Once approved by the President, the compliance standards will be implemented by the Vice President of Information Technology.
Compliance Standards Overview
Compliance standards will be added, removed, and modified within the IT Security Program depending on changes to best practices in the industry. These standards will require members of the College community to take steps to protect the College’s data and technology, such as
- Perform risk assessments of the College’s IT assets;
- Install, maintain, and review security safeguards to achieve acceptable levels of risk;
- Classify data according to its sensitivity and criticality to the College;
- Educate the College community of the importance of protecting sensitive data;
- Strategically and efficiently respond to IT security incidents;
- Maintain security safeguards to protect the College’s network devices;
- Define secure practices for the electronic transfer of sensitive data;
- Implement security safeguards to prevent, detect, and resolve IT security incidents arising from public networks (e.g. the Internet) and wireless network threats;
- Define the security requirements for users who access sensitive IT assets from remote (i.e. off campus) locations;
- Maintain security safeguards against the infection and propagation of malware;
- Properly manage user identification, authentication, and the creation and protection of strong passwords;
- Address vulnerabilities in IT assets with security updates in a timely manner;
- Limiting access to sensitive IT assets to permit users the ability to access only those resources required to perform their approved duties;
- Develop and follow appropriate data backup and recovery procedures;
- Implement security safeguards restricting physical access to areas which contain sensitive IT assets;
- Define the requirements for maintaining logs on the College’s systems and IT assets;
- Establish rules for managing third-party access to sensitive IT assets, as well as protecting the College’s IT assets after granting access to a third-party.
Consequences for Non-compliance
Whenever a faculty member, staff member, contractor, student, or third-party is found to be negligent in, or have a blatant disregard for, the compliance with an IT security compliance standard, the College’s first recourse will be in training the offender. Additional infractions will incur progressive discipline. The College reserves the right, however, to consider certain single incidents of non-compliance to be so harmful as to immediately rise to the level of more serious disciplinary consequences, up to and including a long term suspension of employment, termination of employment, removal of service, academic suspension, academic expulsion, termination of third-party relationship, or termination of contract.
The permission to enter, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of specific information resources.
The process of verifying that a user or computer is who it purports to be, via password, token, or other credential.
The assurance that information and communications services will be ready for utilization when expected.
The copying of data to a secondary medium (e.g., disk, tape) as a precaution in case the primary medium fails.
A document in the IT Security Program which addresses a specific area of IT security, and defines the appropriate security requirements for that area.
The assurance that information will be kept secret, with access limited to the appropriate users.
The classification given to data which determines the importance of maintaining its availability.
The assurance that information is not accidentally or maliciously altered or destroyed, and is timely, accurate, complete, and consistent with its intended purpose.
An IT-related hardware, software, and data resource which support the College’s mission.
IT Security Incident
An IT-related event which causes a breach of confidentiality, integrity, and/or availability of an IT asset.
IT Security Program
The collection of policies, compliance standards, procedures, and other documentation which support the College’s goals in regards to IT security.
The chronological record of events which occur against an IT asset, including connection, user login, access, and other various events, independent of whether or not any actual or attempted security violations occurred.
Malicious software (e.g., viruses, worms, Trojans) developed for the purpose of causing disruption to the confidentiality, integrity, or availability to an IT asset.
An IT asset which forms part of the underlying connectivity infrastructure for a network (e.g., router, switch, firewall, intrusion prevention system, content filtering system, remote access system).
A secret string of characters which provides authentication for a user account necessary to gain access to an IT asset.
The restoration of data to a secondary medium (e.g., disk, tape) in an instance where the primary medium fails.
The combination of the probability of an event and its consequence.
The process of discovering, analyzing, interpreting, and prioritizing IT security risks by examining threats to and vulnerabilities of IT assets, determine the magnitude of risks, and determine the acceptability of risks.
An administrative, technical, or physical entity that enforces or promotes the security of an IT asset.
A software patch which mitigates a security vulnerability in an IT asset.
The classification given to data which determines the importance of maintaining its confidentiality and integrity.
A person or organization not internal to Montgomery County Community College.
The potential for a threat-source to accidentally trigger or intentionally exploit a specific vulnerability.
The process of determining the identity of a user in an IT system (e.g., user names).
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system's security policy.