Administration

Board of Trustees Policy

Subject: IT Security

Number: 5.17

Date: May 2020

Supersedes: January 2010


Purpose

Security breaches of data and technology pose a very real and very expensive Threat to the College. Security Safeguards must be in place to protect the College from these Threats, based upon the Risk they impose. The purpose of this policy is to enable the College to help protect all College data, ensure Availability and Integrity of technology required to run the College (networks, applications, data warehouses, etc.), and to comply with laws and regulations governing data privacy and protection.

Scope

The scope of this policy includes IT security management for all the College facilities, data, technology, and all Users. This policy does not include the management of non-IT related assets, such as paper records.

Policy

The College will ensure the Confidentiality, Integrity, and Availability of technology and data through the development and implementation of Compliance Standards which address various IT security requirements. These standards will follow industry-defined best practices in securing technology and data.

Roles and Responsibilities

The Board of Trustees delegates responsibility for the evaluation and approval of Compliance Standards that are part of the IT Security Program to the College President.

The Vice President of Information Technology will serve as the College’s Information Security Officer. In this role, the Vice President of Information Technology is responsible for the development, implementation, and continued administration of the IT Security Program’s Compliance Standards. Once approved by the President, the Compliance Standards will be implemented by the Vice President of Information Technology.

Any User that Accesses any IT Asset play a crucial role in ensuring the success of the IT Security Program, and that responsibility must be viewed as a top priority of any User. For example, Users must create strong passwords, protect his or her login credentials, and utilize the College’s resources that are made available to ensure the safe storage and transmission of data.

Compliance Standards Overview

Compliance standards will be added, removed, and modified within the IT Security Program depending on changes to best practices in the industry. These standards will require the Vice President of Information Technology, and those members of the College information technology staff designated by the Vice President of Information Technology, to take steps to protect the College’s data and technology, such as:

  • Perform Risk Assessments of the College’s IT Assets;
  • Install, maintain, and review security Safeguards to achieve acceptable levels of Risk;
  • Classify data according to its Sensitivity and Criticality to the College;
  • Educate the College community of the importance of protecting sensitive data and methods for identifying and reporting suspected security incidents;
  • Strategically and efficiently respond to IT security incidents;
  • Maintain security Safeguards to protect the College’s Network Devices;
  • Define secure practices for the electronic transfer of sensitive data;
  • Implement security Safeguards to prevent, detect, and resolve IT Security Incidents arising from Threats that target networks, systems and Users;
  • Define the security requirements for Users who Access sensitive IT Assets from remote (i.e., off campus) locations;
  • Maintain security Safeguards against the infection and propagation of Malware;
  • Properly manage User Identification, Authentication, and the creation and protection of strong Passwords;
  • Maintain a program for ongoing Vulnerability management;
  • Address vulnerabilities in IT Assets with Security Updates in a timely manner;
  • Limit Access to sensitive IT Assets to permit Users the ability to Access only those resources required to perform their approved duties;
  • Develop and follow appropriate data Backup and Recovery procedures;
  • Implement security Safeguards restricting physical Access to areas that contain sensitive IT Assets;
  • Define the requirements for maintaining, reviewing and securing logs on the College’s systems and IT Assets so that potential security incidents are identified and addressed in a timely manner;
  • Establish rules for managing Third-Party Access to sensitive IT Assets, as well as protecting the College’s IT Assets after granting Access to a Third-Party;
  • Implement appropriate data loss prevention measures to prevent and detect data breaches.
Consequences for Non-compliance

Whenever a User is found to be negligent in, or have a disregard for, the compliance with an IT security Compliance Standard, the College will determine the appropriate action to take against the User. By way of example, the College may determine in a case of simple negligence or inadvertent mistake that training the User is appropriate. The College may consider certain single incidents of non-compliance to be so harmful as to immediately rise to the level of more serious disciplinary consequences, up to and including a long term suspension of employment, termination of employment, removal of service, academic suspension, academic expulsion, termination of Third-Party relationship, or termination of contract.

Definitions

Access
The permission to enter, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of specific information resources

Authentication
The process of verifying that a User or computer is who it purports to be, via Password, token, or other credential

Availability
The assurance that information and communications services will be ready for utilization when expected

Backup
The copying of data to a secondary medium (e.g., disk, tape) as a precaution in case the primary medium fails

College
Montgomery County Community College

Compliance Standard
A document in the IT Security Program which addresses a specific area of IT security, and defines the appropriate security requirements for that area

Confidentiality
The assurance that information will be kept secret, with Access limited to the appropriate Users

Criticality
The classification given to data which determines the importance of maintaining its Availability

Integrity
The assurance that information is not accidentally or maliciously altered or destroyed, and is timely, accurate, complete, and consistent with its intended purpose

IT Asset
An IT-related hardware, software, and data resource which support the College’s mission

IT Security Incident
An IT-related event which causes a breach of Confidentiality, Integrity, and/or Availability of an IT Asset

IT Security Program
The collection of policies, Compliance Standards, procedures, and other documentation which support the College’s goals in regards to IT security

Log
The chronological record of events which occur against an IT Asset, including connection, User login, Access, and other various events, independent of whether or not any actual or attempted security violations occurred

Malware
Malicious software (e.g., viruses, worms, Trojans) developed for the purpose of causing disruption to the Confidentiality, Integrity, or Availability to an IT Asset

Network Device
An IT Asset which forms part of the underlying connectivity infrastructure for a network (e.g., router, switch, firewall, intrusion prevention system, content filtering system, remote access system)

Password
A secret string of characters which provides Authentication for a User account necessary to gain Access to an IT Asset

Recovery
The restoration of data to a secondary medium (e.g. disk, tape) in an instance where the primary medium fails

Risk
The combination of the probability of an event and its consequence

Risk Assessment
The process of discovering, analyzing, interpreting, and prioritizing IT security Risks by examining Threats to and vulnerabilities of IT Assets, determine the magnitude of Risks, and determine the acceptability of Risks

Safeguard
An administrative, technical, or physical entity that enforces or promotes the security of an IT Asset

Security Update
A software patch which mitigates a security Vulnerability in an IT Asset

Sensitivity
The classification given to data which determines the importance of maintaining its Confidentiality and Integrity

Third-Party
A person or organization not internal to the College

Threat
The potential for a Threat-source to accidentally trigger or intentionally exploit a specific Vulnerability

User
Any faculty member, staff member, contractor, student, or Third Party having Access to an IT Asset or electronic data of the College

User Identification
The process of determining the identity of a User in an IT system (e.g., Usernames)

Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system's security policy