Board of Trustees Policy
Subject: IT Security
Date: May 2020
Supersedes: January 2010
Security breaches of data and technology pose a very real and very expensive Threat to the College. Security Safeguards must be in place to protect the College from these Threats, based upon the Risk they pose. The purpose of this policy is to enable the College to help protect all College data, ensure Availability and Integrity of technology required to run the College (networks, applications, data warehouses, etc.), and to comply with laws and regulations governing data privacy and protection.
The scope of this policy includes IT security management for all the College facilities, data, technology, and all Users. This policy does not include the management of non-IT related assets, such as paper records.
The College will ensure the Confidentiality, Integrity, and Availability of technology and data through the development and implementation of Compliance Standards which address various IT security requirements. These standards will follow industry-defined best practices in securing technology and data.
Roles and Responsibilities
The Board of Trustees delegates responsibility for the evaluation and approval of Compliance Standards that are part of the IT Security Program to the College President.
The Vice President of Information Technology will serve as the College’s Information Security Officer. In this role, the Vice President of Information Technology is responsible for the development, implementation, and continued administration of the IT Security Program’s Compliance Standards. Once approved by the President, the Compliance Standards will be implemented by the Vice President of Information Technology.
Any User that Accesses any IT Asset plays a crucial role in ensuring the success of the IT Security Program, and that responsibility must be viewed as a top priority of any User. For example, Users must create strong Passwords, protect their login credentials, and utilize the College’s resources that are made available to ensure the safe storage and transmission of data.
Compliance Standards Overview
Compliance standards will be added, removed, and modified within the IT Security Program depending on changes to best practices in the industry. These standards will require the Vice President of Information Technology, and those members of the College information technology staff designated by the Vice President of Information Technology, to take steps to protect the College’s data and technology, such as:
- Perform Risk Assessments of the College’s IT Assets;
- Install, maintain, and review security Safeguards to achieve acceptable levels of Risk;
- Classify data according to its Sensitivity and Criticality to the College;
- Educate the College community on the importance of protecting sensitive data and on methods for identifying and reporting suspected security incidents;
- Strategically and efficiently respond to IT security incidents;
- Maintain security Safeguards to protect the College’s Network Devices;
- Define secure practices for the electronic transfer of sensitive data;
- Implement security Safeguards to prevent, detect, and resolve IT Security Incidents arising from Threats that target networks, systems and Users;
- Define the security requirements for Users who Access sensitive IT Assets from remote (i.e., off campus) locations;
- Maintain security Safeguards against the infection and propagation of Malware;
- Properly manage User Identification, Authentication, and the creation and protection of strong Passwords;
- Maintain a program for ongoing Vulnerability management;
- Address vulnerabilities in IT Assets with Security Updates in a timely manner;
- Limit Access to sensitive IT Assets to permit Users the ability to Access only those resources required to perform their approved duties;
- Develop and follow appropriate data Backup and Recovery procedures;
- Implement security Safeguards restricting physical Access to areas that contain sensitive IT Assets;
- Define the requirements for maintaining, reviewing and securing logs on the College’s systems and IT Assets so that potential security incidents are identified and addressed in a timely manner;
- Establish rules for managing Third-Party Access to sensitive IT Assets, as well as protecting the College’s IT Assets after granting Access to a Third-Party;
- Implement appropriate data loss prevention measures to prevent and detect data breaches.
Consequences for Non-compliance
Whenever a User is found to be negligent in, or to disregard, compliance with an IT security Compliance Standard, the College will determine the appropriate action to take against the User. By way of example, the College may determine in a case of simple negligence or inadvertent mistake that training the User is appropriate. The College may consider certain single incidents of non-compliance to be so harmful as to immediately rise to the level of more serious disciplinary consequences, up to and including a long-term suspension of employment, termination of employment, removal of service, academic suspension, academic expulsion, termination of a Third-Party relationship, or termination of contract.
Definitions
Access: The permission to enter, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of specific information resources
Authentication: The process of verifying that a User or computer is who it purports to be, via Password, token, or other credential
Availability: The assurance that information and communications services will be ready for utilization when expected
Backup: The copying of data to a secondary medium (e.g., disk, tape) as a precaution in case the primary medium fails
Compliance Standard: A document in the IT Security Program which addresses a specific area of IT security, and defines the appropriate security requirements for that area
Confidentiality: The assurance that information will be kept secret, with Access limited to the appropriate Users
Criticality: The classification given to data which determines the importance of maintaining its Availability
Integrity: The assurance that information is not accidentally or maliciously altered or destroyed, and is timely, accurate, complete, and consistent with its intended purpose
IT Asset: An IT-related hardware, software, or data resource which supports the College’s mission
IT Security Incident: An IT-related event which causes a breach of Confidentiality, Integrity, and/or Availability of an IT Asset
IT Security Program: The collection of policies, Compliance Standards, procedures, and other documentation which support the College’s goals in regards to IT security
Log: The chronological record of events which occur against an IT Asset, including connection, User login, Access, and other various events, independent of whether or not any actual or attempted security violations occurred
Malware: Malicious software (e.g., viruses, worms, Trojans) developed for the purpose of causing disruption to the Confidentiality, Integrity, or Availability of an IT Asset
Network Device: An IT Asset which forms part of the underlying connectivity infrastructure for a network (e.g., router, switch, firewall, intrusion prevention system, content filtering system, remote access system)
Password: A secret string of characters which provides Authentication for a User account necessary to gain Access to an IT Asset
Recovery: The restoration of data to a secondary medium (e.g., disk, tape) in an instance where the primary medium fails
Risk: The combination of the probability of an event and its consequence
Risk Assessment: The process of discovering, analyzing, interpreting, and prioritizing IT security Risks by examining Threats to and vulnerabilities of IT Assets, determining the magnitude of Risks, and determining the acceptability of Risks
Safeguard: An administrative, technical, or physical entity that enforces or promotes the security of an IT Asset
Security Update: A software patch which mitigates a security Vulnerability in an IT Asset
Sensitivity: The classification given to data which determines the importance of maintaining its Confidentiality and Integrity
Third-Party: A person or organization not internal to the College
Threat: The potential for a Threat-source to accidentally trigger or intentionally exploit a specific Vulnerability
User: Any faculty member, staff member, contractor, student, or Third-Party having Access to an IT Asset or electronic data of the College
User Identification: The process of determining the identity of a User in an IT system (e.g., Usernames)
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system's security policy
Montgomery County Community College