PURPOSE:
This policy serves as a foundation for the College's information security policies and is consistent with
the College's data management and records management standards. It is not the purpose of this
policy to create unnecessary restrictions to data access or use for those individuals who use the data
in support of College business or academic pursuits.
SCOPE:
This policy applies to all college administrative data and to all user-developed data sets and systems
that may access these data, regardless of the environment where the data reside (including cloud
systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the
media on which data resides (including electronic, printouts, external drives, etc.) or the form they
may take (text, graphics, video, voice, etc.). This applies to all college systems regardless of
geographic location.
This Policy applies to all faculty, staff, and third-party agents of the College as well as any other
college affiliate who is authorized to access institutional data. In particular, this policy applies to those
who are responsible for classifying and protecting institutional data.
DEFINITIONS:
Information System: an integrated set of components for collecting, storing, and processing data and
for providing information, knowledge, and digital products. Some examples of information systems
are HRIS (Human Resources Information System), SIS (Student Information System), LMS (Learning
Management System), or SRS (Student Response System).
POLICY:
As part of the information security program, information assets must be identified, classified, tracked
and assigned guardianship to ensure that they are protected against unauthorized exposure,
tampering, loss, or destruction and that they are managed in a manner consistent with applicable
federal and state law, the College’s contractual obligations, their significance to the College, and their
importance to any individual whose information is collected. In order to achieve this objective,
information must be classified to convey the level of protection expected by all employees or agents
who are authorized to access the information.
- Information Asset Collections. For purposes of managing information, the College’s various
types of information must be segregated into logical collections, e.g. student records,
financial records, employee benefit data, payroll data, medical records, personal
information regarding alumni, etc. The security requirements for each collection are
defined by the information’s needs for confidentiality, integrity, and availability. - Information Asset Classification.
To implement security at the appropriate level, establish guidelines for legal/regulatory compliance, and reduce or eliminate conflicting standards and controls over data, data will be classified into one of the following categories. By default, all institutional data that is not explicitly classified should be treated as confidential data.
- Restricted. Data is classified as restricted when there are legal, contractual, or regulatory requirements regarding the storage and disclosure of the data. Unauthorized disclosure or modification of Restricted data would necessitate notifying federal or state authorities and/or the affected individuals. Examples of Restricted data include Personal Health Information,
Personally Identifiable Information (Social Security Numbers), financial account or payment card information, authentication, or authorization information to electronic resources. - Confidential. Data is classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the College or its affiliates. This information can be shared only on a “need to know” basis with individuals who have been authorized by the appropriate Data Owner, Data Steward or designee, either by job function or by name. The disclosure of confidential data to unauthorized persons may be a violation of federal or state laws or college contracts. Examples of Confidential data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to confidential data.
- Internal. Data which the Data Owner or Stewards may choose to publish or make public, and data protected by contractual obligations. Sharing such information with individuals outside the College community requires authorization by the appropriate Data Owner, Data Steward, or designee.
- Public. This information can be freely shared with individuals on or off-campus in accordance with state and federal regulations without any further authorization by the appropriate Data Owner, Data Steward or designee. Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the College and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
- Restricted. Data is classified as restricted when there are legal, contractual, or regulatory requirements regarding the storage and disclosure of the data. Unauthorized disclosure or modification of Restricted data would necessitate notifying federal or state authorities and/or the affected individuals. Examples of Restricted data include Personal Health Information,
- Data in all categories will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the College, result in financial loss, or violate law, policy, or college contracts.
- Information integrity and availability. For purposes of integrity and availability, information systems will be classified as follows:
- Non-Critical Systems. Information systems fall into this category if the unavailability, unauthorized modification, loss, or destruction of the data residing on the system would cause little more than temporary inconvenience to the staff and user community and incur limited recovery costs. Reasonable measures to protect information deemed non-critical include storing information in locked office spaces or cabinets, using standard access control mechanisms to prevent unauthorized individuals from altering digital information, and making regular backup copies.
- Critical Systems. Information systems fall in this category if unavailability, unauthorized access/modification, loss or destruction through accident, malicious activity or irresponsible management could potentially cause the College to 1) be unable to conduct a portion of its required business for an extended period, 2) suffer significant damage to its reputation, 3) endure major financial loss, 4) fall out of compliance with legal, regulatory, or contractual requirements, or 5) adversely impact members of the extended ICOM community.
- Additional Safeguards
- Data Elements in systems should be sampled and checked for validity on a regular basis.
- A disaster recovery plan and/or business continuity plan to recover critical information that has been lost should be developed, documented, deployed and tested annually.
- Security. Security measures for data are set by the data custodian, working in cooperation with the data stewards.
- Additional Safeguards
- Responsibilities. The following roles and responsibilities are established for carrying out this policy:
-
-
-
- Data Owner: is a senior College official (CEO, CTO/CIO, or their designee) who has planning and policy-level responsibility and management responsibilities for institutional data. Responsibilities include assigning data stewards, participating in establishing policies, ensuring that data stewards and data custodians have access to appropriate resources, and promoting data resource management for the good of the entire College.
- Data Steward: Data stewards are college officials having direct operational-level responsibility for information management - usually department directors. Data stewards are responsible for data access and policy implementation issues. Procedures for performing data validation should be developed and implemented by data stewards in responsible departments.
- Data Custodian: Information Technology (IT) is the data custodian. The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data Owners or their designees (usually the data stewards), and implementing and administering controls over the information.
- Data User: Data users are individuals who need and use college data as part of their assigned duties or in fulfillment of assigned roles or functions within the college community. Individuals who are given access to non-public data have a position of special trust and as such are responsible for protecting the security and integrity of that data.
-
-
-
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 6/1/22
Last Reviewed: 1/25/24
Review Requirement: Annual