PURPOSE:
The Data Security Policy is intended to help employees determine the sensitivity and confidentiality level of information. Sensitive data should be handled in such a manner as to limit the risk of data loss, theft, or leakage of sensitive information.
This policy applies to information that is stored or shared in any way. This includes, but is not limited to: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
These guidelines explain the different levels of information sensitivity and illustrate common sense steps that you can take to protect ICOM's confidential information (e.g., confidential information should not be left unattended in conference rooms).
Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the department of Information Technology and administration.
SCOPE:
This policy applies to data safeguarded both by ICOM and/or by third-party vendors and contractors working with ICOM. This policy also covers data stored on all computer systems, network devices, third-party applications, and any additional systems and outputs containing or transmitting ICOM data.
DEFINITIONS:
- Physical Security - Physical security means either having actual possession of an item at all times, or locking it in an unusable state to an object that is immovable. If it is a laptop or other portable computer or storage device, never leave it unattended in a conference room, hotel room, on an airplane seat, etc. In the office, always lock your door when the office is not in use. When leaving the office for the day, secure laptops and any other sensitive material in a locked drawer or cabinet. Paper materials of this nature should be kept in a locked cabinet.
POLICY:
All ICOM data will be assigned to one of the following categories:
- LEVEL I: Public: Low Sensitivity
- LEVEL II: Non-Public/Internal: Moderate Sensitivity
- LEVEL III: Confidential: High Sensitivity
Public information is information that has been declared public knowledge by the College, and can freely be given to anyone without any possible damage to ICOM.
Non-public or internal information is information available only to ICOM employees and students. Examples of such information are: online directory, intranet content, and email. For non-electronic documents this includes business plans or projects.
Confidential information comprises all other information. This includes information that must be protected very closely, such as student records, employee records, financial records, social security numbers, driver's license numbers, and any other personal information classified as such under applicable state and federal laws. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact his/her manager.
PROCEDURES:
The sensitivity guidelines below provide details on how to protect information at varying sensitivity levels.
Level One--Public
- Examples: Any public data that is associated with the College in an official manner. This may include, and is not limited to, websites, publications, white papers, etc., as well as paper records or files.
- Access: Public.
- Storage Requirements: May be stored on local devices.
- Distribution within ICOM: email, shared cloud storage, and other electronic file transmission methods.
- Distribution outside of ICOM: U.S. mail and other public or private carriers, email, shared cloud storage, and other electronic file transmission methods.
- Electronic distribution: No restrictions.
- Disposal/Destruction: No restrictions.
Level Two--Non-Public/Internal
- Examples: Project data, email, business transactions that do not include Level III data, and internal directory information. This may include, and is not limited to, physical and/or electronic media and paper records or files.
- Access: ICOM employees and non-employees who have a business need to know. Protecting this data will prevent potential liability, data tampering, and/or negative publicity for the College.
- Storage Requirements: May be stored on local devices, but storage on the ICOM cloud storage service is strongly encouraged.
- Distribution within ICOM: email, shared cloud storage, and other electronic file transmission methods.
- Distribution outside of ICOM: U.S. mail and other public or private carriers, email, shared cloud storage, and other electronic file transmission methods.
- Electronic distribution: No restrictions to approved recipients within ICOM, but data should be securely transmitted when sent to recipients outside of ICOM premises. Examples: password-protected cloud storage and HTTPS (secured web pages).
- Disposal/Destruction: Electronic data should be expunged/cleared. Reliably erase or physically destroy media (USB drives, etc.).
Level Three--Confidential/Sensitive
- Examples: Driver's license numbers; personal information (DOB, maiden names, etc.); financial data (bank account numbers, W-2s, 1099s); credit card numbers; social security numbers; official transcripts; and human resource records. This may include, and is not limited to, physical and/or electronic media and paper records or files.
- Access: Only those individuals (ICOM employees and non-employees) with a business need to access. Protection of this data is required by law (e.g., HIPAA, FERPA). Protecting this data prevents potential liability, severe negative publicity, long-term loss of critical campus or department services, data tampering, and/or legal action against the College.
- Storage: Individual access controls (strong passwords) are required for electronic information. Physical security (see definition above) is required. Storage on desktops, laptops, and portable devices is strongly discouraged and should be avoided if possible. Encryption is required. This includes, but is not limited to, USB sticks, portable hard drives, and any other means of electronic data storage. Paper records and/or files must be kept in an area designated as secure, with appropriate physical access controls such as card readers or locks.
- Distribution within ICOM: Delivered directly or via approved electronic file transmission methods.
- Distribution outside of ICOM: Delivered directly or via approved electronic file transmission methods.
- Electronic distribution: All information must be strongly encrypted.
- Disposal/Destruction: Electronic data should be expunged/cleared. Reliably erase or physically destroy media. Paper materials should be shredded in accordance with the College's Record Retention and Destruction Policy.
RESPONSIBLE OFFICIALS:
Chief Information Officer/Information Security Authority, Faculty, Staff, and Students
POLICY OWNER:
Chief Information Officer/Information Security Authority
APPROVAL: