PURPOSE:
This Information Security Policy establishes the overarching framework, principles, and strategic direction for protecting the confidentiality, integrity, and availability of all information assets owned, leased, managed, or used by the Idaho College of Osteopathic Medicine (ICOM). The purpose of this policy is to safeguard the Institution's academic mission, research activities, administrative operations, and reputation by providing a comprehensive approach to managing information security risks in compliance with applicable laws, regulations, accreditation standards, and best practices. This policy serves as a guiding document for all other information security-related policies, standards, and procedures within ICOM.
SCOPE:
This policy applies to all information assets of ICOM, regardless of format (electronic, paper, verbal), location (on-premises, cloud-based, remote), or system on which they reside. This includes, but is not limited to:
- Data and information in all forms
- IT infrastructure, systems, and applications (including SaaS applications)
- Network infrastructure (wired and wireless)
- End-user devices (desktops, laptops, mobile devices)
- Physical facilities housing information assets
- All individuals and entities who access, use, manage, or support ICOM's information assets, including faculty, staff, students, alumni, affiliates, volunteers, contractors, vendors, and guests.
DEFINITIONS:
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes, but is not limited to, student records, patient information (if applicable), employee records, contact information, and online identifiers.
- Data Subject: The individual to whom Personal Data relates.
- Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (in this context, primarily ICOM).
- Data Processor: A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller (e.g., SaaS vendors, cloud service providers).
- FERPA: The Family Educational Rights and Privacy Act, a federal law that protects the privacy of student education records.
- HIPAA: The Health Insurance Portability and Accountability Act of 1996, a federal law that provides data privacy and security provisions for safeguarding medical information.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
POLICY:
ICOM is committed to establishing and maintaining a robust information security program based on the following principles:
- Confidentiality: Protecting sensitive information from unauthorized access and disclosure. Access to information will be granted based on the principle of least privilege and a demonstrated need-to-know.
- Integrity: Maintaining the accuracy, completeness, and reliability of information and protecting it from unauthorized modification or destruction.
- Availability: Ensuring that authorized users have timely and reliable access to information and systems when needed to support legitimate institutional purposes.
- Risk Management: Employing a systematic risk management approach to identify, assess, respond to, and monitor information security risks, aligning with the ICOM Risk Management Policy.
- Compliance: Adhering to all applicable federal and state laws, regulations, and accreditation standards, including but not limited to the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) (if applicable), the Gramm-Leach-Bliley Act (GLBA) as it pertains to Title IV funding, and relevant Idaho state laws regarding data privacy and security.
- Data Governance and Classification: Establishing and maintaining a data governance framework that includes the classification of information assets based on their sensitivity and criticality, as outlined in the Data Classification Policy.
- Access Control: Implementing appropriate access control mechanisms (physical and logical) to ensure that only authorized individuals have access to information assets and systems, as detailed in the Access Control Policy.
- Network Security: Protecting the integrity, confidentiality, and availability of the ICOM network infrastructure and all connected systems, as outlined in the Network Security Policy.
- Endpoint Security: Implementing security measures to protect end-user devices (desktops, laptops, mobile devices) from threats and unauthorized access, as guided by the Anti-Malware Policy, Mobile Device Management Policy, and other relevant policies.
- Vulnerability Management: Proactively identifying, assessing, and remediating security vulnerabilities in ICOM's systems and applications in a timely manner, as described in the Vulnerability Management Policy.
- Incident Response: Establishing and maintaining a comprehensive plan for detecting, analyzing, containing, eradicating, recovering from, and learning from security incidents, as detailed in the Incident Response Policy and Incident Response Plan.
- Data Backup and Recovery: Implementing robust data backup and recovery procedures to ensure the availability and recoverability of critical information assets in the event of data loss or system failures, as outlined in the Backup Policy and Business Continuity and Disaster Recovery Plan.
- Physical Security: Protecting ICOM's physical facilities and assets that support information systems from unauthorized access, theft, damage, and environmental hazards, as outlined in the Physical Security Policy.
- User Awareness and Training: Cultivating a security-conscious culture by providing regular security awareness training to all users, ensuring they understand their roles and responsibilities in protecting information assets, as outlined in the User Awareness and Training Policy.
- Third-Party Vendor Security: Managing the security risks associated with engaging third-party vendors who provide products, services, or process institutional data, as outlined in the Third-Party Vendor Management Policy.
- Software Management: Ensuring that software is acquired, deployed, used, and retired in a secure, compliant, and efficient manner, as outlined in the Software Management Policy.
- System Monitoring and Logging: Implementing comprehensive system monitoring and logging practices to provide visibility into system operations, detect security incidents, and support investigations, as outlined in the System Monitoring and Logging Policy.
- Data Privacy: Processing Personal Data in a responsible and lawful manner, protecting the privacy rights of individuals, and complying with applicable data protection laws and regulations, as outlined in the Data Privacy Policy.
- Acceptable Use: Establishing guidelines and expectations for the appropriate and responsible use of ICOM's technology resources, as outlined in the Acceptable Use Policy.
- Email Security: Ensuring the secure and appropriate use of ICOM's email systems for official communication, as outlined in the Email Accounts Policy.
- Mobile Device Security: Establishing standards and procedures for managing and securing mobile devices used to access ICOM's institutional resources, as outlined in the Mobile Device Management Policy.
- Change Management: Implementing a controlled process for managing changes to ICOM's IT infrastructure and systems to minimize risks and disruptions, as outlined in the Change Management Plan.
- Data Retention and Destruction: Establishing standards and procedures for the retention and secure destruction of Institutional Records, as outlined in the Data Retention and Destruction Policy.
RESPONSIBILITIES:
- Data & Technology Executive Council: Provides oversight and sets the strategic direction for information security.
- President and Executive Leadership: Champions a culture of security awareness and ensures the allocation of resources for the information security program.
- Chief Information Officer (CIO): Bears overall responsibility for the development, implementation, and maintenance of the information security program.
- Virtual Chief Information Security Officer (vCISO): Responsible for the management and implementation of the information security program, including policy development, risk assessments, incident response, and security awareness training, with support from the CIO.
- Data Owner: The President or appropriate designee is responsible for all categories of information assets is accountable for their security and appropriate use.
- Data Stewards: Individuals with operational responsibility for managing information assets are responsible for implementing security controls and adhering to policies.
All Users: All members of the ICOM community are responsible for adhering to this policy and all other information security-related policies, standards, and procedures.
ENFORCEMENT:
Violations of this Information Security Policy and any supporting policies, standards, or procedures may result in disciplinary actions, up to and including warnings, suspension of access privileges, and termination of employment or student status, consistent with other ICOM policies and procedures, and may also result in legal penalties where applicable.
POLICY REVIEW AND UPDATES:
This Information Security Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, legal and regulatory requirements, accreditation standards, the threat landscape, institutional risk assessments, and best practices. The Chief Information Officer is responsible for coordinating policy reviews and updates, in consultation with relevant stakeholders.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 9/7/21
Last Reviewed: 7/8/25
Review Requirement: Annual