PURPOSE:
This policy defines the elements and mechanisms of the information security structure at ICOM. It ensures that the College:
- Establishes a comprehensive approach to information security,
- Complies with federal and state regulations regarding the collection of confidential and restricted information as defined in ICOM's Data Classification Policy. These regulations include GLBA, Federal Red Flag Rules, FERPA, HIPAA, and eDiscovery, as well as non-Idaho state personal information laws.
- Establishes effective practices for the protection and security of information assets.
- Develops procedures for responding to breaches of information security.
SCOPE:
This policy is intended to support the protection, control, and management of ICOM's information assets. It covers Level III data and information (as defined in ICOM's Data Classification Policy) that is:
- Stored on databases
- Stored on computers
- Transmitted across internal and public networks
- Printed or handwritten on paper, whiteboards, etc.
- Stored on removable media such as removable hard drives, external hard drives, and other similar media
- Presented on slides using visual and audio media
DEFINITIONS:
- Data Steward – Data stewards are college officials having direct operational-level responsibility for information management - usually department directors. Data stewards are responsible for data access, user roles & responsibilities, and policy implementation. Procedures for performing data validation should be developed and implemented by data stewards in responsible departments.
- Data Custodian – Information Technology (IT) is the data custodian. The custodian is responsible for providing system access and a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup, and recovery processes, granting access privileges to system users as authorized by data owners or their designees (usually the data stewards), and implementing and administering controls over the information.
POLICY:
ICOM specifically prohibits unauthorized access to, tampering with, deliberately introducing inaccuracies to, or causing loss of ICOM's information assets. It also prohibits using information assets to violate any law, commit an intentional breach of confidentiality or privacy, compromise the performance of systems, damage software, physical devices, or networks, or otherwise sabotage College information assets.
ICOM shall protect its information assets from threats and exploits, whether internal or external, deliberate, or accidental. ICOM recognizes that no single office, policy, or procedure provides absolute security; therefore, all ICOM employees and authorized users of ICOM's information systems are responsible for minimizing risks and securing information assets within their control.
Security awareness, training, and education, together with compliance with policies and procedures, are vital to information security. Therefore, ICOM will provide an information security educational program that is distributed and readily available to users. The goal of this program is to educate users in safe and secure computing practices as well as proper handling and classification of confidential and restricted data.
The College will take appropriate action in response to misuse of College information assets. Any violation of this policy may result in legal action and/or College disciplinary action under applicable College and administrative policies and procedures, up to and including termination.
ICOM shall identify an Information Security Authority to monitor and report data security risks to the administration, address any data security breaches as required by law and ICOM, and serve as a resource to the College for data security and regulatory requirements. The Information Security Authority will review the information security program annually and report the results to the President and administration.
RESPONSIBLE OFFICIALS:
Director of IT/Information Security Authority, Faculty, Staff, and Students
OTHER POLICIES AND PROCEDURES:
The following policies and procedures provide detailed information, which together constitute ICOM's information security policy:
- Acceptable Use Policy - used to provide guidance to ensure the integrity of ICOM information resources
- Data Security Policy - used to provide guidance to determine the sensitivity level of ICOM data
- Data Classification Policy - used to provide a deeper definition for each sensitivity level of ICOM data as well as further definitions of criticality and responsibility to protect ICOM data
- Password Policy - establishes proper use and handling of passwords to access ICOM information systems and resources
- Email Accounts Policy - used to provide guidance on the appropriate use and security of ICOM-issued email accounts
- Records Retention Policy - used to provide guidance on retention and destruction of Institutional Records
- Data Breach Policy - used to provide guidance for responding to suspected or confirmed data breaches and outline a response
- Network Security Policy - used to provide guidance for appropriate protection of information traveling over ICOM computer networks
PROCEDURES:
ICOM shall identify an IT Security Authority to monitor and report data security risks to the administration, address any data security breaches as required by law and ICOM, and serve as a resource to the College for data security and regulatory requirements.
ACCESS TO INFORMATION SYSTEMS:
Access to Level III and/or confidential information, as defined in the ICOM Data Security Policy, is limited to the following groups and individuals: employees, temporary employees, third party contractors, and outside agencies, who are required to access this information to perform their job function or to fulfill contractual obligations. Third party contractors and outside agencies requesting access to this information must submit to the Information Security Authority a written request stating why they need access to the information. Exceptions to this rule are federal and state tax authorities with a need to know.
Access to ICOM systems and services will be limited to active users and accounts only. Users should refer to the ICOM Password Policy for authentication guidance. Users who attempt to access the College's information systems with expired passwords will be blocked after multiple unsuccessful attempts. Faculty or staff who have voluntarily terminated their employment may request to retain an account for up to two months after the last day of employment and have their e-mail forwarded to a non-ICOM account for that period. Notification will be sent via email one week prior to the pending account deletion date.
Faculty or staff members who have been terminated involuntarily from College employment will have their accounts suspended on the last day of employment.
SYSTEMS SECURITY RESPONSIBILITIES:
The ICOM Information Technology department is the "owner" of the College's information systems infrastructure, and is responsible for ensuring that network and software systems are effectively designed and maintained to provide optimal confidentiality, integrity, and availability. ICOM IT is primarily responsible for network and operating software maintenance, network storage, data transmission, information retrieval controls, and asset disposal. ICOM IT develops and implements controls and processes relating to access, systems performance, systems monitoring to detect intrusion and/or malicious code, and deploying security software for these systems.
PHYSICAL SECURITY:
Designated secure areas must be locked at all times. Designated secure areas will be labeled as such by appropriate signage.
Emergency access to secure areas can be provided by Campus Security. The Director of Information Technology and/or the Information Security Authority will be notified of such access via telephone or email in a timely fashion. Vendors/guests (non-ICOM employees) must be accompanied by appropriate ICOM Information Technology or Public Safety staff while in any protected location.
Areas used to store Level III records as defined in the ICOM Data Security Policy should be physically secured. File cabinets and other means of storage must be locked and secured. Access to areas containing Level III materials will be provided only to authorized personnel, as outlined above.
The department that owns the material in question will log access to these areas.
DATA RETENTION AND DESTRUCTION:
Level III materials will be retained and destroyed in accordance with the ICOM Records Retention Policy.
POLICY VIOLATIONS:
Employees who violate this policy are subject to disciplinary action, up to and including termination.
TRAINING:
All new employees of the College must participate in the online security awareness and training program. This program is delivered through the Office of Human Resources. Employees who handle Level III data as defined in the ICOM Data Security Policy will also be required to undergo annual security training.
ENCRYPTION OF DATA:
All Level III data, as classified by the ICOM Data Classification Policy, that is transmitted across public networks, including wireless, must be encrypted using standards outlined in the ICOM Encryption Policy.
STORAGE OF LEVEL III INFORMATION:
All Level III data, as classified by the ICOM Data Security Policy, that is transmitted across public networks, including wireless, must be encrypted using standards outlined in the ICOM Encryption Policy.
DATA BREACH:
All Level III data, as classified by the ICOM Data Security Policy, that is transmitted across public networks, including wireless, must be encrypted using standards outlined by the Information Technology Department.
POLICY OWNER:
Chief Information Officer/Information Security Authority
APPROVAL:
Effective: 9/7/21
Last Reviewed: 1/25/24
Review Requirement: Annual