Hillsborough Community College (HCC) has established standards for the protection and security of information, and for the use of information and technology resources. Information is secure only when its integrity can be maintained, its availability ensured, its confidentiality preserved, and its access controlled. Security procedures protect information from unauthorized viewing, modification, dissemination, or destruction and provide recovery mechanisms from accidental loss. The security of information is the responsibility of all people who are authorized to access it. All employees are expected to abide by these standards.
The policy will provide details about standards for the use of information and resources. We affirm, as part of our policy, that we will protect customer confidentiality and employee privacy in accordance with applicable laws and our personnel policies. Each person subject to this policy will sign a statement affirming that they have read, that they understand, and that they intend to comply with the provisions stated herein. The signing of this statement is a requirement for obtaining access to the organization’s data systems and networks.
3. SCOPE AND APPLICATION
The Office of Information Technology (OIT) is responsible for establishing and maintaining organizational information security policies, standards, guidelines, and procedures. The focus of these activities is on information, regardless of the form it takes, the technology used to manage it, where it resides, and which people possess it.
The policy applies to employees, customers, volunteers, vendors, contractors, Board members, affiliates and any others who use our information resources or who have access to information. The policy applies equally to any information of the organization, including but not limited to electronic data, written or printed information and any other intellectual property of the organization. The information resources include hardware, software, manuals and office equipment. All individuals agree not to disclose information improperly or to use information improperly or unethically for personal or professional gain.
4.1. Critical Business Function: Reliable information and information systems are necessary for the performance of many of the essential activities of Hillsborough Community College. If there were to be a serious security problem with our information or information systems, Hillsborough Community College could suffer serious consequences such as legal liability and degraded reputation. Accordingly, information security is now a critical part of our business environment.
4.2. Supporting Business Objectives: This policy has been prepared to ensure that the college is able to support our educational mission. This document is also intended to support our reputation for integrity. Because the prevention of security problems is considerably less expensive than correction and recovery, this document may also reduce costs over time.
4.3. Consistent Compliance: A single unauthorized exception to security measures can jeopardize other users, the entire organization, and other external business partners. The interconnected nature of information systems requires that all users observe a minimum level of security. This document defines that minimum level of due care. In some cases, these requirements will conflict with other objectives such as improved efficiency and reduced costs. We have examined these tradeoffs and concluded that the minimum requirements defined in this document are appropriate for all workers at Hillsborough Community College. As a result, as a condition of continued employment, all workers (employees, contractors, consultants, temporaries, volunteers) must consistently observe the requirements set forth in this document.
4.4. Team Approach: The tools now available in the information security field are still rather unsophisticated. This means that Users must play an important role in the information security area. Because information and information systems are distributed to desktop PCs, and sometimes used in remote locations via laptop, the user’s role is an essential part of information security. Information is no longer the exclusive domain of OIT; information security is a team effort requiring the participation of every worker who comes in contact with the college and its information systems.
Every user must understand our policies and procedures about information security, and must agree in writing to perform his or her work according to such policies and procedures. Responsibility for information security on a day-to-day basis is everyone’s duty. Specific responsibility for information security is NOT solely vested within OIT.
5. INFORMATION SECURITY RESPONSIBILITIES AND PROCEDURES
5.1. Information Owners: Administrators in user departments must be designated as the Owners of all types of information used for regular business activities. When information Owners are not clearly implied by organizational design, the Vice President of Information Technology will make the designation. Information Owners do not legally own the information in question; they are instead members of the college’s administrative team who make decisions on behalf of the organization. Information Owners, or their delegates, are required to make the following decisions and perform the following activities:
5.1.1. Approve information-oriented access control privileges for specific job profiles
5.1.2. Approve information-oriented access control requests, which do not fall within the purview of existing job profiles
5.1.3. Select a data retention period for their information, relying on legal advice
5.1.4. Designate a system-of-record (original source) for information from which all management reports will be derived
5.1.5. Select special controls needed to protect information (such as additional input validation checks or more frequent back-up procedures)
5.1.6. Define acceptable limits on the quality of their information (accuracy, timeliness, time from capture to usage, etc.)
5.1.7. Approve all new and different uses of their information
5.1.8. Approve all new or substantially enhanced application systems that use their information before these systems are moved into operational status
5.1.9. Review reports about system intrusions and other events relevant to their information
5.1.10. Review and correct reports that indicate the job profiles which currently have access to their information
5.1.11. Review and correct reports which indicate the job profiles which currently have access to their information
5.1.12. Select a sensitivity classification category relevant to their information and review this classification periodically for possible downgrading
5.1.13. Select a criticality category relevant to their information so that appropriate contingency planning can be performed
5.1.14. Define procedures to assure information is being stored and handled in accordance with all relevant laws, regulations, and applicable professional standards
Information Owners must designate a back-up person to act when they are absent or unavailable. Owners may not delegate ownership responsibilities to third party organizations (such as outsourcing firms or consultants) or to any individual who is not a full-time employee. When both the Owner and the back-up Owner are unavailable, the Vice President of Information Technology may make Owner decisions.
5.2. Supervisors: Owners do not approve ordinary access control requests. Instead, a user’s immediate supervisor approves a request for system access based on existing job profiles. If a profile doesn’t exist, the manager’s responsibility is to create the profile, obtain the approval of relevant Owners, and inform OIT.
Similarly, when a worker leaves Hillsborough Community College, the worker’s immediate supervisor is responsible for promptly informing OIT that the privileges associated with the worker’s user-ID must be revoked. User-IDs are specific to individuals, and must not be reassigned to, or used by, others. Shortly after separation from Hillsborough Community College, a worker’s supervisor is additionally responsible for reassigning the involved duties and files to other workers.
It may also be helpful here to specify if/how the departing employee’s electronic mail/documents/file shares are archived and for what duration (not just for handing over to the next employee, but in case of later investigations seeking to confirm wrongdoing by the ex-employee).
5.3. Information Custodians: Custodians are in physical or logical possession of information and/or information systems. Like Owners, Custodians are specifically designated for different types of information. In most cases, OIT will act as the Custodian. If a Custodian is not clear based on existing information systems operational arrangements, the Vice President of Information Technology will designate a Custodian. Custodians follow the instructions of Owners, operate systems on behalf of Owners, but also serve Users authorized by Owners.
In cases in which the information being stored is paper-based, and not electronic, the Information Custodian responsibilities will logically fall to the department gathering the information. For such systems, OIT can offer guidance and suggestions, but will not provide the custodian services.
Custodians must define the technical options, such as information criticality categories, and then allow Owners to select the appropriate options for their information. Custodians also define information systems architectures, and provide technical consulting assistance to Owners so that information systems can be built and run to best meet business objectives. If requested, Custodians additionally provide reports to Owners about information system operations, information security problems, and the like. Custodians are furthermore responsible for safeguarding the information in their possession, including implementing access control systems to prevent inappropriate disclosure, as well as developing, documenting, and testing information contingency plans.
5.4. Information Users: Users are not specifically designated, but are broadly defined as any worker with access to internal information or internal information systems. Users are required to abide by all security requirements defined by Owners, implemented by Custodians, and/or established by OIT. Users are required to familiarize themselves with, and act in accordance with, all college information security requirements. Users are also required to participate in information security training and awareness efforts. Users must request access from their immediate supervisor, and report all suspicious activity and security problems (see the section below entitled Reporting Problems).
5.5. Information Security: OIT (and, more particularly, an appointed manager identified by title acting as the senior-most accountable Information Security responsibility owner) is the central point of contact for all information security matters at Hillsborough Community College. Acting as internal technical consultants, this Department’s responsibility is to create workable information security compromises that take into consideration the needs of various Users, Custodians, and Owners. Reflecting these compromises, this Department defines information security standards, procedures, policies, and other requirements applicable to the entire organization. OIT is responsible for handling all access control management activities, monitoring the security of the organization’s information systems, and providing information security training and awareness programs to the college’s employees. The Department is additionally responsible for periodically providing management with reports about the current state of information security.
OIT must also provide technical consulting assistance related to emergency response procedures and disaster recovery. OIT is responsible for organizing a Computer Emergency Response Team (CERT) to promptly respond to virus infection, hacker break-ins, system outages, and similar security problems. Guidance, direction, and authority for information security activities are centralized for the entire organization within OIT.
OIT must provide the direction and technical expertise to ensure that the college’s information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. The Department will act as a liaison on information security matters between all departments, and must be the focal point for all information security activities throughout the organization. The Department must perform risk assessments, prepare action plans, evaluate vendor products, assist with control implementations, investigate information security breaches, and perform other activities that are necessary to assure a secure information-handling environment.
OIT has the authority to create, and periodically modify, both technical standards and standard operating procedures (SOPs), which support this information security policy document. These SOPs, when approved by appropriate organizational administrators, have the same scope and authority as if they were included in this policy document. When a standard or procedure is intended to become an extension of this policy document, the document will include these words: “This standard or procedure has been created by the authority described in the Hillsborough Community College’s Information Security Policy, and must be complied with as though it were part of the Policy document.”
6. OIT RESPONSIBILITIES, POLICIES AND PROCEDURES
OIT must establish and maintain sufficient preventive and detective security measures to ensure that the college’s information is free from significant risk of undetected alteration.
6.1. Information Security Policy Document
6.1.1. This Department is responsible for developing and maintaining this information security policy document.
6.1.2. The policies and procedures in this document will be reviewed and evaluated on a regular basis.
6.1.3. Management fully supports the development and enforcement of these information security policies and procedures.
6.2. Information Security Organization
6.2.1. The Vice President of Information Technology is the person who will oversee and ensure compliance with policies and procedures within the organization.
6.2.2. OIT will occasionally test users to ensure that consistent compliance exists across the organization.
6.2.3. Third Party connection access requirements to the computer network are documented in contracts and agreements.
6.2.4. Information security requirements are fully specified in outsourcing contracts.
6.3. Asset Classification
6.3.1. A formal IT Asset Information Management System (IMS) is in place that tracks the movement of IT assets.
6.3.2. The IMS is detailed and covers the movement of hardware and software assets.
6.3.3. Sensitive information assets are classified as Confidential.
6.3.4. Classified information transmitted over insecure networks, such as the Internet, must be adequately encrypted.
6.4. Personnel Security
6.4.1. Positions with specific information security job responsibilities have been documented in job descriptions.
6.4.2. Applicants for positions that involve access to sensitive facilities receive a pre-employment background check and a thorough screening, including past criminal and credit checks.
6.4.3. Information security awareness is recognized as a significant risk management issue. New employees receive information security policies as part of their orientation, and as part of ongoing communication activities.
6.4.4. Information security breaches are logged and analyzed for patterns. A formal disciplinary process is in place for dealing with breaches.
6.5. Physical Security
6.5.1. There are cipher or magnetic card locks on computer room doors, and codes / authorized cards are limited to authorized persons.
6.5.2. Computer rooms have installed fire suppression equipment. Maintenance is performed at least annually.
6.5.3. All computer systems (including PBX and communication rooms housed separately from the main data center) are tied into the Uninterruptible Power Supply (UPS) system. The computer room is equipped with a backup generator that is tested on a periodic basis.
6.5.4. Computers and magnetic media are checked for sensitive information prior to disposal.
6.6. Computer and Network Security
6.6.1. All computer systems and applications have written documentation describing operational procedures. Documents are formally maintained and required for all applications. Vendor manuals exist for all purchased packages. It is someone’s responsibility to ensure the accuracy of the system documentation, procedures, and manuals.
6.6.2. There is a documented change control process. Changes to most networks, operating systems or application systems (both legacy and client-server or web) are documented and approved.
6.6.3. A formal capacity and resource planning effort has been established. New applications and machines are periodically reviewed by a group of individuals from across the organization. There is regular tracking of utilization and bottlenecks and some planning for future requirements.
6.6.4. There is a documented virus policy and protection program. Virus detection software is installed on all file servers and personal computers. Virus signature updates are routinely posted. There are adequate preventative controls. Users have been instructed to check files, mail attachments and downloads of uncertain origin.
6.6.5. Appropriate, frequent backups of business systems are stored in remote, fireproof safes or hot sites. Thorough testing has proved that the processes work. Retention periods for all essential business information have been determined.
6.6.6. Operations staff maintain a work log (system start and finish times, system errors and corrective actions, confirmation of input and output). Monitoring is in place for most systems, with critical systems given more attention.
6.6.7. A network monitoring package and a commercial firewall and/or proxy server are in place. Firewall configurations are based upon industry best practices or certified. Operating system and router settings are benchmarked on industry best practices, and kept up-to-date with patches/upgrades recommended by product vendors and/or other professional sources.
6.6.8. There are basic logs/lists of tapes to help trace or locate a backup tape. Media is physically secured and housed in locked rooms or cabinets.
6.6.9. Basic controls secure e-commerce activities, including general e-mail policies, secure FTP, and web servers implemented with basic security controls but no SSL encryption.
6.7. System Access Control
6.7.1. A formal system access request procedure exists. A written request / form must be completed in order to create, modify, or delete any user account. Approvals are required and usually obtained. User privileges may not be revoked / deleted within one month.
6.7.2. All users are made aware of their responsibilities with respect to the selection and use of strong passwords. Passwords expire at least every 90 days. Stricter controls exist on sensitive systems or accounts. There are no shared or guest accounts.
6.7.3. Only authorized users are able to gain access to networked systems from a remote location. There are adequate controls over the authentication of remote users using dial-back modems or at least two levels of passwords. Network access is generally controlled through the use of firewalls at major access points.
6.7.4. Unique user IDs and strong passwords are the rule in order to gain access at the operating system level on all systems. Logon processes are secure, and passwords would be difficult to guess. There are no anonymous or shared accounts.
6.7.5. All powerful system utilities are fully protected against unauthorized access. Most have been removed from the live systems and special access procedures are in place.
6.7.6. Event logs are kept automatically for most systems showing unauthorized access attempts, privileged operations, major system events, and system failures. Logs are reviewed daily or in response to problems. Logs from sensitive systems are taken offline and stored securely.
6.7.7. Reasonable controls are provided for most laptops, such as access control software using one-time passwords or similar strong authentication, regular backups, virus prevention, and cable locks. Telecommuters must use approved security methods when accessing the corporate network, or access will not be granted.
6.8. System Development and Maintenance
6.8.1. Policy requires that encryption be used for critical or sensitive systems, and for some mail or files transmitted over public networks. Adequate encryption and public key management techniques are used. Users are responsible for managing their own encryption products and public keys.
6.8.2. Formal procedures have been established regarding the steps needed to update or upgrade Operating Systems and User Applications. System administrators, testing personnel, and network management are involved in testing before any migration from test to production systems is permitted.
6.8.3. There is a strict policy against modification of vendor-supplied packages, and they are only modified directly in-house as a last resort. The written consent of the vendor is always obtained, with potential impacts to future releases documented and understood.
6.9. Business Continuity Planning
6.9.1. Management supports the development and maintenance of Business Continuity Plans (BCPs) across the organization. Someone is responsible for coordinating BCPs. BCPs are updated regularly, and are occasionally tested to determine effectiveness.
6.9.2. BCPs address most of the following: outline of responsibilities, conditions for activating the plan, emergency procedures, contact lists, fallback and resumption, and a program for awareness, education, and testing.
6.9.3. A comprehensive IT disaster recovery plan is an integral part of all applicable BCPs.
6.9.4. All BCPs are tested at least annually, and testing is scheduled for specific departmental BCPs in response to modifications to affected application systems or computer systems. All connections with critical third parties are tested.
6.10. Compliance
6.10.1. There are strong management controls in place to monitor and ensure compliance. There is evidence of a comprehensive control framework, designed in conjunction with legal advisors, and management responsibilities are clearly allocated. There are regular independent risk-based compliance reviews and management reporting. There is almost no risk of managers being prosecuted for non-compliance. Users who break laws or contractual obligations are considered for discipline and possible prosecution.
6.10.2. All managers and staff are educated about their responsibilities through orientation, policy and other awareness methods (e.g., newsletters, posters, flyers, etc.). Staff must demonstrate active compliance with the controls, and must re-affirm their understanding of policies by annual acknowledgement and review.
6.10.3. Standards for secure configuration settings are comprehensive and regularly updated. A comprehensive program of regular reviews of compliance with secure configuration standards is scheduled, aided by automated technical security auditing tools.
6.10.4. Information security audits are conducted on a regular basis, based on risk analysis results. Automated audit/security scanning and assessment utilities and tools are frequently used.
6.10.5. Audit, scan, or verification processes are documented; controls over access to audit materials have been established. Logging facilities are in place and have been designed for most application systems. Access to system audit tools and system audit facilities is strictly controlled.
7. REVISION HISTORY
Initial policy draft.
Official Policy designation