ADMINISTRATIVE PROCEDURES
Title: INFORMATION SECURITY PROGRAM
Identification: 9.12
Effective Date: July 11, 2023
Authority: FS 1001.64; 1001.65
Signature/Approval: Dr. Ken Atwater
PURPOSE
The purpose of this procedure is to provide details about standards for using, protecting, and accessing information and resources in accordance with applicable laws and institutional policies.
PROCEDURE
Hillsborough Community College (HCC) has established standards for protecting and securing information and using information and technology resources. Information is secure only when its integrity can be maintained, its availability ensured, its confidentiality preserved, and its access controlled. Security procedures protect information from unauthorized viewing, modification, dissemination, or destruction and provide recovery mechanisms from accidental loss. The security of information is the responsibility of all people who are authorized to access it.
The Office of Information Technology (OIT) establishes and maintains organizational Information Security policies, standards, guidelines, and procedures. The focus of these activities is on information, regardless of the form it takes, the technology used to manage it, where it resides, and which people possess it.
The procedure applies equally to any of HCC's information, including but not limited to electronic data, written or printed information, and any other intellectual property of the organization. The information resources include hardware, software, manuals, and office equipment. All individuals agree not to improperly disclose or unethically use the information for personal or professional gain.
OIT Responsibilities, Policies, and Procedures
OIT will establish and maintain sufficient preventive and detective security measures to ensure the college's information is free from significant risk of undetected alteration.
- Information Security Policy Document
  - OIT is responsible for developing and maintaining this information security policy document.
  - OIT will conduct regular policy and procedure reviews and recommend updates and revisions as necessary.
  - The policies and procedures referenced in this document will be reviewed and evaluated bi-annually to ensure compliance.
  - Management fully supports the development and enforcement of these information security policies and procedures.
- Information Security Organization
  - The Vice President of Information Technology, or their designee, will oversee and ensure compliance with Information Technology policies and procedures within the organization.
  - OIT will occasionally audit users to ensure that compliance exists across the organization as appropriate.
  - Third-party connection access requirements to the computer network are documented in contracts and agreements.
  - Information security requirements are fully specified in outsourcing contracts.
  - The Office of Information Technology will designate a person to:
    - Coordinate the development and maintenance of information security policies and standards.
    - Investigate security incidents and coordinate their resolution as defined in the Incident Response Policy.
    - Oversee the institutional Information Security Awareness program.
    - Serve as liaison to local, state, and federal law enforcement, Internal Audit, and College Legal Services.
- Separation of Duties - Separate individuals must perform tasks involved in critical business processes. Responsibilities of developers, operations, and security administrators must not overlap unless authorized by the Information Owner.
Asset Classification
- An IT Asset Information Management System (IMS) is in place that tracks the inventory and configuration of IT assets.
- Data information assets are classified as Restricted or Sensitive according to the Data Classification Policy and the Data Classification Guidelines.
- Classified information transmitted over insecure networks, such as the Internet, must be adequately encrypted.
- Information Security Reviews must be performed in the following scenarios:
  - Implementation of new Information Systems and services or significant changes to existing college information services or systems that may store or transmit Restricted or Sensitive data.
  - Implementation of new critical infrastructure or significant changes to existing critical infrastructure.
  - Implementation of a new enterprise system or significant changes to existing enterprise systems.
  - Implementation of new systems or significant changes to existing systems that permit third-party access to HCC systems or data.
  - Implementation of cloud services for the storing or processing of Restricted or Sensitive data.
Personnel Security
- Positions with specific information security job responsibilities have been documented in job descriptions.
- Information security awareness is recognized as a significant risk management issue. New and existing employees receive information security policies as part of their orientation and annual training.
Physical Security
- All Information Technology facilities must be physically protected in proportion to the importance of their function at Hillsborough Community College.
- There are physical access controls on restricted areas that track access by authorized persons.
- Computer rooms have installed fire suppression equipment. Maintenance is performed at least annually.
- The Datacenter is equipped with an Uninterruptible Power Supply (UPS) system and a backup generator that is tested periodically.
Computer and Network Security
- The college utilizes Endpoint Detection and Response (EDR) software to mitigate and remediate malware and threats to computers and servers. The college ensures that:
  - EDR software is installed on all file servers and institution-owned computers.
  - EDR software is routinely updated on managed computers.
  - A user is prohibited from disabling or removing EDR software from computers and servers.
- There are preventative security controls to address threats to the security of computers and data.
- Appropriate and regular backups of business systems are maintained. Routine testing verifies that the backups are restorable and that the process meets the retention requirements for each resource backed up. Retention periods for all essential business information have been determined, documented, and shared with relevant stakeholders.
System Access Control
- A formal system access request procedure exists. Requests must be completed to create, modify, or delete any user account.
- Unique user IDs and passwords are required to access information systems. Anonymous or shared accounts are prohibited unless authorized by OIT.
- All users are made aware of their responsibilities concerning creating and using strong passwords, and passwords must comply with the College's password policy.
- Only authorized users can gain access to networked systems from a remote location. Adequate controls exist governing the authentication of remote users.
- Event logs are kept for most systems showing unauthorized access attempts, privileged operations, major system events, and system failures. Event logs are reviewed regularly and in response to problems.
Compliance
- There are management controls in place to monitor and ensure compliance with this Information Security Policy.
- To comply with regulatory requirements, regular independent risk-based compliance reviews of controls, policies, and procedures exist. The results of these reviews will be provided to all applicable management and the Board of Trustees.
- All managers and staff are educated about their responsibilities through orientation, policy, and Security Awareness training.
- Information security audits are conducted regularly based on risk analysis results. Automated audit/security scanning and assessment utilities and tools are frequently used.
- Audit, scan, or verification processes are documented; controls over access to audit materials have been established. Logging systems are in place and have been designed for most application systems. Access to system audit tools and system audit facilities is strictly controlled.
Reference
- AP-9.18 Vulnerability Assessment Policy
HISTORY
New