91¿´Æ¬Íø

ITS Policies & Procedures

OVERVIEW

91¿´Æ¬Íø has an obligation to comply with various regulations which require it to create effective administrative, technical, and physical safeguards to protect personal information. Failure to protect this information – or the electronic resources it typically resides in – could have financial, legal, and ethical ramifications. Mitigating risks to 91¿´Æ¬Íø operations preserves the ability of the College to perform its mission and meet its responsibilities to students, faculty, staff, and the community it serves. Additionally, many government regulations and granting agencies already require a higher level of security to safeguard government information included in research and university projects. In the future, many of these sponsors will not accept grant applications from institutions that do not meet these higher standards of data security. As such, the College acknowledges its obligation to implement appropriate security mechanisms for information systems in its domain of ownership and control.
To meet these obligations, the College is publishing this Information Security Policy (hereafter the “Policy”) and has established an associated internal Comprehensive Information Security Program (hereafter “Program”) to guide these endeavors. The Policy covers all forms of Personal Information (hereafter “PI”) whether it is maintained digitally, on paper, or other media. Such information may be called Confidential Personal Information (CPI), Personally Identifiable Information (PII), Non-public Financial Information (NFI), or Personal Health Information (PHI) by various regulatory acts or information security frameworks, but the general concept is the same. As the nature of the work is complex and the scope of the project extensive, the Program will be implemented through an Information Security Plan (hereafter “Plan”) in a phased approach.
In formulating and implementing the Program, the College’s objectives are to:
  • Identify reasonably foreseeable internal and external risks to the confidentiality and/or integrity of any electronic, paper, or other records containing personal information;
  • Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
  • Evaluate the sufficiency of existing policies, procedures, information systems, internal controls and security practices, in addition to other safeguards in place to control risks;
  • Design and implement a plan that puts safeguards in place to minimize those risks, consistent with the requirements of federal regulatory acts and Illinois state laws; and
  • Periodically monitor the effectiveness of those safeguards and adjust them as necessary.

1. PURPOSE

91¿´Æ¬Íø is committed to protecting the confidentiality, integrity, and availability of all sensitive data that it accesses, collects, distributes, processes, stores, uses, transmits, disposes of, or otherwise handles. The College has implemented multiple policies to protect such information, and this Policy should be read in conjunction with these other policies that are linked at the end of this document. The Program and Plan are aligned with security best practices recommended in widely adopted cybersecurity frameworks and associated publications:
  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and other NIST publications;
  • The Cybersecurity Performance Goals (CPGs) published by the federal Cybersecurity and Infrastructure Security Agency (CISA);
  • The (v8);
  • The
  • With additional materials available to members of the .
The specific goals in publishing this Policy are to:
  • Describe how 91¿´Æ¬Íø complies with the Gramm-Leach-Bliley Act ("GLBA") Safeguards Rule and other federal and state laws and regulations;
  • Identify baseline security standards for 91¿´Æ¬Íø;
  • Detail administrative, technical, and physical safeguards being implemented to protect systems and data maintained by the College;
  • Establish procedures which align with current Information Security best practices;
  • Ensure clear communication of information security policies and standards;
  • Communicate how Information Technology Services (ITS) will identify and mitigate information security risks to the College; and
  • Assign responsibility for the security of departmental, administrative, and other critical 91¿´Æ¬Íø e-resources.

2. SCOPE

This Policy applies to all 91¿´Æ¬Íø employees, whether full- or part-time, including faculty, staff, contracted and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the College community (hereafter the “Community”). The Policy also applies to contracted third-party vendors.
This policy refers to all college hardware, software, applications, and services (henceforth “e-resources”, defined in more detail in the Acceptable Use of E-Resources Policy), whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the College. This includes all networked devices, including but not limited to desktop and portable computers, mobile devices (tablets, phones, etc.), any personal device with which a user handles PI, shared lab workstations, instructional systems, other wireless devices, and any associated peripherals and software, regardless of whether used for administration, research, teaching, or other purposes.
For the purposes of this Policy, "Personal Information" is defined by the State of Illinois in the Personal Information Protection Act (815 ILCS 530/) as:
“(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(A) Social Security number.
(B) Driver's license number or State identification card number.
(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”
The definition of PI under GLBA is slightly different and can be found here: .
Examples of Personal Information which may directly – or in combination with other pieces of data – reveal a person’s identity include but are not limited to:
  • names of known aliases
  • names of family members
  • maiden names
  • postal/mailing addresses
  • date of birth
  • place of birth
  • driver's license or state ID number
  • social security number
  • passport number
  • tribal identification card number
  • taxpayer ID number or tax return information
  • other government-issued ID card number
  • email addresses
  • social media addresses
  • educational information, including performance evaluations
  • credit or debit card numbers
  • bank or other financial account numbers
  • password, PIN, or other access code that permits access to financial accounts
  • any unique identifying number, characteristic, or code, including electronic ID number
  • fingerprints
  • DNA profile
  • handwriting
  • biometric data - retina or iris scan, voice analysis, facial geometry
  • photos, especially of face or other identifying characteristics
  • digital signature
  • license plate number
  • health account numbers
  • health account payment information
  • health insurance information, subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history
  • other insurance numbers
  • medical (physical or mental) history information
  • medical (physical or mental) condition information
  • medical (physical or mental) treatment or diagnosis information
  • medical records or record numbers
  • device identifiers and serial numbers
  • certain information 91¿´Æ¬Íø collects through an Internet "cookie"
The Policy is not intended to supersede any existing 91¿´Æ¬Íø policy that contains more specific requirements for safeguarding certain types of data, except in the case of PI as defined above. If such a policy exists and it conflicts with the requirements of the Information Security Policy, the other policy takes precedence.

3. RISK ASSESSMENT & MANAGEMENT

3.1 Risk Assessments: 91¿´Æ¬Íø recognizes that it has both internal and external risks to the security, integrity, and confidentiality of College information. These risks include, but are not limited to:
  • Unauthorized access of confidential data;
  • Compromised system security following unauthorized access;
  • Interception of data during transmission;
  • Loss of data integrity;
  • Physical loss of data in a disaster;
  • Errors introduced into systems;
  • Corruption of data or systems;
  • Unauthorized access of confidential data by employees;
  • Unauthorized requests for confidential data;
  • Unauthorized access through hard copy files or reports;
  • Unauthorized transfer of confidential data through third parties; and
  • Employee compliance with security training and security policies and standards.
The Program shall be based on a risk assessment which will detail these and other reasonably foreseeable internal and external risks to institutional data and systems in a Risk Register, which shall also assess the adequacy of existing security controls to safeguard College systems and data. Risk assessments shall be updated regularly to evaluate the sufficiency of elements of the Program to meet the current and foreseeable threats to College data and systems.
3.2 Risk Management: To successfully manage risk for 91¿´Æ¬Íø, senior leadership must be committed to making information security an underlying principle of operating the College to protect the institution and its community. This top-level commitment ensures that sufficient resources are available to develop and implement an effective, institution-wide security program. Effectively managing information security risk requires the following key elements:
  • Assignment of risk management responsibilities to appropriate senior leadership;
  • Ongoing recognition and understanding by senior leadership and IT Governance of the information security risks to 91¿´Æ¬Íø information assets, operations, and personnel;
  • Establishment of the tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities;
  • Providing accountability for senior leadership for their risk management decisions; and
  • Ongoing assessments of internal and external risks, tracked with a Risk Register.
3.3 Risk Remediation or Acceptance: As the Risk Register is updated with newly identified risks, risk scores are calculated by analyzing the impact of each risk and the likelihood of its occurrence, and then prioritized by the immediacy of the risk. The Information Security Manager (ISM) shall maintain the Risk Register and advise the Chief Information Officer (CIO) of additions; the CIO, in consultation with the Executive Leadership Team, may choose to accept risks, assign risks to other owners, or select methods and schedules for their remediation. Some risks may be accepted due to the finite resources of the College and the cost or scope of potential remediation. Where the likelihood or immediacy of a risk is unclear, the ISM and/or CIO shall consult subject matter experts as needed.
3.4 Third-party Risk: All third-party service providers shall be subject to a security risk review prior to entering into an agreement and on a regular basis afterward. The ISM and/or CIO will review the security controls that the Third Party has in place to ensure its standards, policies, and practices are consistent with applicable state and federal regulations and 91¿´Æ¬Íø policies. Vendors who either refuse to disclose security controls and practices or otherwise indicate a lack of consistent safeguards for IT risk management shall be barred from accessing, storing, processing, or otherwise handling College protected data. Compliance with reasonable security controls will be mandated through contractual requirements. Vendor reviews shall be performed using the Higher Education Community Vendor Assessment Toolkit (HECVAT) developed by EDUCAUSE. Any vendors that handle PI under our data classification policy will be required to fill out the full assessment. Vendors handling less sensitive data may use the shorter version of the assessment. Additionally, the College shall enforce the following Vendor Management policies:
3.4.1 Supply Chain Risk Management: The College shall develop a matrix of requirements to assess and score 3rd- and 4th-Party Risks, which shall be included in the Risk Register.
3.4.2 Technology Adoption/Acquisition: All technology hardware and software under consideration for use at the College shall be reviewed and approved by ITS prior to purchasing, adopting, or otherwise committing to a method of acquisition, per the Technology Procurement & Vendor Management Policy. In short, such reviews shall consist of:
  • A thorough review for technical compatibility
  • A review of the technology’s technical and administrative risks; and
  • An analysis of any impact to the College’s regulatory compliance requirements.
3.4.3 Service Provider Oversight Methods: Whenever the College retains a service provider that will maintain, process, or have access to PI or other confidential data, the College will ensure that the provider has in place an information security program sufficient to protect it. The College will include in the contracts with service providers having access to confidential data a provision requiring the providers to have in place security measures consistent with the requirements of Illinois Law and regulations thereto and to assure that such data is used only for the purposes set forth in the contract.

4. ROLES AND RESPONSIBILITIES

Every user of 91¿´Æ¬Íø e-resources has a general responsibility to protect College assets, while some offices and individuals have specific responsibilities:
Executive Leadership Team (also, Senior Leadership Team): Responsible for making a final review and approval of this policy. Comprised of the President and the members of the Senior Leadership Team.
Executive Response Team: Responsible for determining the level of incident response needed during an incident. Comprised of the CIO and other members of the Senior Leadership Team as determined by the President.
Chief Information Officer (CIO): Responsible for Information Technology Services (ITS) and the overall operations and security of the e-resources and data it manages. The CIO is responsible for the creation, maintenance, and regular review of this and other policies prior to final approval by Executive Leadership team. The CIO must also report all compliance-related activities pertaining to this policy to the Executive Leadership team.
Information Security Manager (ISM): Reporting to the Chief Information Officer (CIO), the ISM has the principal obligation for Information Security. The ISM develops and – in partnership with the CIO – implements procedures and standards to meet security requirements outlined in this policy. The ISM must report all matters pertaining to compliance with this policy to the CIO or other designated IT Governance bodies. The ISM is responsible for the development of the Program and executes the Plan.
College Services: Various officers within the college have the primary responsibility and authority to ensure 91¿´Æ¬Íø meets external and internal requirements for intellectual property, research and institutional data, and the privacy and security of confidential and business information. Multiple departments are responsible for general security issues (legal issues, security compliance, physical security, communications, and ITS infrastructure security). These individuals or departments are responsible for assisting in the development of college information security policies, standards, and best practices in their areas of responsibility. They are also responsible for advising departments and individuals in security practices related to areas they oversee, as follows:
  • Personnel information and confidentiality - Human Resources
  • Student information and confidentiality - Registrar’s Office
  • Financial information and transactions - Finance and Administration
  • Financial aid information – Financial Aid
  • Perkins Loan information – Student Accounts
  • Infrastructure, communication, and systems security and audit - ITS
  • Legal Issues – Business and Finance for engaging legal counsel service
  • Health information - Student Affairs
  • Alumni, parent, and donor information - Advancement Office
Departments and Other Units: Departments and other units are responsible for the security of any information they create, manage, or store, and for any information they acquire or access from other college systems (i.e., student records, personnel records, business information).
Employees: All 91¿´Æ¬Íø employees, including contract and temporary workers, hired consultants, interns, student employees, and others granted access to and the use of College data and systems are expected to understand the data classification levels defined in this policy, classify data appropriately for which they are responsible, access data only as needed to meet legitimate business needs, and not divulge, copy, release, sell, loan, alter, or destroy any College data without a valid business purpose and/or authorization.
Product Owner: Every information technology system, application, server, or other service used at 91¿´Æ¬Íø (hereafter “IT Service”) must have a designated Product Owner, a named individual maintained on file in Information Technology Services. This individual is responsible for ensuring that each such IT Service complies with this policy, and the Product Owner must report any discovered non-compliance or possible security events promptly to the Information Security Manager. Product Owner designations are determined at the Vice President or division head level, and VPs/division heads must promptly name a new Product Owner upon reassignment or the departure of a Product Owner from 91¿´Æ¬Íø employment. All information and data at 91¿´Æ¬Íø, including that which is stored, processed, or transmitted by IT Services, is subject to the Data Protection Policy (see section 6.) Product Owners are responsible for ensuring their IT Services are compliant with the Data Protection Policy. For student-developed IT Services in use at the College, a student may be the Product Owner under the supervision of an authorized faculty or staff member, but the faculty or staff member or relevant department or division must name a Product Owner upon the student’s graduation or termination of enrollment from 91¿´Æ¬Íø. The supervising faculty or staff member will become the Product Owner by default if a new Product Owner is not named.
Note: The security of applications and data administered by departments and individuals outside of ITS is the responsibility of the administering department. ITS staff will provide advice and support for implementing security measures when requested.

5. SECURITY STANDARDS POLICIES

5.1 Accounts, Authentication, and Authorization Policy: This section defines required account management and access control standards for all College IT systems and applications to protect the privacy, security, and confidentiality of College e-resources and confidential data.
5.1.1 Accounts (Identification): 91¿´Æ¬Íø provides computing accounts (UserIDs) for persons who have a current or future official status with the college that requires the use of computing resources. Information Technology Services is responsible for managing employee and student access to applications, servers, network, and telecommunication resources including but not limited to Microsoft Office 365, My.LakeForest, Moodle, Panopto, PaperCut, and the College administration system. 91¿´Æ¬Íø user credentials providing access to email and other general-purpose applications and services shall be provisioned and terminated as detailed in the Eligibility for Accounts Policy.
Additional accounts which provide access to systems containing PI or other confidential data will be provided on an as-needed basis, based on job role, function, department, division, or duties, and are subject to regular monitoring to ensure PI is being handled appropriately.
5.1.2 Authentication: Authentication is a process by which users, processes, or services provide proof of their identity. 91¿´Æ¬Íø IT systems shall require strong, complex, and unique passwords reinforced by the use of Multi-Factor Authentication (MFA) whenever technically possible.
  • Passwords: Passwords to 91¿´Æ¬Íø systems, services, and applications shall be robust, non-default, and changed when ITS staff has reason to believe a password has been reused or there is evidence a password has been stolen, exposed, or otherwise compromised. More specifics are contained in the 91¿´Æ¬Íø Password Policy, published separately to promote convenient access.
  • MFA: Also known as 2-Factor Authentication or Multi-Factor Authentication, MFA combines two elements across three categories of information: something you know (a password, PIN, or other secret), something you have (like a hardware token or mobile phone), and something you are (biometric information, such as a retina scan or fingerprint.) Combining two or more factors to perform strong authentication in this fashion provides the College with a reasonable degree of confidence that e-resources remain secure, and that College data is accessed only by authorized users. All members of the College community, including contracted third-party vendors, shall perform MFA as required by ITS to access and use 91¿´Æ¬Íø e-resources. ITS may, at its discretion, add or remove user-selectable methods of performing MFA as new methods mature – or existing methods become too easy to compromise – as the technology landscape evolves. For users who cannot perform MFA using ITS-accepted methods (example: Microsoft Authenticator on a mobile phone) requests for hardware tokens will be reviewed by either the ISM or CIO and issued on a case-by-case basis. The use of a hardware token will only be granted for exceptional cases, such as not owning a mobile phone capable of modern MFA methods.
  • Single Sign-On (SSO): All 91¿´Æ¬Íø IT Services must leverage the College’s authorized single-sign on (SSO) solution unless an exception has been approved by the CIO.
5.1.3 Authorization: 91¿´Æ¬Íø IT systems shall be governed by the following standards for authorization to perform actions on College e-resources:
  • Least Privilege: Only the minimum privileges necessary to complete required tasks will be assigned to an individual.
  • Separation of Privileges: When privileged access is necessary to complete administration duties on an IT system, separate accounts must be used. For example, Active Directory domain administrator privileges shall not be assigned to the same account that the employee uses for general use of their computer, email, web browsing, etc. As soon as the phased approach of the Plan allows, the College shall adopt the use of Privileged Administrative Workstation (PAW) virtual machines to complete tasks requiring elevated privileges.
  • Changes of Authorization: Privileges assigned to each individual must be reviewed and either modified or revoked upon a change in status with the College (e.g., due to a change in role or responsibilities, termination of employment, withdrawal, or completion of degree-seeking activities), and access to 91¿´Æ¬Íø e-resources must be adjusted accordingly. For employees, it is the responsibility of Human Resources to notify ITS of the change in role or status.
5.2 Auditing Policy: All College identities, credentials, and permissions shall be audited annually to ensure no unauthorized devices, users, or processes retain access which would be inappropriate to their current status.
5.3 Encryption Policy: The College shall always use sufficiently robust encryption to protect confidential data in use, in transit, and at rest. Technological discoveries which render chosen methods of encryption insufficiently protected against likely attack methods shall result in the encryption method being changed to a suitably protective method with an immediacy pursuant to the sensitivity of the data being secured. The College shall use NIST-approved encryption wherever technically feasible.
5.4 Continuous Monitoring Policy: The 91¿´Æ¬Íø network environment and other e-resources shall be continuously monitored for threat actor footholds, malicious software, probing for vulnerabilities, and other security risks as follows:
  • 5.4.1 Endpoints: Endpoint devices shall have their system and activity logs forwarded to a Security Information and Event Manager (SIEM) or comparable solution for analysis.
  • 5.4.2 Servers: Server access logs shall also be monitored by the College SIEM (or equivalent) for unauthorized access or activity, and additionally shall be scanned weekly for security vulnerabilities. Software with major vulnerabilities which cannot be patched, effectively remediated, or otherwise secured shall be considered “legacy” and all efforts to retire or replace the platform should be undertaken as soon as possible.
  • 5.4.3 Network: The College shall, as soon as feasible under the phased approach of the Plan, adopt a Network Detection & Response (NDR), Next-Generation Firewall (NGFW), and/or other tool(s) capable of monitoring for and detecting suspicious activity occurring on the network.
  • 5.4.4 IoT Devices: IoT devices shall be avoided when possible, placed in sequestered portions of the network, and continuously monitored to identify abnormal traffic and emergent threats.
  • 5.4.5 Automated Logging & Analysis: As much as technically possible, logs from all networked IT devices should be monitored by the College SIEM and have automated analytics performed to detect unusual activity.
  • 5.4.6 Human Review of Surfaced Anomalies: Once automated behavior analytics have identified a potentially suspicious event, it shall be reviewed by a human analyst to determine if additional actions need to be taken to respond to a potential threat.
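The Automated Logging & Analysis and Human Review items above describe a pipeline: logs are collected, an automated rule surfaces candidate events, and an analyst reviews what the rule surfaced. The following is an added example of one such rule, written for this page and not part of the College's policy, SIEM, or tooling. It assumes a constructed one-line-per-event authentication log format (ISO timestamp followed by host, user, src and result fields); the host names, addresses and sample lines are constructed, and a real SIEM feed would need its own parser. The rule surfaces a source address that produces at least five failed logons within ten minutes, and records whether a successful logon from that source followed the burst, which is the detail an analyst would want first.

```python
"""Automated log analytics that surface anomalies for human review.

Added example; not part of the College's policy or tooling. It implements one
detection rule over constructed authentication log lines: at least
FAILURE_THRESHOLD failed logons from a single source address within WINDOW are
surfaced as an anomaly, annotated with whether a successful logon from that
source followed. The log line format, host names and addresses are constructed
for this example; a real SIEM feed would need its own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

FAILURE_THRESHOLD = 5           # failures from one source that trigger review
WINDOW = timedelta(minutes=10)  # ...within this span of time


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines the rule ignores."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def surface_anomalies(lines):
    """Group events by source address and return one review item per source
    that exceeds the failure threshold inside the window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    items = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(failures):
            # all failures within WINDOW of this one (list is time-ordered)
            run = [e for e in failures[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(run) < FAILURE_THRESHOLD:
                continue
            last_fail = run[-1]["ts"]
            items.append({
                "src": src,
                "failures": len(run),
                "users": sorted({e["user"] for e in run}),
                "first": first["ts"].isoformat(),
                "last": last_fail.isoformat(),
                # a success after the burst raises the priority of the review
                "followed_by_success": any(
                    e["result"] == "SUCCESS" and e["ts"] > last_fail for e in evs
                ),
            })
            break  # one review item per source is enough for the analyst queue
    return items


# Constructed sample log lines (not real College data).
SAMPLE_LOG = [
    "2024-05-01T08:00:00 host=sso-01 user=alice src=10.0.0.5 result=FAIL",
    "2024-05-01T08:00:20 host=sso-01 user=alice src=10.0.0.5 result=SUCCESS",
    "2024-05-01T08:05:00 host=sso-01 user=bob src=198.51.100.7 result=FAIL",
    "2024-05-01T08:05:10 host=sso-01 user=bob src=198.51.100.7 result=FAIL",
    "2024-05-01T08:05:20 host=sso-01 user=carol src=198.51.100.7 result=FAIL",
    "2024-05-01T08:05:30 host=sso-01 user=carol src=198.51.100.7 result=FAIL",
    "2024-05-01T08:05:40 host=sso-01 user=dave src=198.51.100.7 result=FAIL",
    "2024-05-01T08:05:50 host=sso-01 user=dave src=198.51.100.7 result=FAIL",
    "2024-05-01T08:06:00 host=sso-01 user=dave src=198.51.100.7 result=SUCCESS",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for item in surface_anomalies(SAMPLE_LOG):
        print(f"REVIEW src={item['src']} failures={item['failures']} "
              f"users={item['users']} success_after={item['followed_by_success']}")
```

The single normal failure from 10.0.0.5 never reaches the threshold, so only the 198.51.100.7 burst is queued; the `followed_by_success` flag is what separates "noisy but harmless" from "needs a response now" when the analyst works the queue.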
5.5 Network Segmentation and Limited Access Policy: As soon as feasible under the phased approach of the Plan, the College network shall be segmented, and Access Control Lists (or an equivalent solution) employed to limit network traffic to proper work, study, and research activities. Network management traffic shall be limited to its own virtual local area network (VLAN), as shall network security functions, such as firewalls, intrusion detection and/or prevention systems (IDS/IPS), log management, and Identity Access & Management (IAM) solutions. Personally-owned or “BYOD” computing devices that lack ITS-managed security controls shall be placed in dedicated VLANs for those devices and have limited access to internal resources. Servers shall also be placed in their own dedicated VLAN and traffic to and from servers shall be inspected to ensure the authorization and appropriateness of connections and activities.
5.6 Identity Access & Management Policy: As soon as feasible under the phased approach of the Plan, the College shall implement a Privilege and Identity Management (PIM) or Identity Access & Management (IAM) solution to provide a more streamlined and reliable central identity and authentication system, establish procedures for verifying the identity and eligibility of individuals seeking to access and use College IT resources, to assign permissions to e-resources based on roles defined in administrative and/or HR systems (also known as Role-Based Access Controls or RBAC), increase the speed of provisioning accounts, improve deprovisioning processes and controls, and to gain additional auditing capabilities to facilitate data compliance management.
5.7 Penetration Testing Policy: The College shall perform penetration testing annually to maintain compliance with regulatory acts and identify weaknesses in the institution’s security posture. Discoveries of vulnerabilities shall be evaluated and remediated through the development of more effective security controls as determined by the CIO.
5.8 Vulnerability Management Policy: The College shall employ vulnerability assessment and management tools to discover and address vulnerabilities present in College e-resources.
5.8.1 Remediation Schedule: Vulnerabilities shall be addressed by severity and deployed as follows:
  • High Severity: within 30 days
  • Moderate Severity: within 60 days
  • Low Severity: within 90 days
5.8.2 Responsibility for Remediation: Product Owners are responsible for reviewing reports from deployed vulnerability assessment tools on a weekly basis and applying patches or updates to remediate identified vulnerabilities on their systems and/or applications as described in the Remediation Schedule.
5.8.3 Compensating Controls: When vendors do not promptly issue a patch, or an issued patch is problematic for technical or administrative reasons, the ISM may determine that compensating or mitigating controls may be an acceptable alternative. Such controls shall be implemented on the same Remediation Schedule. If a Product Owner independently develops a compensating control, it must be approved by the ISM or the CIO.
5.8.4 Patch Audits: Product owners must have a written and auditable procedure addressing remediation steps.
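Sections 5.8.1 and 5.8.2 together define a weekly check: every open finding has a deadline fixed by its severity, and the Product Owner must know which ones have passed it. The following is an added example of that check, written for this page and not part of the College's policy or tooling. The `Finding` record layout, the host names and the sample findings are constructed; a real scanner export would need its own parser, but the deadline arithmetic (High 30, Moderate 60, Low 90 days from discovery) is taken directly from the schedule above.

```python
"""Remediation-schedule compliance check for vulnerability findings.

Added example; not part of the College's policy or tooling. It applies the
severity-based deadlines of section 5.8.1 (High 30, Moderate 60, Low 90 days
from discovery) to a list of findings and reports the open ones that are past
their deadline, which is the weekly review section 5.8.2 asks Product Owners
to perform. The Finding layout, host names and sample findings are constructed;
a real scanner export would need its own parser.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Section 5.8.1 schedule: calendar days allowed from discovery to remediation.
REMEDIATION_DAYS = {"high": 30, "moderate": 60, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str                          # asset name from the scanner export
    check: str                         # scanner's check or plugin name
    severity: str                      # "high", "moderate" or "low"
    discovered: date                   # first-seen date
    remediated: Optional[date] = None  # None while the finding is still open


def due_date(finding: Finding) -> date:
    """Date by which the finding must be remediated under section 5.8.1."""
    return finding.discovered + timedelta(days=REMEDIATION_DAYS[finding.severity.lower()])


def is_overdue(finding: Finding, today: date) -> bool:
    """Open findings past their due date are overdue; closed findings never are."""
    return finding.remediated is None and today > due_date(finding)


def overdue_report(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """(host, check, days_overdue) for each open, overdue finding, worst first."""
    rows = [
        (f.host, f.check, (today - due_date(f)).days)
        for f in findings
        if is_overdue(f, today)
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample findings, as they might appear in a weekly scanner report.
SAMPLE_FINDINGS = [
    Finding("web-01.example.internal", "Outdated TLS library", "high", date(2024, 3, 1)),
    Finding("db-02.example.internal", "Weak cipher suite enabled", "moderate", date(2024, 3, 1)),
    Finding("lab-07.example.internal", "Service banner disclosure", "low", date(2024, 3, 1)),
    Finding("web-01.example.internal", "Missing security headers", "high", date(2024, 3, 1),
            remediated=date(2024, 3, 20)),
]
REPORT_DATE = date(2024, 5, 15)  # the "today" used for the sample report

if __name__ == "__main__":
    for host, check, late in overdue_report(SAMPLE_FINDINGS, REPORT_DATE):
        print(f"{host}: '{check}' is {late} days past its 5.8.1 deadline")
```

Run against the sample on 2024-05-15, the high finding (due 2024-03-31) and the moderate finding (due 2024-04-30) are reported as 45 and 15 days late; the low finding is not due until 2024-05-30 and the remediated one is closed, so neither appears. A compensating control accepted under 5.8.3 would be recorded by setting `remediated`, since the policy puts it on the same schedule.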
5.9 Web Application Security Policy: Web application security assessments must be performed to identify potential or realized weaknesses (e.g., insecure coding, inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage) per the Vulnerability Management Policy (see section 5.8).
  • Web applications must undergo regular or out-of-band security assessments if one of the following criteria is met:
    • New or significant application releases should be subject to a Secure Software Development Life Cycle review prior to approval of the change control documentation or release into the live environment.
    • Third-party or acquired web applications (i.e., commercial applications for which source code is not available) must be scanned when installed or upgraded. The vulnerabilities must be reported to the ISM for recording in the Risk Register and to the vendor for correction.
  • Shared accounts are prohibited, except where it is not technically possible to individually provision accounts.
  • All Internet-facing web applications should be protected by appropriate technical controls (e.g., Web Application Firewall (WAF) or Intrusion Prevention System (IPS)).
  • Other security controls include but are not limited to, the following:
    • Access controls,
    • Configuration changes,
    • Authentication (MFA must be used except where it is not technically possible),
    • Data protection (e.g., encryption, data masking),
    • Error handling and logging,
    • Input and output handling, and
    • Session management.
5.10 Application Development and Secure Coding Policy: Secure development practices will be established, implemented, and documented for all applications developed or purchased to include appropriate security controls to prevent unauthorized access or modification of the system or information coded or stored. The Chief Information Officer in consultation with the Director of Enterprise Applications shall establish required controls for applications that will access, store, transmit, or manipulate protected and confidential information. These controls shall be required for all life cycle stages of development. Additionally:
  • Secure Coding guidelines from the Open Web Application Security Project (or equivalent) shall be followed.
  • Test environments shall be separate from the production environment.
  • A risk assessment will be performed prior to production for all applications that will store, access, create, and/or transmit confidential or protected information.
  • Authentication credentials for College e-resources shall not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist, and must be rotated annually. A security policy exception request is required to code authentication credentials into programs or queries if unencrypted.

6. DATA PROTECTION POLICY

The purpose of this policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access. All College data shall be classified into levels of sensitivity to provide a basis for understanding and managing it. Accurate classification provides the basis to apply an appropriate level of security to college data. These classifications of data take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth. Data may also be classified under the guise of “prudent stewardship”, where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals or to the institution. Henceforth, any data classified as either Sensitive or Restricted may be collectively referred to as “Confidential.”
6.1 Data Classification Policy:
  • Public (low level of sensitivity): Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate owner or manager must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
  • Sensitive (moderate level of sensitivity): Access to “Sensitive” data must be requested from, and authorized by, a Data Steward responsible for it. Data may be accessed by employees as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Sensitive data include purchasing data, financial transactions that do not include restricted data, information covered by non-disclosure agreements and Library transactions. By default, all non-public College data will be designated "Sensitive" at a minimum.
  • Restricted (highest level of sensitivity): Access to “Restricted” data must be controlled from creation to destruction and will be granted only to those persons affiliated with the College who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to restricted data must be requested from, and authorized by, the Data Steward responsible for the data. Restricted data includes information protected by law or regulation whose improper use or disclosure could:
    • Adversely affect the ability of the college to accomplish its mission
    • Lead to the possibility of identity theft by release of personally identifiable information of college constituents
    • Put the college into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA, and GLBA
    • Put the college into a state of non-compliance with contractual obligations such as PCI DSS
The specification of data as restricted should include reference to the legal or externally imposed constraint that requires the restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given. Examples of Restricted data include social security numbers, student registration, grades, financial aid data and bank account numbers.
6.2 Data Backup & Retention Policy: Data that is important to the operations of the College should be backed up to at least two locations to protect against loss of use. One backup should reside offsite to protect against natural disasters. Data backups should periodically be tested for validity, and at least one copy of critical data should be air-gapped and/or immutable so it cannot be modified until it has reached its expiration date. Backups of Restricted data shall use a solution that provides encryption in transit and at rest. College backups maintained by ITS shall be retained for a period of no less than 6 months.
6.3 Data Expiration Policy: PI will only be retained for as long as needed for the College’s reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores PI will annually review the data it has retained for the purpose of determining which information may be purged.
6.4 Secure Data Storage Policy:
  • Employees are not permitted to transport PI electronically on portable storage devices (e.g. USB flash drives, external hard drives, etc.) unless the transported data is encrypted;
  • PI and other confidential data must not be stored on cloud-based storage solutions that are unsupported by the College;
  • Employees must lock rooms or file cabinets where records containing PI are kept;
  • Employees must secure paper files containing PI in their work area when they are not present;
  • Mobile computing devices such as laptops, tablets, or phones which can access, process, store, or otherwise handle PI or other confidential data must be stored in a secure place when not in use or personally attended;
  • Upon separation of an employment relationship with the College, the separated individual's electronic and physical access to documents, systems, or networks containing PI must be immediately terminated. Separated employees must return to the College all records containing PI, in any form, in their possession at the time of separation. All keys, keycards, access devices, badges, company IDs, and the like, shall be surrendered at the time of separation.
6.5 Secure Transit Policy: Confidential data at the College shall always be protected in transit by adequate encryption (see section 5.3). It is a violation of policy to transmit PI and other confidential information via unencrypted methods such as plaintext email or SMS text messaging. The requirements for transmitting College data classified as Restricted, Sensitive, or Public via email or other electronic methods are listed below, by transmission method and then by data classification. The type of data dictates the method of transmission as per the Data Classification guidelines (see section 6.1).
Email
  • Restricted Data: Not permitted without express authorization or unless required by law. If authorized, data shall only be included in messages within an encrypted file attachment or via secure authorized services, and messages shall only be sent to authorized individuals with a legitimate need to know. Approved methods:
    • HyperText Transfer Protocol Secure (HTTPS)
    • Transport Layer Security (TLS 1.2+)
    • Encrypted email
    • Encrypted file
  • Sensitive Data: Messages can be sent via a secure protocol and/or process:
    • HyperText Transfer Protocol Secure (HTTPS)
    • Transport Layer Security (TLS 1.2+)
    • Encrypted email
    • Encrypted file
  • Public Data: No protection requirements.
Electronic Transmission or Forwarding (LAN, Bluetooth, Wi-Fi, etc.)
  • Restricted Data: Secure, authenticated connections or secure protocols must be used for transmission of protected data via:
    • HyperText Transfer Protocol Secure (HTTPS)
    • Secure File Transfer Protocol (SFTP) server
    • Transport Layer Security (TLS)
  • Sensitive Data: Data must be transmitted in either an encrypted file format or over a secure protocol or connection via:
    • HyperText Transfer Protocol Secure (HTTPS)
    • Secure File Transfer Protocol (SFTP) server
    • Transport Layer Security (TLS)
  • Public Data: No protection requirements.
6.6 Data Disposal Policy: All college-owned computing devices capable of data storage must be properly sanitized according to modern computing best practices for data disposal, both to protect PI and other confidential information and to ensure compliance with software licensing agreements:
  • All electronic storage media should be sanitized when it is no longer necessary for business use, provided that the sanitization does not conflict with College data retention policies.
  • All electronic storage media should be sanitized prior to sale, donation, or transfer of ownership. A transfer of ownership may include transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement.
  • All College employees are responsible for the sanitization of non-reusable electronic media before disposal. Similar to shredding paper reports, CDs and other non-rewritable media should be destroyed before disposal.
  • Deans, directors, and department heads are responsible for returning all College-owned electronic devices and computer systems in their units to ITS for proper data disposal. This responsibility may be delegated as deemed appropriate.
  • Any disposal of computer equipment and media storage devices must comply with all surplus disposal procedures as defined by ITS.
  • Paper documents containing PI or other confidential data shall be disposed of by shredding or an equivalent destructive process which guarantees the information could not be read or reconstructed.

7. MINIMUM ACCESS POLICY

Considering the escalating risks associated with ransomware attacks and other cybersecurity threats, it is imperative that all endpoint computing devices meet baseline security standards prior to connecting to the College’s network. While methods for securing computing devices may differ depending on their type and intended use, the objective is to ensure that all endpoints that connect to the College network are reasonably secured. To achieve this, computing devices must meet minimum security requirements outlined in this Minimum Access policy. Devices which will handle College data classified as sensitive will be required to meet a stricter set of requirements, while systems which will handle College data classified as restricted must meet the strictest requirements. College-owned devices which fail to meet the minimum access requirements outlined in this policy are prohibited from accessing, processing, storing, or otherwise handling confidential data, and as soon as feasible under the phased approach of the Plan, shall have access to all College systems containing confidential data limited or denied.
7.1 Exceptions: In some instances, exceptions to portions of this policy may be sought from the ISM, the CIO, or their designees. Requests for such exceptions must be submitted in writing to the ISM and the CIO, be supported by an employee’s department chair or equivalent, and await review. Exception requests must include the scope and duration of the exception, business justification, and for exceptions that are temporary, a committed remediation plan to achieve compliance. The ISM will review the request to ensure proper consideration has been given to the business needs and benefits and weighed against the security risk to the institution. Requests for policy exceptions must be submitted to and approved by the ISM or the CIO prior to implementation of the requested exception. The exception request shall be reviewed by ITS and answered in writing within ten standard business days, presuming the owner of said device promptly answers any additional queries from ITS staff about the configuration or use of that device. Any devices granted exceptions shall be moved to a logically separate portion of the network with limited access to internal e-resources, or provided only with Internet access, as deemed appropriate by the ISM, the CIO, or their designees as soon as the Plan’s phased approach shall allow.
7.1.1 Exceptions for Endpoints: Endpoint devices ultimately granted such exceptions may only handle sensitive data (see definition, section 6.1) as long as said data remains stored on College servers or cloud-hosted application platforms and not the local device. Compliance with the Policy may be assessed through the following hypothetical: if the user’s enterprise directory credentials were disabled by ITS, access to confidential College data must not remain possible. Endpoints granted exceptions to the Minimum Access policy may never access, use, store, or otherwise handle data classified as restricted.
7.1.2 Exceptions for Infrastructure: College infrastructure e-resources which provide services to endpoints (colloquially “servers”) are not bound by this policy and must instead meet different and more rigorous standards enforced internally within ITS. Additionally, devices used for research purposes may be subject to specific data protections (e.g., federal regulations, data use agreements, NDAs) that require exceeding the requirements identified within this Policy due to the sensitivity of the data associated with the device. All equipment classified as servers must be deployed, managed, maintained, and ultimately disposed of under the purview of ITS. It is a violation of this Policy to deploy a server in the College networked environment without prior approval from authorized ITS staff and meeting ITS requirements for adequately securing confidential data.
7.1.3 Exceptions for IoT Devices: An “Internet of Things” (IoT) device is defined by having an embedded operating system that does not support the installation of security agents such as antivirus and does not lend itself to frequent software updates. This can include devices such as printers, security cameras, smart speakers, smart lights, industrial controls such as HVAC sensors, smart TVs, video streaming devices, personal network attached storage devices, VOIP phones, conference room systems, and digital signage. IoT devices which cannot be securely managed by ITS through endpoint management solutions or other tools shall be placed into a logically separated portion of the College network where they shall have limited access to other internal e-resources, or may only access the Internet, as deemed appropriate by authorized ITS staff in accordance with the risks presented by the device.
7.2 Approved Operating Systems: An operating system is the software that communicates with the various pieces of hardware that make up a computer and provides a base upon which other software programs can run. All computers, tablets, and smartphones have an operating system. All College-owned computing devices shall run sanctioned, currently supported, and regularly updated operating systems. Any use of out-of-date or “legacy” operating systems that are not being actively updated to address new security concerns is prohibited without explicit authorization from the CIO. For already deployed systems that cannot be upgraded, compensating controls must be in place.
7.3 Endpoint Management: College-owned computing devices shall be managed by ITS through an IT Device Management System – also known as a Mobile Device Management (MDM) solution – to allow full asset inventory and endpoint management to occur. Enrollment in the College MDM allows ITS to obtain remote status information, ensure baseline system configuration, monitor and manage software updates, and ingest system logs for security purposes. To provide for this management, all College-owned computing devices shall be configured with an administrative account with remote access enabled with which ITS staff may manage the device. Such accounts shall be configured with unique passwords for each endpoint such that a leaked administrative password to a single endpoint does not pose a security concern beyond that endpoint.
7.4 Endpoint Protection: All college-owned computing devices running non-sandboxed operating systems (Windows, macOS, various Linux distributions) shall be equipped with ITS-provided Endpoint Protection software and other required packages to aid in security-focused technical logging, monitoring, and analysis. College-owned devices with highly sandboxed operating systems (i.e. iOS, iPadOS, ChromeOS) – which make endpoint software largely ineffective – may receive limited access to sensitive College cloud-hosted e-resources such as email, but accessing, processing, storing, or otherwise handling PI locally on these devices is forbidden, and handling sensitive data on these devices is strongly discouraged.
7.5 Required Software Updates: Software updates and security patches must be deployed to College devices as soon as practically possible through the College IT Device Management Systems (Intune, Jamf) but not longer than ninety (90) calendar days after the patch becomes available. Patches should be evaluated by ITS on dedicated test devices prior to being rolled out to campus, whenever possible. Whenever feasible, systems and applications should be configured to receive and install updates automatically. Out-of-date software or software that is no longer supported by the vendor is strongly discouraged. Critical patches which address major vulnerabilities – as determined by the ISM or the CIO – must be implemented within 30 days. If a College-owned device will use Microsoft Office, a current Microsoft-supported version of Office is required; the most up-to-date version of Office 365 provided by the College is preferred.
7.6 Lock When Idle: All College-owned computing devices must be configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes unless the device is used solely for classroom presentation (i.e., podium computers.)
7.7 Device Health Checks: All College-owned computing devices must be configured to allow ITS to obtain status information such as operating system version and patch level, fetch security-related activity logs, scan the device for potential vulnerabilities, etc. Devices which ITS deems as having failed such “health checks” shall be subject to limited or no network access, being remotely locked out, or other actions as appropriate to secure the College network environment and protect other e-resources.
7.8 Authenticate to the Enterprise Directory: All College-owned general-purpose computing devices must be configured to authenticate against the College directory so that only users with active accounts may use them. Systems not bound to the College directory (currently Azure Active Directory) should never be used to access, process, store, or otherwise handle PI or other confidential data.
7.9 Whole Disk Encryption: All College-owned computing devices which access PI or other confidential data must have their storage mechanisms (SSDs, hard drives, USB flash drives, etc.) protected with whole-disk encryption such as Bitlocker or Filevault.
7.10 Host-Based Firewall: All College-owned computing devices shall have their host-based firewall feature enabled and configured to block all inbound traffic that is not explicitly required for the intended use of the device to protect against compromised endpoints which may be introduced to the College network.
7.11 Cloud Sync Services: All College-owned computing devices are prohibited from using individual personal cloud storage accounts for syncing or backing up College data. Where cloud accounts are necessary for required functionality of an endpoint (example: Apple IDs on computers running macOS, iPads, iPhones, etc.) ITS shall provide Managed Apple IDs under the control of the College.
7.12 Compromised Devices: College-owned computing devices deemed “compromised” by threat actors, malicious software, or other threats to the College shall be disabled and removed from the College network as expediently as possible by ITS. It is the device owner’s obligation to bring any such devices being used off-campus to ITS for remediation promptly after the state of compromise is discovered.
7.13 Secure Remote Access: All College-owned mobile computing devices (e.g., laptops, tablets, and phones) which access, process, store, or otherwise handle PI or other confidential data shall be configured with an always-on Virtual Private Network (VPN) connection which shall employ an encrypted connection to the College VPN solution when off-campus. Employees are not permitted to access data classified as Sensitive at home or on their personal computers except when utilizing the College VPN. Accessing PI or other College data classified as Restricted from personal computing devices is prohibited, regardless of VPN use.
7.14 Medium-Risk Access: All College-owned computing devices which store College sensitive data or access confidential data (see definitions, section 6.1) shall meet every requirement of this policy without exceptions, and may, depending on the risk level, have additional restrictions placed on them via the College IT Device System Management tools.
7.15 High-Risk Access: All College-owned computing devices storing or serving College data classified as Restricted to other users shall be owned or managed by authorized ITS staff and shall be subject to regular configuration reviews and access auditing to ensure said data is protected and remains secured. Storing or serving data classified as Restricted on devices not owned by the College and managed by ITS is strictly prohibited.
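The Minimum Access requirements in sections 7.2 to 7.10, together with the data tiers implied by 7.1.1, 7.4, 7.14 and 7.15, expressed as a policy-as-code check over one endpoint inventory record. This is an added example written for this page, not College or ITS code; the record's field names, the sanctioned operating system list, the reference date and the sample records are assumptions constructed for illustration.

```python
# Added example, not the College's own code: check one endpoint inventory
# record against Minimum Access requirements 7.2-7.10 and derive the most
# sensitive data tier the device may handle.  Field names, the sanctioned
# OS list and the sample records below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed sanctioned, currently supported operating systems (7.2).
SUPPORTED_OS = {"Windows 11", "macOS 14", "Ubuntu 22.04",
                "iOS 17", "iPadOS 17", "ChromeOS"}
# Highly sandboxed systems where endpoint software is largely ineffective (7.4).
SANDBOXED_OS = {"iOS 17", "iPadOS 17", "ChromeOS"}
MAX_PATCH_AGE_DAYS = 90           # 7.5: any patch
MAX_CRITICAL_PATCH_AGE_DAYS = 30  # 7.5: critical patch
MAX_IDLE_LOCK_MINUTES = 15        # 7.6


@dataclass
class Endpoint:
    hostname: str
    os_name: str
    mdm_enrolled: bool                        # 7.3 managed via Intune/Jamf
    unique_admin_password: bool               # 7.3 per-endpoint admin password
    endpoint_protection: bool                 # 7.4 ITS endpoint protection installed
    oldest_pending_patch: Optional[date]      # 7.5 release date of oldest pending patch
    oldest_pending_critical: Optional[date]   # 7.5 same, for critical patches
    idle_lock_minutes: Optional[int]          # 7.6 (None = never locks)
    health_check_enabled: bool                # 7.7 ITS may query status/logs
    directory_bound: bool                     # 7.8 bound to the College directory
    disk_encrypted: bool                      # 7.9 whole-disk encryption
    inbound_default_deny: bool                # 7.10 host firewall blocks unrequested inbound
    presentation_only: bool = False           # 7.6 podium-computer exemption
    exception_approved: bool = False          # 7.1 written exception from ISM/CIO


def findings(ep: Endpoint, today: date) -> list[str]:
    """Return the Minimum Access requirements this endpoint fails (empty = compliant)."""
    out: list[str] = []
    if ep.os_name not in SUPPORTED_OS:
        out.append("7.2 operating system not sanctioned or no longer supported")
    if not ep.mdm_enrolled:
        out.append("7.3 not enrolled in the College MDM")
    if not ep.unique_admin_password:
        out.append("7.3 administrative password not unique to this endpoint")
    # Sandboxed platforms cannot run the agent, so 7.4 is not a finding for them.
    if ep.os_name not in SANDBOXED_OS and not ep.endpoint_protection:
        out.append("7.4 ITS endpoint protection software missing")
    if ep.oldest_pending_patch and (today - ep.oldest_pending_patch).days > MAX_PATCH_AGE_DAYS:
        out.append("7.5 patch pending for more than 90 days")
    if ep.oldest_pending_critical and (today - ep.oldest_pending_critical).days > MAX_CRITICAL_PATCH_AGE_DAYS:
        out.append("7.5 critical patch pending for more than 30 days")
    if not ep.presentation_only and (ep.idle_lock_minutes is None
                                     or ep.idle_lock_minutes > MAX_IDLE_LOCK_MINUTES):
        out.append("7.6 idle lock absent or longer than 15 minutes")
    if not ep.health_check_enabled:
        out.append("7.7 ITS health checks not permitted")
    if not ep.directory_bound:
        out.append("7.8 not bound to the College directory")
    if not ep.disk_encrypted:
        out.append("7.9 whole-disk encryption not enabled")
    if not ep.inbound_default_deny:
        out.append("7.10 host firewall does not block unrequested inbound traffic")
    return out


def permitted_data_tier(ep: Endpoint, today: date) -> str:
    """Map the check result to the most sensitive data the endpoint may handle.

    'confidential'         meets every requirement (7.14); Sensitive data, and
                           Restricted data while ITS-managed (7.15)
    'sensitive-cloud-only' sandboxed OS (7.4) or approved exception (7.1.1):
                           Sensitive data only, kept on College servers or cloud
                           platforms, never Restricted data
    'none'                 fails a requirement with no exception: no confidential data
    """
    if findings(ep, today):
        return "sensitive-cloud-only" if ep.exception_approved else "none"
    if ep.os_name in SANDBOXED_OS:
        return "sensitive-cloud-only"
    return "confidential"


# Constructed reference date and sample inventory records (not real devices).
TODAY = date(2024, 6, 1)
COMPLIANT_LAPTOP = Endpoint("lt-0001", "Windows 11", True, True, True,
                            date(2024, 5, 20), None, 10, True, True, True, True)
STALE_LAPTOP = Endpoint("lt-0002", "Windows 11", True, True, True,
                        date(2024, 2, 1), date(2024, 4, 15), None, True, True, False, True)
EXCEPTED_LAPTOP = Endpoint("lt-0003", "Windows 11", True, True, True,
                           date(2024, 2, 1), date(2024, 4, 15), None, True, True, False, True,
                           exception_approved=True)
TABLET = Endpoint("ipad-0004", "iPadOS 17", True, True, False,
                  None, None, 5, True, True, True, True)

if __name__ == "__main__":
    for ep in (COMPLIANT_LAPTOP, STALE_LAPTOP, EXCEPTED_LAPTOP, TABLET):
        print(ep.hostname, permitted_data_tier(ep, TODAY), findings(ep, TODAY))
```

The stale laptop fails four checks (patch age, critical patch age, no idle lock, no disk encryption) and is denied confidential data; the same record with an approved exception drops to the cloud-only Sensitive tier that 7.1.1 allows.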

8. ADMINISTRATIVE COMPUTER RIGHTS POLICY

8.1 Standard User Profile as Default: As of January 1, 2024, all computers issued, loaned, or otherwise provided to college personnel, including ITS staff, shall have the primary user profile configured as a "standard" user account. Technical provisions will be established to allow users to obtain temporary administrative rights under certain conditions to perform tasks necessary for their work, research, or study, as deemed appropriate by the CIO.

9. PHYSICAL AND ENVIRONMENTAL SECURITY POLICY

Confidential data shall be stored securely. Appropriate security controls shall be used to protect College assets from unauthorized physical access and safeguard them against reasonable environmental hazards, active and passive electronic penetration, and to prevent unauthorized physical access, damage, and interference. Regular physical and environmental risk assessments should be undertaken to identify the appropriate level of protection to be implemented to secure College ITS facilities and the information stored therein. Weaknesses identified in these assessments shall be addressed by the College within a period of one year.
9.1 Secure Facilities: Access to facilities housing network and server equipment is limited to authorized ITS personnel only. Visitors must be escorted at all times. Cleaning personnel or others on-site after normal business hours who are not authorized to access data classified as Restricted must not have access to areas where such data is stored. Periodic cleaning of such areas must take place during normal business hours when employees authorized to access Restricted data are present.
9.2 Environmental Security: Proper safeguards should be implemented to protect critical College ITS equipment and physical (paper) records containing PI and other confidential data from reasonable environmental hazards such as loss of power, fire, flood, interference, vandalism, and other threats.
9.3 Documentation and Testing: Procedures for protecting mission critical College e-resources from environmental hazards and other disruptions must be documented, updated, and tested at least annually.
9.4 Employee Training: Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.

10. CYBERSECURITY AWARENESS & TRAINING POLICY

10.1 Information Security Awareness Training: The College shall provide all faculty, staff, students, and appropriate third parties with information security awareness education, to be completed at least annually. College employees shall be adequately trained to perform their information security-related duties and responsibilities in a manner consistent with related policies, procedures, legal requirements, regulations, and agreements. To this end, the College has implemented an information security awareness program that discusses common security shortcomings that can be strengthened through individual action. The College reviews the information security awareness program annually and appropriate updates are applied based on the findings of the annual reviews. The College collaborates with Human Resources to verify annually that employees have completed their information security awareness training, are aware of their data security responsibilities and College information security policies, and obligations under the College's contract with its cybersecurity policy carrier are being met. Senior Managers and Department Heads will be alerted about any employee in their division who does not complete assigned Information Security Awareness training within assigned timeframes. New hires shall complete required training materials regarding information security and review the College Acceptable Use of Electronic Resources Policy and other such policies within their first 30 days. Supervisors will be expected to encourage compliance with this policy in a timely manner.
10.2 PI Data Handling Training: When deemed appropriate by the CIO, the College shall supplement the baseline information security awareness training with role-based training commensurate with an employee’s role(s) within the institution. The College shall also provide specific training regarding the handling of restricted and sensitive data to business units which handle this data as part of their regular duties as defined by regulatory compliance requirements.
10.3 Phishing Simulations: Phishing simulation campaigns must be conducted for all employees to increase awareness and test employee knowledge of the tactics and techniques used by malicious actors. Employees must be enrolled in supplemental phishing training following three failed phishing simulations within a given calendar year. Failure to take this supplemental training within 30 days of assignment may result in employee risk mitigation, up to and including network account suspension.
10.4 Promoting Security Awareness: The College may also foster additional broad-based information security awareness activities as the CIO deems necessary through methods such as:
  • Websites
  • Email
  • Social media
  • Posters on campus
  • In-person or online training sessions
  • Conferences or events
  • New employee or student orientations
  • Social engineering campaigns

11. INCIDENT RESPONSE POLICY

Despite explicit policies and guidelines for securing confidential electronic data, breaches and other types of cybersecurity incidents can still occur. At such times, it is important that the college respond as quickly and as professionally as possible. Computer theft or loss should be reported immediately to the ITS Service Desk by sending email to: servicedesk@lakeforest.edu or by calling ext. 5544 (847-735-5544).
11.1 Security Incident Handling: Steps that the College will take in the event of a data security incident are as follows:
  1. Determination of the incident nature and scope shall include:
    1. identification of the person reporting the incident (name, contact info, etc.)
    2. record of the location, timeframe, and apparent source of the incident
    3. preliminary identification of confidential data that may be at risk
    4. identification of whether ransomware, malware, or another type of incident has occurred
  2. Reporting of a suspected or confirmed incident shall involve:
    1. Chief Information Officer (CIO)
    2. Director of Public Safety (if physical security has been compromised)
    3. President and senior officers (depending on sensitivity and scope of data involved)
    4. Legal counsel (depending on sensitivity and scope of data involved)
    5. Law enforcement (depending on the nature/scope of incident)
    6. VP of Marketing and Communications (depending on sensitivity and scope of data involved)
    7. College's cybersecurity insurance policy carrier
  3. Investigation
    1. Identify potential ongoing exposure of data and take immediate steps to eliminate gaps
    2. Conduct preliminary forensic analysis (retain outside assistance as needed)
    3. Prepare inventory of data at risk
    4. Determine if exposed data was encrypted
    5. Identify security measures that were defeated (and by what means)
  4. Incident Assessment
    1. Identify affected individuals at risk of identity theft or other harm
    2. Assess financial, legal, regulatory, operational, reputational and other potential institutional risks to the College
  5. Incident Remediation
    1. Implement password changes and other security measures to prevent further data exposure
    2. Determine if exposed/corrupted data can be restored from backups; take appropriate steps
    3. Determine if value of exposed data can be neutralized by changing account access, ID information, or other measures
  6. Incident Notification
    1. Based on regulatory requirements (e.g., Illinois Personal Information Protection Act) and other factors, the Executive Response Team (in consultation with legal counsel as appropriate) determines whether notifications are required for:
      • Government agencies
      • Affected individuals
      • College community
      • Business partners
      • Public
      • Other
    2. If Executive Response Team determines that notifications are needed:
      • The CIO will notify the College's cybersecurity insurance policy carrier and/or their incident handling designees who will coordinate notifications to affected individuals; unless directed otherwise by law enforcement, such notifications will be made without delay.
      • The Vice President of Business and Finance and/or CIO will notify government agencies and business partners.
      • CIO and the VP of Marketing and Communications will coordinate notifications to the College community, the public, and others as necessary.
    3. Communications will address the following points (as needed):
      • Nature and scope of incident
      • General circumstances of the incident (e.g., stolen laptop, hacked database, etc.)
      • Approximate timeline (e.g., date of discovery)
      • Steps the College has taken to investigate and assess the incident
      • Involvement of law enforcement or other third parties
      • Information about any known misuse of the exposed data
      • Recommended steps for affected individuals
      • Steps that the College is taking to prevent future incidents of this nature
11.2 Incident Classification: The 91¿´Æ¬Íø method for classifying the severity of a cyber incident shall be as follows:
  • Major Incidents
    • impact the majority of our community (i.e., everyone), and
    • prevent the College from being able to conduct normal operations for more than 24 hours, and
    • may have a major impact to the reputation of the institution.
  • Significant Incidents
    • impact a significant portion of our community (i.e., teaching/learning),
    • can have a significant impact on the College’s ability to be able to conduct normal operations, and
    • may have a significant impact to the reputation of the institution.
  • Minor Incidents
    • impact a small portion of our community (i.e., a department or small group),
    • can have a minor impact on the College’s ability to be able to conduct normal operations, and
    • may have a minor impact to the reputation of the institution.
  • Isolated Incidents
    • impact a single community member,
    • have little or no impact on the College’s ability to be able to conduct normal operations, and
    • do not impact the reputation of the institution.
11.3 Incident Handling Procedures: Information Security Incidents shall be handled based on their severity as follows:
  • The response to isolated and minor information technology incidents will be managed by ITS, with notification to the CIO (and also to the ISM for any information security incident).
  • The response to significant information technology incidents will be managed by ITS, with direction from the CIO, the Executive Response Team (ERT), and the ISM. Executive Leadership Team shall be kept informed.
  • In the event of a major information technology incident, the CIO or ISM will activate the 91¿´Æ¬Íø Incident Response (IR) Team, which shall collectively be responsible (in collaboration with the ERT) for:
    • Facilitating communication,
    • Formulating and enacting a mitigation plan, and
    • The resolution of the incident.
The IR Team will have representatives from ITS, Human Resources, Student Life, Academic Affairs, the Business Office, and Public Safety. Depending on the nature of the incident, not all members may be required to be involved. Representatives from other areas may be called upon to join the IR Team, if needed.
This policy does not preclude ITS from taking prompt action to mitigate a known technology risk while a longer-term resolution is being developed. During any information security incident, ITS has the authority to access any relevant institution-owned system and to remove any system or user account from the network to protect the College and its community from damage or harm.
11.4 Disaster Recovery & Business Continuity Plans: The College shall have Disaster Recovery and Business Continuity Plans, which shall be annually reviewed and updated as deemed appropriate by the Executive Leadership Team.
11.5 Tabletop Exercises: Information Technology Services shall conduct Tabletop Exercises to test the effectiveness of incident response, disaster recovery, and business continuity plans with the College’s Incident Response team on an annual basis.

12. OPERATIONAL SAFEGUARDS AND OTHER CONCERNS

12.1 Data Inventory: 91¿´Æ¬Íø will work to develop and periodically review an inventory of all services, applications, computing devices, or other systems on which Personal Information is stored.
12.2 Annual Reporting: The CIO and/or designated appointee shall provide to the president and the board of trustees an executive report outlining the cybersecurity posture of the college, progress made in the security program, and state of compliance with applicable regulations on an annual basis.
12.3 Continual Improvements: This Policy and the associated Plan shall be subject to periodic review, evaluation, and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the CIO, who may assign specific responsibility for implementation and administration as appropriate.

APPENDIX: DEFINITIONS

Access: The ability to view, use, or change information in College e-resources.
Authorization: the function of establishing an individual’s privilege levels to access and/or handle information.
Availability: ensuring that information is ready and suitable for use.
Confidentiality: ensuring that information is not disclosed to unauthorized individuals.
Compensating control: an alternative security measure put in place to satisfy the intent of a required control that is deemed too difficult or impractical to implement as specified.
Control: A safeguard or countermeasure to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Data Owner: A member of the Executive Leadership Team, or their designee, who has policy-making and planning responsibilities for data. Data owners designate data stewards, assign data management roles for their units, and set priorities for external reporting for their academic or administrative units.
Data Steward: Data stewards are administrators with direct operational responsibility for one or more types of institutional data and have been designated by the data owner. They determine data access in the administrative unit.
E-resources: include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, physical facilities, contracted cloud-based vendors and platforms, Software as a Service (SaaS) and other X as a Service providers, and any related materials and service.
Encryption: the use of an algorithm to transform data into a form where the content is masked and can only be viewed by those having a key or other confidential means to reveal the data.
End User (or “User”): The person that a software program or hardware device is designed for and who uses the software or hardware after it has been fully developed, marketed, and installed. End Users include students, faculty, staff, contractors, consultants, and temporary employees.
Endpoint: A computer or other device, whether or not owned by the College, used to access College data. The term can refer to desktop or laptop computers, servers, tablets, smartphones, thin clients, printers, or other specialized hardware such as Point of Sale terminals and smart meters. This list is non-exhaustive.
Enterprise Directory Services: Information about centrally created accounts and identities is stored in a central directory run by Information Technology Services. The most common implementations of the directory service are Active Directory (AD) and the Lightweight Directory Access Protocol (LDAP). College-owned IT systems should use enterprise directory services whenever possible and avoid creating local accounts and authorizations.
Inherent Risk: the level of risk before controls are applied.
Integrity: ensuring the accuracy, completeness, and consistency of information.
Information Security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. The focus is on the confidentiality, integrity, and availability of data.
ITS: The College’s Information Technology Services division, which manages computing hardware and software, networks, servers, licensed third party software, services, and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored therein.
Intrusion detection: process of monitoring computer system or networks for unusual events and analyzing them to determine if an incident has occurred.
Intrusion prevention: process of performing intrusion detection and attempting to stop detected possible incidents.
Least Privilege: user access is limited to resources needed to perform work for the college.
Legacy System: Any outdated computing system, hardware or software that is still in use. Legacy systems include computer hardware, software applications, file formats and programming languages.
NIST-approved encryption: The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption which meets NIST-approved standards is suitable for use to protect College data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
Patch: a software update consisting of code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited to, the following:
  • Upgrading software
  • Fixing a software bug
  • Installing new drivers
  • Addressing new security vulnerabilities
  • Addressing software stability issues
Product Owner: The individual with primary responsibility for overseeing the collection, storage, use, and security of a particular ITS system, service, or application.
Risk: A probability or threat of damage, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
Risk Assessment: the process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.
Risk Management: the ongoing management process of assessing risks and implementing plans to address them.
Security Incident: An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with ITS operations; or violation of information security policy.
Service Accounts: A service account is used when it is necessary for systems or applications to authenticate to other systems or applications without any association to a person. These accounts should be created sparingly, and documentation of the purpose for each should be kept. Their use must be periodically reviewed. Further, the password requirements for service accounts must be no less stringent than those for user accounts. Finally, service accounts may not be used by people to authenticate, aside from initial testing. Service accounts with elevated privileges must be closely monitored for abuse.
Standalone: a computer that is not connected to a network. A standalone device may also be referred to as “air-gapped.”
Threat: An event or condition that has the potential for causing the loss of confidentiality, integrity, or availability of 91¿´Æ¬Íø ITS e-resources or data.
Unauthorized Access or Access in Excess of Authorization: viewing, modifying, or destroying information without proper authorization/approval and/or legitimate business need.
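The Service Accounts definition above sets two conditions that can be checked from logon telemetry: people may not authenticate with a service account (outside initial testing), and privileged service accounts must be monitored for abuse. The following Python script is an added example, not part of this Policy or of any College tooling. It runs both checks over a few constructed Windows Security event 4624 (successful logon) records: it flags service accounts seen with an interactive, unlock, remote-interactive, or cached-interactive logon type, and flags privileged service accounts logging on from a host other than the ones recorded in their documentation. The "svc-" naming convention, the per-account host list, and the log lines themselves are assumptions made for the example.

```python
"""Detect human use and off-host use of service accounts in 4624 logon events.

Added example; not the College's code. The naming convention, host list and
sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: service accounts follow an "svc-" naming convention.
SERVICE_PREFIX = "svc-"

# Logon types from Windows Security event 4624 that imply a person at a keyboard
# or an RDP session. A service account should only appear with Network (3),
# Batch (4) or Service (5) logons.
INTERACTIVE_TYPES = {
    2: "Interactive",
    7: "Unlock",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Assumption: the documented purpose of each privileged service account lists
# the hosts it is expected to authenticate from.
ALLOWED_HOSTS = {
    "svc-backup": {"BKP01"},
    "svc-sql": {"SQL01", "SQL02"},
}

# Constructed sample records in a simplified key=value form (not real log data).
SAMPLE_LOG = """\
EventID=4624 Account=svc-backup LogonType=5 Workstation=BKP01 SourceIP=10.0.5.11
EventID=4624 Account=svc-backup LogonType=10 Workstation=ADMIN-PC SourceIP=10.0.9.42
EventID=4624 Account=svc-sql LogonType=3 Workstation=SQL03 SourceIP=10.0.5.33
EventID=4624 Account=jdoe LogonType=2 Workstation=LAB-07 SourceIP=10.0.7.7
EventID=4624 Account=svc-sql LogonType=4 Workstation=SQL01 SourceIP=10.0.5.20
EventID=4625 Account=svc-backup LogonType=2 Workstation=LAB-07 SourceIP=10.0.7.7
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    account: str
    workstation: str
    logon_type: int
    reason: str


def is_service_account(name: str) -> bool:
    """Apply the assumed naming convention, case-insensitively."""
    return name.lower().startswith(SERVICE_PREFIX)


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict; LogonType becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    if "LogonType" in fields:
        fields["LogonType"] = int(fields["LogonType"])
    return fields


def detect(log_text: str) -> list[Finding]:
    """Return one Finding per policy condition violated by a 4624 record."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":  # successful logons only; 4625 is a failure
            continue
        acct, host, lt = ev["Account"], ev["Workstation"], ev["LogonType"]
        if not is_service_account(acct):
            continue
        # Condition 1: a person is using the service account.
        if lt in INTERACTIVE_TYPES:
            findings.append(Finding(
                acct, host, lt,
                f"{INTERACTIVE_TYPES[lt]} logon (type {lt}) by a service account"))
        # Condition 2: a privileged service account is used from an undocumented host.
        allowed = ALLOWED_HOSTS.get(acct)
        if allowed is not None and host not in allowed:
            findings.append(Finding(
                acct, host, lt,
                f"logon from {host}, not among documented hosts {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.account:12} {f.workstation:10} type={f.logon_type:<3} {f.reason}")
```

Against the sample, the script reports three findings: the RemoteInteractive logon of svc-backup from ADMIN-PC (which also fails the host check), and the network logon of svc-sql from the undocumented host SQL03. The failed logon (event 4625) is deliberately ignored here; a production rule would usually alert on interactive failures for service accounts as well, since they often precede a successful one.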

RELATED POLICIES:

Document Control:

Entry  Date        Version  Notes
1      2014        1.0      Original policy, approved by LITS Advisory Committee
2      11/28/2023  2.0      Rewritten, submitted for review
3      12/07/2023  2.0      Reviewed and approved by LITS Advisory Committee
4      01/11/2024  2.0      Reviewed and approved by the Senior Leadership Team