Information Security Plan

Approved by: George Pimentel

Original Date Effective: 2019-09-03

Last Modified: 2021-02-09

PURPOSE

The purpose of this plan is to ensure the confidentiality, integrity, and availability of data resources.

Internal controls provide a system of checks and balances intended to identify irregularities, prevent waste, fraud and abuse from occurring, and assist in resolving discrepancies that are accidentally introduced in the operations of the business. When consistently applied throughout the College, these policies and procedures assure that the information assets are protected from a range of threats in order to ensure business continuity.

This plan reflects Jackson State Community College’s (JSCC) commitment to stewardship of sensitive personal information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of College constituents, safeguarding vital business information, and fulfilling legal obligations. This plan will be reviewed and updated at least once a year or when the environment changes

This plan applies to the entire Jackson State community, including students, faculty, staff, alumni, temporary workers, contractors, volunteers and guest who have access to JSCC information assets. Such assets include but are not limited to data, images, text, and software whether stored on hardware, paper or other storage media.

COMMITTEE MEMBERS

The duties/role of the security officer at JSCC is the following:

Chairperson of the Information Protection Committee
Makes sure security training is complete each year
Make sure penetration test is ran yearly and follow-up work completed
Make sure policies are reviewed yearly
Work with OIT on security needs that arise

The Information Protection Committee (IPC) is responsible for oversight of the Information Security Plan, which incorporates the needs of the Gramm-Leach Bliley Act. Each member of the committee has a stake in securing the institution’s information assets and sensitive data. This committee is responsible for creating and updating the information security program and any policies or guidelines relating to securing information.

The committee consists of the positions below:

Financial & Administrative Analyst (Chair)

Internal Auditor (non-voting member)

Director, Information Technology

Director, Business Services

Director, Curriculum and Adjunct Services

Director, Financial Aid

Director, Records & Admissions

System Analysts, Information Technology

Manager, Business Services

Technology Services Coordinator, Information Technology

Vice President, Student Affairs

ERP Manager/DBA, Information Technology

Director, Human Resources

DEFINITIONS

Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements.

Availability- “Ensuring timely and reliable access to and use of information…”

A loss of availability is the disruption of access to or use of information or an information system.

Confidentiality- “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”

A loss of confidentiality is the unauthorized disclosure of information.

Confidential Data or PII – Generalized term that typically represents data classified as confidential, according to the data classification scheme defined in this document. This term is often used interchangeably with sensitive data.

Control Activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out.

Encryption- Process of converting information so that it is humanly unreadable except by someone who knows how to decrypt it.

Information Assets- Equipment or definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the College.

Information Security Program – Security Plan as dictated by the Gramm-Leach Bliley Act.

Institutional Data – All data owned or licensed by the College.

Integrity-“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”

A loss of integrity is the unauthorized modification or destruction of information.

IPS (Intrusion Prevention System) - A device (or application) that identifies malicious activity, logs information about said activity, attempts to block/stop activity, and reports activity.

Mobile Device – Includes any portable device capable of collecting, storing, transmitting, or processing electronic data or images.

Non-public information – Any information that is classified as Internal/Private Information according to the data classification scheme define in the Data Classification and Handling Policy.

Security Incident – Any occurrence that involves the security of Information Assets or Institutional Data.

Sensitive Data – Generalized term that typically represents data classified as Confidential according to the data classification scheme defined in the Data Classification and Handling Policy.

VPN (Virtual Private Network) - A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to the College’s network. VPN’s use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

COLLEGE POLICY STATEMENT

This policy defines expectations and processes that are necessary for an effective and comprehensive information security plan that protects institutional information assets and sensitive data.

Each department will protect College resources by adopting and implementing, at a minimum, these security standards and procedures. Departments are encouraged to adopt standards that exceed the minimum requirements for the protection of College resources that are controlled exclusively within the Department.

Individuals within the scope of this policy are responsible for complying with this policy and the Department’s policy, if one exists, to ensure the security of College’s resources.

ENFORCEMENT

All individuals accessing Institutional data are required to comply with federal and state laws, College and TBR policies and procedures regarding security of highly sensitive data. Any College employee, student or non-college individual with access to College data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this plan and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

INFORMATION SECURITY PROGRAM

Through this document and associated policies, Jackson State Community College has established, documented, and implemented a plan designed to result in improving the effectiveness of Information Technology operations. This program has been implemented to ensure the confidentiality and integrity of College information while maintaining appropriate levels of accessibility.

In order to ensure the security and confidentiality of sensitive information and to protect against any anticipated threats or hazards to the security or integrity of data, the College has put in place all reasonable technological means, (i.e., security software, hardware) to keep information and facilities secure.

CONTROL ACTIVITIES

Control activities are the policies, procedures, techniques, and mechanisms that help ensure management's response to reduce risks. In other words, control activities are actions taken to minimize risk. Control activities occur throughout the College, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

CONTROL ENVIRONMENT

The control environment, as established by the College’s administration, sets the tone of the College and influences the control consciousness of its people. Leaders of each department, area, or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure.

Managers and employees are to have personal and professional integrity to maintain a level of competence that allows them to accomplish their assigned duties, and understand the importance of developing and implementing good internal controls.

This requires managers and their staff to maintain and demonstrate at all times:

Personal and professional integrity and ethical values
A level of skill necessary to help ensure effective performance
An understanding of information security and internal controls sufficient to effectively complete their responsibilities

Managers and supervisors are also responsible for ensuring their employees are aware of the relevance and importance of their activities and how they contribute to the achievement of the control environment.

ESTABLISHED POLICY CONTROLS

The Institutional computing resources support the educational, instructional, and administrative activities of the College and the use of these resources is a privilege that is extended to members of the College community. Any employee using the College network for any reason must adhere to the following strict policies regarding its use.

IT Acceptable Use Policy

Email Acceptable Use Policy

Personally Identifiable Data (PII) Policy

Access Control Policy

Information Technology Resource Policy

Data Classification and Handling Policy

Mobile Device Policy

Wireless Network Policy

Downtime Policy

Enterprise Information System Updates Policy

Credit Card Security Policy

Technology Purchases Policy

Employees are entrusted with the safety and security of the College’s information assets.

Any person or organization within the College’s community who uses or provides information resources has a responsibility to maintain and safeguard these assets. Each individual student, staff, and faculty member at Jackson State Community College is expected to use these shared resources with consideration for others.

Individuals are also expected to be informed and be responsible for protecting their own information resources in any environment, shared or stand alone. It is unacceptable for anyone to use information resources to violate any law or College policy or perform unethical academic or business acts.

TRAINING

The Institution recognizes that one of the most serious threats to the security, confidentiality, and integrity of information is through errors made on the part of employees not familiar with proper procedures for handling such information. Yearly training will be offered in a live, online, or recorded format with content designed for end users to understand data information security at all levels.

INFORMATION CLASSIFICATION

Information classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control. The Data Classification and Handling Policy establishes a baseline derived from federal laws, state laws, regulations, and College policies that govern the privacy and confidentiality of data.

The Data Classification and Handling Policy applies to all data (e.g., student, financial, academic, and employee data collected in electronic or hard copy form that is generated, maintained, and entrusted to the Institution except where a different standard is required by grant, contract, or law.

All institutional data must be classified into one of three sensitivity levels, or classifications that the College has identified, which are referred to as Confidential, Internal/Private, and Public. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive and correspondingly tighter controls are required for these values.

All College data is to be reviewed on a periodic basis and classified according to its use, sensitivity and importance to the College and in compliance with federal and/or state laws.

TIER 1: CONFIDENTIAL

Confidential information is information whose unauthorized disclosure, compromise or destruction would result in severe damage to the College, its students, or employees (e.g., social security numbers, dates of birth, medical records, credit card, official student grades, financial aid data or bank account information). Tier 1 data is intended solely for use within the College and is limited to those with a “business need-to-know”.

TIER 2: INTERNAL/ PRIVATE

Internal use information must be guarded due to proprietary, ethical or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss, damage to Jackson State’s reputation, or violate an individual’s privacy rights (e.g., unofficial student records, employment history, and alumni biographical information). Internal use information is information intended for use by College employees, contractors, and vendors covered by a non-disclosure agreement.

TIER 3: PUBLIC

This is information that is not publicly disseminated, but assessable to the general public. These data values are either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on and off campus (e.g., an employee’s work email addresses or student directory information), or not specifically classified elsewhere in the protected data classification standard. Knowledge of this information does not expose Jackson State to financial or reputational loss, or jeopardize the security of College assets. Publicly available data may be subject to appropriate review or disclosure procedures to mitigate potential risks of inappropriate disclosure data in order to organize it according to its risk of loss or harm from disclosure.

IDENTITY & ACCESS MANAGEMENT

Identity and access management ensures accurate identification of authorized College community members and provides secure authenticated access to and use of network-based services. Identity and access management is based on a set of principles and control objectives to:

Ensure unique identification of members of the College community and assignment of access privileges
Allow access to information resources only by authorized individuals
Ensure periodic review of membership in the community and review of their authorized access rights
Maintain effective access mechanisms through evolving technologies

Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements. The objective is to prevent unauthorized disclosure of Jackson State’s information assets. College access control measures include secure and accountable means of identification, authentication, and authorization.

IDENTIFICATION

Identification is the process of uniquely naming or assigning an identifier to every individual or system to enable decisions about the levels of access that should be given. The key feature of an identity process is that each user of the College community, and any other entity about which access decisions need to be made, is uniquely identifiable from all other users.

AUTHENTICATION

The authentication process determines whether someone or something is, in fact, who or what it is declared to be. Authentication validates the identity of the person. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Jackson State’s entire network. Adhering to secure password procedures will help reduce the compromise of user accounts on the College’s systems. As such, all users (including students, faculty, staff, guests, contractors and vendors) are responsible for selecting and securing their passwords.

AUTHORIZATION

Authorization is the process used to grant permissions to authenticated users. Authorization grants the user, through technology or process, the right to use the information assets and determines what type of access is allowed (read-only, create, delete, and/or modify).

Criteria must be established by the Data Owner for account eligibility, creation, maintenance, and expiration.
Data Owners must periodically review user privileges and modify, remove, or inactivate accounts when access is no longer required.
Procedures must be documented for the timely revocation of access privileges and return of institutionally owned materials (e.g., keys) for terminated employees and contractors.

REMOTE ACCESS

Remote access to information technology resources (switches, routers, computers, etc.) and to sensitive or confidential information (social security numbers, credit card numbers, bank account numbers, etc.) are only permitted through secure, authenticated and centrally-managed access methods. Systems that contain sensitive student, personnel and financial data will have limited availability for off campus access. If access is permitted then the user must access through a centrally managed VPN that provides encryption and secure authentication. Laptops owned by the institution will be encrypted before they are given to the user.

It should also be understood that when accessing sensitive data from off campus, it is prohibited to store cardholder or other sensitive data onto local hard drives, floppy disks, or other portable media (including laptops, smartphones, iPads, flash drives, etc).

External computers that are used to administer College resources or access sensitive information must be secured. This includes patching (operating systems and applications), possessing updated anti-virus software l and being configured in accordance with all relevant College policies and procedures.

COMMUNICATION AND OPERATIONS MANAGEMENT

System communications protection refers to the key elements used to ensure data and systems are available, and exhibit the confidentiality and integrity expected by owners and users to conduct their business. The appropriate level of security applied to the information and systems is based on the classification and criticality of the information and the business processes that use it. The System's integrity controls must protect data against improper alteration or destruction during storage, during processing, and during transmission over electronic communication networks.

The key elements of system and communications protection are backup protection, denial of service protection, boundary protection, use of validated cryptography (encryption), public access protection, and protection from malicious code.

Operations management refers to implementing appropriate controls and protections on hardware, software, and resources; maintaining appropriate auditing and monitoring; and evaluating system threats and vulnerabilities.

Proper operations management safeguards all of the College’s computing resources from loss or compromise, including main storage, storage media (e.g., tape, disk, etc.), communications software and hardware, processing equipment, standalone computers, and printers.

NETWORK SECURITY

Network attacks launched from the Internet or from College networks can cause significant damage and harm to information resources including the unauthorized disclosure of confidential information. In order to provide defensive measures against these attacks, firewall and network filtering technology must be used in a structured and consistent manner.

Jackson State maintains appropriate configuration standards and network security controls to safeguard information resources from internal and external network mediated threats. Firewalls and Intrusion Prevention Systems (IPS) are deployed at the campus to prevent denial of service attacks, malicious code, or other traffic that threatens systems within the network.

All campus desktop computers are configured with antivirus protection to protect against malicious virus attacks.

SECURITY MONITORING

Security Monitoring provides a means by which to confirm that information resource security controls are in place, are effective and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. Early detection and monitoring can prevent possible attacks or minimize their impact on computer systems.

Any equipment attached to Jackson State’s network is subject to security vulnerability scans. The goal of the scans is to reduce the vulnerability of College computers and the network to hacking, denial of service, infection, and other security risks from both inside and outside the College. Information Technology scans College servers using a mixture of commercial and open source software to monitor and assess the security of the network.

Information Technology also coordinates the vulnerability scans for departments that are required to use this service to meet the Payment Card Industry Data Security Standards (PCI DSS) for credit card processing. Suitably strong encryption measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage.

TRANSMISSION

In order to protect the confidentiality and integrity of the College sensitive data; any data classified as Level 1, Confidential data, and having a required need for confidentiality and/or integrity, shall only be transmitted via encrypted communication to ensure that it does not traverse the network in clear text. It is further recommended that data classified as Level 2, Internal/Private, be transmitted via encrypted communications when possible.

STORAGE

Encryption of information in storage presents risks to the availability of that information, due to the possibility of encryption key loss. All portable devices, such as laptops, flash drives (USB drives), and external drives must be encrypted for use in order to protect the confidentiality and integrity of the College’s data. It is recommended that individuals who have access to Tier 1, Confidential, data should never download data that would reside on their personal computer or flash drive but instead use a network shared drive.

DISPOSAL

All records should be disposed of according the TBR Guideline G-070 Disposal of Records - RDA 2161. When data is stored on computer resources, at the time of disposal all the devices such as hard drives, tape, etc. should be wiped so that data cannot be recovered from the device.

MOBILE DEVICES

Mobile devices both personal and JSCC owned that connect to the Institutional network and have potential access to Institutional data must abide by the JSCC Mobile Device Policy.

HARD COPY PII DATA

Never leave sensitive PII data in hard copy unattended and unsecured.

Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know. Sensitive PII data may be stored in a space where access control measures are employed to prevent unauthorized access by members of the public or other persons without a need to know (e.g., a locked room or floor, or other space where access is controlled by a guard, cipher lock, or card reader), such measures is not a substitute for physically securing Sensitive PII in a locked container when not in use.

Sensitive data should not be sent by fax machine unless absolutely necessary. If possible, scan and encrypt the document(s) and then email. If the information must be sent by fax, do not send sensitive data to a fax machine without contacting the recipient to arrange for its receipt.

EMAILING PII DATA

Email Sensitive PII data only within an encrypted attachment with the password provided separately (e.g., by phone, another email, or in person).

Email encryption should be used if sensitive PII data is within the body of the email.