ADMINISTRATIVE POLICY TYPE: ADMINISTRATION
POLICY TITLE: College Information Security Charter
The college’s information resources support and advance the goals of the organization and community. Risk to information assets and systems must be managed to protect their value and the goodwill of the greater college community. Through implementation of an information security program as guided by this charter, the college strives to ensure that the confidentiality, integrity and availability of information entrusted to us by our employees, students and partners are safeguarded. To accomplish this we agree to pursue these control objectives according to the roles and responsibilities delegated in this document.
POLICY
I. Information Security Control Objectives
The college uses the following control objectives to guide the information security program and activities of its employees:
A. Information Classification and Risk Management
In order to properly and cost-effectively protect information and to determine the appropriate means and levels of protection, the college will take such measures as necessary to identify information, its value to the organization, and risks related to its management.
B. Accountability and Awareness
The use of information assets and systems is a privilege provided by the college. When staff and students are provided access to college information resources, the use may be explicitly or implicitly limited, and users will be held accountable for their actions. The college will conduct such activities as necessary to ensure all staff and students are aware of their information security responsibilities and the standards of acceptable use.
C. System Access Management
The college will implement access approval and documentation procedures in order to ensure that information users such as employees, students, partners and vendors have logical and physical access appropriate to their business purpose.
D. Vulnerability Management
The college will protect its information systems from technical vulnerabilities by performing assessments of all new technologies before their release into the production computing environment. Technical configuration standards for commonly used technologies will be developed according to industry best practices. Once systems are in production, emerging vulnerabilities will be guarded against through appropriate monitoring and maintenance practices.
E. Change Management
To ensure that security risks associated with ongoing operations are identified and managed appropriately, the college will work to ensure that all information system changes are documented, assessed for risk, and receive appropriate approval from college management.
F. Incident Management
The college will identify all events that expose information to security risk, and report these incidents to the appropriate college authorities. These events will also be communicated to employees, students and the community as appropriate.
II. Roles and Responsibilities
Information security is the fundamental responsibility of college management and shared by all those who use college information and systems. Specific responsibilities are as follows:
A. All Users of College Information Assets/Systems
- Read, understand and comply with the college’s policy, Computers and Electronic Media, Acceptable Use of, and support adherence to it.
- Comply with all applicable information security policies, standards and procedures to ensure that college information systems and assets related to their business areas are protected.
- Report suspected violations of any information security policy.
B. College Management
- Identify information assets for which they have primary responsibility and classify information assets in accordance with the college’s policy, Information Classification and Risk Management.
- Designate data owners.
- Ensure that all individuals under their management authority, including contractors and students, are aware of and understand their information security responsibilities.
- Determine and authorize the appropriate level of access required by all individuals under their management.
C. Information Technology Management
- Establish such policy, procedures, and technology standards within the Information Technology Department as are needed to support the control objectives set forth in this charter, in alignment with industry best practices.
- Operate information systems in compliance with the information security program documents.
- Represent the requirements and interests of information security within the college’s governance structure.
- Provide guidance and oversight for the college as is necessary to implement and comply with all information security measures.
- Review and audit information security activities for improvement and to address emerging risks.
- Respond to security incidents and communicate with the greater college community about them.
- Conduct ongoing security awareness programs.
III. Disciplinary Action
Exceptions to college information security policies require prior authorization from the Executive Team. Any violations of these policies may result in disciplinary action.
Administrative Policy I.D
Administrative Policy I.D.2