Purpose

The purpose of this policy is to protect the College’s information resources from accidental or intentional unauthorized access, modification, or damage, while also preserving the open information-sharing requirements of its academic culture. It prescribes comprehensive security controls that include administrative, technical, and physical safeguards that are required by regulatory obligations, insurance requirements, or best practice.

Policy

Designated Qualified Individual

The Information Security Officer is responsible for overseeing, implementing, and enforcing the College’s information security program.

Assessment

The information security program will be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the confidentiality, integrity, and availability of institutional data and systems and assesses the adequacy of the security controls in place to safeguard these systems and data.

Risk assessments will be performed regularly to evaluate the sufficiency of elements of the information security program to meet the current and foreseeable threats to institutional data and systems.

Policies

The information security program will include policies appropriate to the size and complexity, the nature and scope of College activities, and the sensitivity of the data and systems in scope. These will include, at a minimum:

Security Controls

The information security program will include platforms, processes, and procedures appropriate to the size and complexity, the nature and scope of College activities, and the sensitivity of the data and systems in scope. These elements will include, at a minimum:

Periodic Re-evaluation and Adjustment

The Information Security Officer will re-assess and adapt the information security program based on the findings from testing, monitoring, and assessment activities; significant changes to operations or business arrangements; security incidents; changes in the threat environment; or any other circumstances that might reasonably have a significant influence on the risk posture of College data or systems.

Reporting

The Information Security Officer will provide regular reports, either in person or in writing, to the audit committee of the board of trustees or an equivalent governing body. These reports, which will be delivered at least annually, will cover the overall status of the information security program, compliance with applicable regulations, and existing risks. They will also cover assessments, outcomes, and concerns pertaining to service providers; security incidents and the responses to them; and recommendations for enhancing the information security program.

Revision History

Date of change: June 21, 2023
Responsible: J. Scannell and K. George
Summary of change: Moved policy from draft to released status

References

Code of Federal Regulations, Title 16, Part 314, Standards for Safeguarding Customer Information

Issuing Authority

CIO/CTO


Code of Federal Regulations, Title 16, Part 314, Standards for Safeguarding Customer Information, Section 4, Paragraph (a)
16 CFR 314.4(b)
16 CFR 314.4(c)(2)
16 CFR 314.4(c)(4)
16 CFR 314.4(c)(6)(ii)
16 CFR 314.4(c)(7)
16 CFR 314.4(f)
16 CFR 314.4(h)
16 CFR 314.4(c)
16 CFR 314.3(a)
16 CFR 314.4(c)(1)
16 CFR 314.4(c)(3)
16 CFR 314.4(c)(5)
16 CFR 314.4(c)(6)(i)
16 CFR 314.4(c)(8)
16 CFR 314.4(d)(1)
16 CFR 314.4(d)(2)(i)
16 CFR 314.4(d)(2)(ii)
16 CFR 314.4(e)
16 CFR 314.4(e)(1)
16 CFR 314.4(e)(2)
16 CFR 314.4(e)(3)
16 CFR 314.4(e)(4)
16 CFR 314.4(g)
16 CFR 314.4(i)