Purpose
The purpose of this policy is to protect the College’s information resources from accidental or intentional unauthorized access, modification, or damage, while preserving the open information-sharing requirements of its academic culture. It prescribes the administrative, technical, and physical safeguards required by regulatory obligations, insurance requirements, or best practice.
Policy
Designated Qualified Individual
The Information Security Officer is responsible for overseeing, implementing, and enforcing the College’s information security program.
Assessment
The information security program will be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the confidentiality, integrity, and availability of institutional data and systems and assesses the adequacy of the security controls in place to safeguard these systems and data.
Risk assessments will be performed regularly to evaluate the sufficiency of elements of the information security program to meet the current and foreseeable threats to institutional data and systems.
Policies
The information security program will include policies appropriate to the College’s size and complexity, the nature and scope of its activities, and the sensitivity of the data and systems in scope. These will include, at a minimum:
- Data classification policy that identifies data, personnel, devices, systems, and facilities and manages them according to their importance and risk
- Secure coding practices for “in-house” development
- Data and log retention policies
- Change management plan
- Oversight of service providers policy
- Incident response plan
Security Controls
The information security program will include platforms, processes, and procedures appropriate to the College’s size and complexity, the nature and scope of its activities, and the sensitivity of the data and systems in scope. These elements will include, at a minimum:
- Periodic review of both logical and physical access
- Encryption of all customer information, both in transit and at rest
- Multi-factor authentication
- Secure disposal of customer information
- Monitoring and logging of authorized user activity, and detection of unauthorized access to or use of customer information by such users
- Continuous monitoring and intrusion detection
- Penetration testing
- Vulnerability management
- Training, including end-user cybersecurity awareness training, phishing simulation, and training of information security personnel
Periodic Re-evaluation and Adjustment
The Information Security Officer will re-assess and adapt the information security program based on the findings of testing, monitoring, and assessment activities; significant changes to operations or business arrangements; security incidents; changes in the threat environment; or any other circumstances that might reasonably have a significant influence on the risk posture of College data or systems.
Reporting
The Information Security Officer will report, in person or in writing and at least annually, to the audit committee of the board of trustees or an equivalent governing body. These reports will cover the overall status of the information security program, compliance with applicable regulations, and current risks. They will also cover the results of assessments, findings and concerns pertaining to service providers, security incidents and the response to them, and recommendations for improving the information security program.
Revision History
Date of change: June 21, 2023
Responsible: J. Scannell and K. George
Summary of change: Moved policy from draft to released status
References
Code of Federal Regulations, Title 16, Part 314, Standards for Safeguarding Customer Information (16 CFR Part 314), in particular:
16 CFR 314.3(a)
16 CFR 314.4(a)
16 CFR 314.4(b)
16 CFR 314.4(c)
16 CFR 314.4(c)(1)
16 CFR 314.4(c)(2)
16 CFR 314.4(c)(3)
16 CFR 314.4(c)(4)
16 CFR 314.4(c)(5)
16 CFR 314.4(c)(6)(i)
16 CFR 314.4(c)(6)(ii)
16 CFR 314.4(c)(7)
16 CFR 314.4(c)(8)
16 CFR 314.4(d)(1)
16 CFR 314.4(d)(2)(i)
16 CFR 314.4(d)(2)(ii)
16 CFR 314.4(e)
16 CFR 314.4(e)(1)
16 CFR 314.4(e)(2)
16 CFR 314.4(e)(3)
16 CFR 314.4(e)(4)
16 CFR 314.4(f)
16 CFR 314.4(g)
16 CFR 314.4(h)
16 CFR 314.4(i)
Issuing Authority
CIO/CTO