IS-1013 Information Security (Policy)
Communications
Release Date: 9/15/09
Policy
Administrative Directive
The purpose of this administrative directive is to ensure the protection of CNM's data/information assets, resources and systems/networks from accidental or intentional unauthorized access or damage while also preserving the academic need for open information sharing. This document states requirements for the protection of CNM's data/information assets, resources and systems. Simply stated, it defines a comprehensive system to secure and protect CNM's data/information assets, electronic information and systems/networks.
This administrative directive is applicable to all CNM employees, students and to all others granted use of CNM information resources and systems/networks. Every user has responsibility toward the protection of the College's data/information assets, resources and systems.
1. Executive Management Statement of Commitment
The CNM Executive Management Team is committed to this Information Security Administrative Directive. The team establishes the charter for this policy and accepts responsibility for its risk and governance. They authorize and delegate to the Office of Information Technology Services the responsibility to maintain this document and to take the lead on all matters associated with information security.
2. Threat Assessment and Risk Management
CNM will take into account likely threats, assess risk, and consider cost when making decisions relative to the implementation of safeguards for the protection of College information systems/networks and data.
The ITS Management Team bears the primary responsibility for facilitating the development of information security administrative directives for the College. They identify, assess, and make decisions relative to the mitigation of risk, involving the Executive Team when appropriate. As needed they will call upon members of the College departments for their feedback. Additionally, the ITS Management Team assumes the lead in responding to information security incidents.
The IT Technical Team consists of security subject-matter experts in their functional areas and is charged with the development and implementation of detailed (low-level) information security departmental directives and procedures. They are the technical members who will be called upon to participate if an information security incident occurs.
The Marketing and Communications Office and the Employee Training will assist with raising the level of information security awareness across the College Community.
Managers (Vice-presidents, Deans, Directors, Department Heads, Supervisors…) are accountable for information security and must ensure compliance with security directives, policies, procedures, and standards within their respective areas of responsibility. When requesting access to data/information for their employees, they are responsible for ensuring that only enough access is requested for an employee to fulfill their job responsibilities. In addition, when job responsibilities change or an employee leaves CNM, they are responsible for adjusting that access at the correct time. In the event an employee leaves CNM, that time is the last day on the job, not when they are taken off CNM's payroll. These individuals must visibly promote and provide support for information security initiatives throughout the College.
Employees who maintain, manage, or have responsibility for IT resources used to support daily operations at the College have broad, special access to College data. They must remain prepared to implement CNM and applicable departmental IT directives. In addition, because ITS Professionals have varying levels of access to information, they must sign a confidentiality/non-disclosure agreement and attend any required training.
CNM is the owner of all College data/information. To that extent, all data/information received, created and maintained by CNM staff is the property of CNM.
The Office of Planning, Budget and Institutional Research performs the role of Data Steward for CNM data. This office acts as the conduit between ITS and the business and academic units at CNM, providing both decision support and operational help. They have the challenge of ensuring that entities within the College have the appropriate level of access to data using the principle of least privilege. That is to say, the level of access that should be granted is only that level required to fulfill an employee's job responsibilities. This organization is responsible for approving the release of any data/information outside the College. However, all information requested under the "Inspection of Public Records Act" will be submitted to and approved by the VP for Administrative Services, serving in the role of Records Custodian for CNM.
Fulfilling the role of Data Custodians, the ITS Department, Department Heads, Directors, Managers, Deans and Banner Module Coordinators have been entrusted with receiving, creating and maintaining College data/information under the guidance of The Office of Planning, Budget and Institutional Research as Data Steward.
These individuals are responsible for:
- ensuring compliance with all CNM policies and all statutory and regulatory requirements.
- providing access control measures to protect sensitive data.
- ensuring appropriate disposal of all media on which data is stored at the end of its use.
- supporting access control of data by acting as a control point for all access requests.
- ensuring appropriate security measures for the transmission of data.
- reporting and submitting documented reports to the ITS Service Desk (Help Desk) or the CNM Information Security Officer if there is a potential information security incident (i.e., a compromise of personally identifiable information). Refer to the Information Security Incident Response Administrative Directive.
- ensuring that access is requested based on the principle of least privilege. (The level of access that should be requested is only that level dictated by the needs to fulfill an individual's job responsibilities.)
- supporting regular review and control procedures that ensure that all access privileges are current and appropriate, ensuring that when an employee's job responsibilities at CNM change, so does the level of access.
- ensuring that access is granted based on the principle of separation of duties.
Of course, all employees, students, community members, and contractors are accountable for following security-related directives, for following appropriate regulations, and for maintaining their security awareness by taking the appropriate training.
4. Data Classification and Handling - Asset Management
Data/information assets will be clearly identified, classified, and handled appropriately in order to achieve and maintain the appropriate protection of CNM's data/information. The Office of Planning, Budget and Institutional Research fulfilling the role of Data Steward shall provide guidance to CNM departments when appropriate.
5. Personnel Information Security
As part of the Employee Code of Conduct, all CNM employees are held accountable for protecting CNM data/information.
All CNM employees who are granted access to sensitive data/information will be required to sign a non-disclosure (confidentiality) agreement and shall be trained with respect to their specific job responsibilities.
Department Heads shall determine when background checks need to be performed on job applicants when the position requires access to sensitive CNM Information.
Because security awareness is the most cost-effective security measure that the College can adopt, a continuous, ongoing Security Awareness Program with various avenues of communication will be implemented. Formal Information Security Training will be required for all CNM employees. The training content will be developed by the Information Security Officer and administered by The Employee Training. This training will be tailored to an individual's role at the College. In addition, special training may also be required (i.e., based on an individual's job type…).
6. Physical and Environmental Survey
Centralized computer facilities that house core data will be protected in a physically secure location with controlled access. Computer facilities that process departmental data may require physical security depending on the value and sensitivity of the data they process, the resources they access, and their cost. Controlling departments shall ensure that access to computer data centers is limited to those individuals whose role at the College requires it.
7. Communications and Operations Management
Access to and use of campus network services are privileges accorded at the discretion of CNM. Devices connected to the College's electronic communications network must be approved in advance by the ITS Department and comply with the minimum standards set for security. Devices that do not meet minimum standards for networked host security configurations may be disconnected at any time. Institutional data transmitted outside the organization requires additional safeguards.
Specific to information systems that maintain sensitive information, College employees who perform the responsibilities of a system administrator must ensure that information system access controls provide assurance that only persons with a business need can access specific information. This means that access is given only to the information an individual requires in order to perform their role.
9. Enterprise Application Development and Maintenance
The Office of Information Technology Services shall ensure that critical enterprise applications maintain separate environments for development, testing and production.
Security best practices shall be employed with respect to key IT processes:
- Change Management
- IT Project Development
- Technical Reviews
- System Administration
- Cryptographic controls (Encryption controls)
- Quality Management
- Standards
- …
10. Business Continuity and Management
The College ITS Department has established and continues to enhance a viable disaster recovery program for the protection and recoverability of its critical Enterprise System. In time this program will expand to include business continuity on a broader scope that will encompass additional mission-critical functions. The Disaster Recovery Plan shall be tested at a minimum annually.
All violations of this policy (depending on the specific severity of the situation) may be subject to disciplinary action, up to and including termination of employment and/or criminal action.
12. Security Incident Response and Reporting
The ITS Information Security Officer will establish and maintain a formal Information Security Incident Response Administrative Directive and Process. The formal plan will ensure appropriate reactive measures for suspected system compromises or misuse.
13. Operational Security Departmental Directives
The Information Technology Services Department will develop additional information security operational directives at a more detailed level, and these will remain consistent with this high-level security administrative directive. They will provide direction to facilitate measures designed to protect critical information systems, networks and data/information assets. All CNM IT Staff, or those performing IT responsibilities, will be required to comply with these operational policies.
Forms
Not Applicable
Support Materials:
Not Applicable
Reference Materials:
Not Applicable