Lakeshore Technical College Official Policy

Similar documents
MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Information Security Policy

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Cyber Security Program

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Subject: University Information Technology Resource Security Policy: OUTDATED

POLICY 8200 NETWORK SECURITY

EXHIBIT A. - HIPAA Security Assessment Template -

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

ADIENT VENDOR SECURITY STANDARD

SECURITY & PRIVACY DOCUMENTATION

Department of Public Health O F S A N F R A N C I S C O

Checklist: Credit Union Information Security and Privacy Policies

Trust Services Principles and Criteria

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Oracle Data Cloud ( ODC ) Inbound Security Policies

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA Security and Privacy Policies & Procedures

Cyber Risks in the Boardroom Conference

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

DETAILED POLICY STATEMENT

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Table of Contents. PCI Information Security Policy

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Employee Security Awareness Training Program

HIPAA For Assisted Living WALA iii

7.16 INFORMATION TECHNOLOGY SECURITY

01.0 Policy Responsibilities and Oversight

University of North Texas System Administration Identity Theft Prevention Program

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

HIPAA Federal Security Rule H I P A A

UTAH VALLEY UNIVERSITY Policies and Procedures

Cybersecurity in Higher Ed

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Security and Privacy Breach Notification

Putting It All Together:

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Data Processing Agreement

The Common Controls Framework BY ADOBE

IAM Security & Privacy Policies Scott Bradner

VMware vcloud Air SOC 1 Control Matrix

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Table of Contents. Sample

ICT Security Policy. ~ 1 od 21 ~

CLOUD COMPUTING READINESS CHECKLIST

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Regulation P & GLBA Training

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Canada Life Cyber Security Statement 2018

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Security and Privacy Governance Program Guidelines

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

WHITE PAPER- Managed Services Security Practices

Master Information Security Policy & Procedures [Organization / Project Name]

ISO27001 Preparing your business with Snare

Information Security Incident Response Plan

Data Privacy Breach Policy and Procedure

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Internal Audit Report DATA CENTER LOGICAL SECURITY

LCU Privacy Breach Response Plan

Terms and Conditions between Easy Time Clock, Inc. And Easy Time Clock Client

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Information Security Incident Response Plan

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Apex Information Security Policy

It s Not If But When: How to Build Your Cyber Incident Response Plan

Swanson School of Engineering University of Pittsburgh

Cybersecurity: Incident Response Short

Credit Card Data Compromise: Incident Response Plan

Acceptable Use Policy

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Network Security Policy

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Standard for Security of Information Technology Resources

Cybersecurity Auditing in an Unsecure World

Baseline Information Security and Privacy Requirements for Suppliers

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

[DATA SYSTEM]: Privacy and Security October 2013

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

AUTHORITY FOR ELECTRICITY REGULATION

Policies & Regulations

DEFINITIONS AND REFERENCES

Responsible Officer Approved by

Access to University Data Policy

SDR Guide to Complete the SDR

Virginia Commonwealth University School of Medicine Information Security Standard

Education Network Security

Security Policies and Procedures Principles and Practices

Department of Public Health O F S A N F R A N C I S C O

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Version 1/2018. GDPR Processor Security Controls

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Handbook Webinar

Transcription:

Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director of Information Technology Policy Statement I. PURPOSE This policy defines the technical controls and security configurations Information Technology (IT) administrators are required to implement in order to ensure the integrity and availability of the data environment at Lakeshore Technical College. II. STATEMENT A. Access Control Information resources are protected by the use of access control systems. Access control systems include both internal (i.e. passwords, encryption, etc.) and external (i.e. firewalls, etc.). Rules for access to resources are based upon the principle of least privilege; employees are granted access only to that data or level of access needed to complete their job duties, and only for the length of time required to complete those duties. Access is granted only by the completion of a System Access Request Form (Appendix A). This form can only be initiated by the appropriate hiring manager or department VP/Director. The System Access Request Form is also used when an employee changes positions at the college and requires a different access level. User Logon Entitlement Reviews Annually, the IT System Administrator shall review privileged system access with department managers to ensure that all employees have the appropriate level of access necessary to perform their job functions effectively while being limited to the minimum necessary data to facilitate FERPA and HIPAA compliance and protect student and patient data. To do this, the System Administrator shall provide a list of all active user accounts for both network and application access, including access to the email system and the SIS/ERP system to department managers for review. Managers shall review the employee access lists within ten (10) business days of receipt. If any of the employees on the list are no longer employed by LTC, the department head will immediately notify IT of the employee s termination status so privileges may be revoked. Termination of User Logon Account Upon termination of an employee, whether voluntary or involuntary, HR initiates a process in the ERP system that disables all user account access within (1) business day. In cases where termination is immediate, HR may alert IT verbally to expedite access removal. HR shall be responsible for insuring that all keys, LTC-owned equipment and property is returned to the College prior to the employee leaving the college on their final day of employment.

Access Control in Third Party Contracts Access to LTC computer systems or networks for outside contractors/vendors should not be granted until a review of the following concerns have been made, and appropriate restrictions are included in a statement of work ( SOW ) with the party requesting access. Applicable sections of the LTC Information Security Policy have been reviewed and considered. An LTC Vendor Security Management Checklist (Appendix B) has been completed by the party requesting access. Each service, access, account, and/or permission made available should be only the minimum necessary for the third party to perform their contractual obligations. A detailed list of users that have access to LTC computer systems must be maintained and auditable. Dates and times when the service is to be available should be agreed upon in advance. Procedures regarding the handling and protection of information resources should be agreed upon in advance and a method of audit and enforcement implemented and approved by both parties. The right to monitor and revoke user activity should be included in each agreement. C. Change Management Tracking changes to networks, systems and workstations allows IT to efficiently troubleshoot issues that arise due to an update, new implementation, reconfiguration or other change to its systems. IT staff member or other designated LTC employee who is updating, implementing, reconfiguring, or otherwise changing an LTC information system shall carefully log all changes made to the system in the designated repository for such documentation (located on the private IT website on the Bridge (staff intranet)). The employee implementing the change will ensure that all necessary data backups are performed prior to the change. The employee implementing the change shall also be versed with the appropriate rollback process in the event that the change causes an adverse effect within the system and needs to be removed. D. Information System Activity Review LTC shall conduct, on a periodic basis, an operational review of system activity including, but not limited to, user accounts, system access, file access, security incidents, audit logs and access reports to minimize security violations IT shall be responsible for conducting reviews of LTC s information systems activities. Such person(s) shall have the appropriate technical skills with respect to the operating system and applications to access and interpret audit logs and related information appropriately. Review findings will be compiled in a report that shall include the reviewer s name, date and

time of performance, and significant findings describing events requiring additional action (e.g. additional investigation, employee training and/or discipline, modifications to safeguards). Such reviews shall be conducted annually. Audits shall also be conducted if LTC has reason to suspect wrongdoing. In conducting these reviews, IT shall examine audit logs for securitysignificant events including, but not limited to, the following: o Logins- Scan successful and unsuccessful login attempts. Identify multiple failed login attempts, account lockouts, and unauthorized access. o File accesses- Scan successful and unsuccessful file access attempts. Identify multiple failed access attempts, unauthorized access, and unauthorized file creation, modification, or deletion. o Security Incidents- Examine records from security devices or system audit logs for events that constitute system compromises, unsuccessful compromise attempts, malicious logic (e.g. viruses, worms), denial of service, or scanning/probing incidents. o All significant findings shall be recorded using the report format referred to above. IT shall forward all completed reports, as well as recommended actions to be taken in response to findings, to the IT Director for review. The IT Director shall be responsible for maintaining such reports. The IT Director shall consider such reports and recommendations in determining whether to make changes to LTC s administrative, physical and technical safeguards. In the event a security incident is detected through such auditing, such matter shall be addressed promptly by the Information Security Team. E. Security Awareness and Training All LTC employees shall receive appropriate training concerning LTC s security policies and procedures. Such training shall be provided on an ongoing basis to all new employees and repeated periodically for all employees. Security Training Program o The Network Security Administrator and IT Director shall have responsibility for the development and delivery of initial security training. All staff members shall receive such initial training addressing IT security best practices and policies. Attendance and/or participation in such training shall be mandatory for all staff members. The Organizational Development Center shall be responsible for maintaining appropriate documentation of all training activities. o The Network Security Administrator and/or IT Director shall have responsibility for the development and delivery of ongoing security training provided to staff members in response to environmental and operational changes impacting the security of LTC s information resources. Security Reminders o The IT Director shall generate and distribute routine security reminders on a regular basis. o The IT Director and/or Network Security Administrator shall generate and distribute special notices to all staff members providing urgent updates such as new threats, hazards, vulnerabilities and/or countermeasures.

F. Risk Analysis IT shall conduct a thorough risk analysis to serve as the basis for LTC s ongoing information security compliance efforts. IT shall also then re-assess the security risks to its information assets and evaluate the effectiveness of its security measures in light of changes to business practices and technological advancements. The IT Director shall be responsible for coordinating LTC's risk analysis and shall identify appropriate persons within the college to assist with the risk analysis. The IT Director shall be responsible for identifying appropriate times to conduct follow-up evaluations and coordinating such evaluations. Such evaluations shall occur at least annually or upon the occurrence of one or more of the following events: o changes in the FERPA Security Regulations; o new federal, state or local laws or regulations affecting the security of PII; o changes in technology, environmental processes or business processes that may affect FERPA Security policies or procedures; the occurrence of a serious security incident. Reason for Policy This policy is needed to prescribe security safeguards and controls for LTC information systems operating in an increasingly volatile cyber threat landscape. A data breach and/or other major security incident could be extremely damaging to the college s financial resources and reputation and impair its ability to continue business operations. As such, all possible precautions must be implemented to mitigate the risk of such an incident occurring. Historical Data, Cross References and Legal Review Reviewed/Revised: 05/12/2015 Legal Counsel Review and Approval: N/A Board Policy: Definitions

Appendix A. System Access Form (from Staff Recruitment Requisition form)

Appendix B. Vendor Security Management Checklist VENDOR CONTACT INFORMATION Vendor Company Name: Primary Business Address: City: State: Zip: Years In Business: Primary Industry Classification: (e.g., ISP/Network, ASP/Hosting, Application Development, Managed Security, Consultancy) Primary Business Contact Name: Title: Telephone: Email: Primary Security Contact Name: Title: Telephone: Email: TYPES OF SERVICES TO BE PROVIDED TO CLIENT Identify which services are being offered/provided to LTC by vendor (check all that apply): Internet Service Provider (ISP) or Other Data Network Services. Commercial Co-location/Cloud Hosting (Physical, Network, and/or System-Level Only). Commercial Co-location/Cloud Hosting (P, N, and S plus Application/ASP-Level).

Original Application Development. Payment Processing Services. Outsourced Retail Sales/Fulfillment/Service. Outsourced Commercial Business Operations Processing. Outsourced Healthcare-Related Provider, Back-Office, or Insurance Services. Managed Service Services Provider. Business/Marketing Consultancy Services. IT/Technical Consultancy Services. Independent Audit/Compliance Services. Other (include description):

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback