Staff Policy D-508.01
Institutional Effectiveness Criterion: Operations

Information Security Policy

The Information Security Plan establishes and states the policies governing Northwestern Michigan College’s Information Technology (IT) standards and practices. These policies define the College’s objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information systems as well as compliance with the requirements imposed on the College. The IT procedures mentioned in this policy are available for review and are maintained by the office of the VP for Student Services and Technologies.

1           EXECUTIVE SUMMARY

An Information Security Plan (ISP) is designed to protect information and critical resources from a wide range of threats in order to ensure information technology continuity, minimize security risk, and maximize technology resource availability.  Information Technology (IT) security is achieved by implementing a suitable set of controls including policies, processes, procedures, organizational structures, and software and hardware functions. These controls need to be established, implemented, and continuously monitored, reviewed, and improved where necessary, to ensure that the specific security and business objectives of Northwestern Michigan College are met.

 

This plan governs the privacy, security, and confidentiality of College data, especially highly sensitive data, and the responsibilities of departments and individuals for such data. IT security measures are intended to protect information assets and preserve the privacy of Northwestern Michigan College employees, students, sponsors, suppliers, and other associated entities. Inappropriate use exposes Northwestern Michigan College to risks including virus attacks, compromise of network systems and services, and legal issues.

 

All users of Northwestern Michigan College’s (IT) resources are required to follow the D-508.00 Information Security Compliance Policy and are bound by this plan as well as other College policies and procedures as terms of their employment. All employees share responsibility for the security of the information and resources in their respective departments.

2           PURPOSE

The purpose of this plan is to ensure the confidentiality, integrity, and availability of data, to define, develop, and document the information policies and procedures that support College goals and objectives, and to allow the College to satisfy its legal and ethical responsibilities with regard to its IT resources.

 

Information security policies serve as overarching guidelines for the use, management, and implementation of information security throughout Northwestern Michigan College.  Internal controls provide a system of checks and balances intended to identify policy irregularities, maintain efficient practices, prevent fraud and abuse from occurring, and assist in resolving discrepancies that are accidentally introduced in the operations of the business. When consistently applied throughout the College, these policies and procedures assure that IT resources are protected from a range of threats in order to ensure information technology continuity, and maximize technology resource availability. 

 

This plan reflects Northwestern Michigan College’s commitment to stewardship of sensitive personal information and critical business information. In addition, this plan acknowledges the numerous threats to information security and the importance of protecting the privacy of College constituents, safeguarding vital business information, and fulfilling legal obligations.

 

This plan will be reviewed and updated at least once a year or when the environment changes.

 

 

3           SCOPE

This plan applies to the entire Northwestern Michigan College community, including the President, Vice Presidents, Deans, Directors, department heads, students, former students, faculty, staff, trustees, temporary employees, contractors, volunteers, and guests who have access to Northwestern Michigan College information technology resources. Such assets include but are not limited to data, images, text, or software that are stored on hardware, paper, or other storage media.

 

4           DEFINITIONS

Confidentiality preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.  A loss of confidentiality is the unauthorized disclosure of information.

 

Integrity - guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.  A loss of integrity is the unauthorized modification or destruction of information.

 

Availability ensuring timely and reliable access to and use of information.  A loss of availability is the disruption of access to or use of information or an information system.

 

Risk Assessment a process which determines what information resources require protection in addition to documenting and evaluating potential risks from IT security failures that may cause the loss of information confidentiality, integrity, or availability.

 

Control Activitiesthe policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out.

 

Information Assets definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the College.

 

Access Controlrefers to the process of controlling access to systems, networks, and information based on institution and security requirements.

 

ISO (International Organization for Standardization) an international standard-setting body composed of representatives from various national standards organizations.

 

NIST (National Institute of Standards and Technology) a non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

 

VPN (Virtual Private Network) a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to enterprise networks. VPN’s use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

 

IDS (Intrusion Detection System) a device or application that monitors network and/or system activities for malicious activities or policy violations.

 

IPS (Intrusion Prevention System) a device or application that identifies, logs, and reports malicious activity while attempting to block/stop said activity.

 

Encryption the process of converting intelligible information so that it is humanly unreadable except by someone who knows how to decrypt it.

 

5           IT GOVERNANCE COMMITMENTS & RESPONSIBILITIES

Information Technology governance is the responsibility of the Vice President for Student Services and Technologies and consists of the leadership, organizational structures, and processes that ensure the College’s information technology sustains and extends Northwestern Michigan College’s strategies and objectives.

The Vice President for Student Services and Technologies has established the overall approach to governance and control by providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the College's resources are used responsibly.

Systems and LAN Management and other administrative and instructional technology-serving departments show their commitment by developing and implementing strong internal controls as well as ensuring the promotion and awareness of IT requirements and plans throughout the College.   The ultimate responsibility of these departments is to assure that the College meets customer and legal requirements while undergoing continual improvement.

 

6           COLLEGE POLICY STATEMENT

Each department will protect College resources by adopting and implementing the security standards and procedures developed and approved by the Northwestern Michigan College’s Policy Council that are included within this Information Security Plan. All departments must meet the minimum standards. Individuals within the scope of this policy as defined in §3 are responsible for complying with this policy to ensure the security of College resources.

 

7           ENFORCEMENT

All individuals accessing College data at Northwestern Michigan College are required to comply with federal and state laws, College policies, and procedures regarding the security of highly sensitive data. Any College employee, student, or non-college individual with access to College data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this plan and will be subject to appropriate disciplinary action, including but not limited to possible dismissal and/or legal action.

 

8           INFORMATION SECURITY PROGRAM

Through this document and associated policies, Northwestern Michigan College has established, documented, and implemented an Information Security Program. The system is designed to improve the efficacy of Information Technology operations and to satisfy regulatory requirements. This program has been implemented to ensure the confidentiality and integrity of College information while maintaining appropriate levels of accessibility.

In order to ensure the security and confidentiality of sensitive information and to protect against any anticipated threats or hazards to the security or integrity of data, the College has put in place all reasonable technological means, (i.e., security software, hardware) to keep information and facilities secure

 

8.1       RISK ASSESSMENT

A risk assessment is a process which determines what information resources require protection in addition to documenting and evaluating potential risks from IT security failures that may cause the loss of information confidentiality, integrity, or availability. The purpose of a risk assessment is to help management create appropriate strategies and controls for stewardship of information assets. Due to frequent changes in economic, regulatory and operating conditions, special mechanisms are needed to identify and deal with the risks associated with change.

Objectives must be established before administrators can both identify and take the necessary steps to manage risks. Operations objectives describe the efficacy and efficiency of the operations, including performance and financial goals as well as safeguarding resources against loss. Financial reporting objectives describe the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives confirm the College’s adherence to laws and regulations that establish minimum standards of behavior.

 

Systems and LAN Management (SLM), with the assistance of other departments, will conduct an annual risk assessment and/or business impact analysis in order to:

  • Inventory and determine the nature of campus information resources.
  • Understand and document the risks associated with security failures that may potentially result in the loss of confidentiality, integrity, or availability of information resources.
  • Identify the level of security necessary for the protection of the resources.

 

8.2       CONTROL ACTIVITIES

Control activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out. Control activities are essentially the actions taken to minimize risk. When the assessment identifies a significant risk to the achievement of an objective, a corresponding control activity or activities are determined and implemented.

 

Control activities occur throughout the College at all levels and in all functions. They apply to a range of activities including but not limited to:

  • Authorization - provide reasonable assurance that all activities are within the limits set by policy or that exceptions to policy have been granted by the appropriate officials.
  • Verification - designed to provide reasonable assurance that activities have been reviewed for accuracy and completeness by appropriate personnel.
  • Physical security over assets - designed to provide reasonable assurance that assets are safeguarded and protected from loss or damage due to accident, natural disaster, negligence or intentional acts of fraud, theft or abuse.
  • Segregation of duties - reduce the risk of error and fraud by requiring that more than one person is involved in completing a particular process.
  • Education and training - reduce the risk of error and inefficiency in operations by ensuring that personnel have the proper education and training to perform their duties effectively. Education and training programs should be periodically reviewed and updated to conform to any changes in the agency environment or fiscal processing procedures.

 

Control activities usually involve two elements: a policy establishing what should be done, and procedures to effect the policy. All policies must be implemented thoughtfully, conscientiously, and consistently.

 

8.2.1    INTERNAL CONTROLS

Internal controls are designed to provide reasonable assurance that the goals and objectives for the College and administrative areas are met. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Internal controls, procedures, and practices also ensure that:

  • Risks are reduced to an acceptable level.
  • All assets are safeguarded against waste, fraud, loss, unauthorized use or disclosure, and misappropriation.
  • Programs are efficiently and effectively carried out in accordance with applicable laws and College policy.

 

Controls are selected based on the cost of implementation relative to the reduction of risk and potential for loss, if and when a security breach occurs. Non-monetary factors such as loss of reputation are also taken into account.

 

The administrative processes within Northwestern Michigan College rely on internal controls to remain in compliance with internal and external requirements. Without adequate internal controls, functions within the College may become non-compliant, inefficient, and too costly to operate, which in turn will ultimately fail. Adequate controls to mitigate risks need to exist in everyday business procedures and can be preventive, detective, or corrective in nature.

 

8.2.2    PREVENTIVE CONTROLS

Preventive controls are designed to discourage or preempt errors or irregularities from occurring and are therefore more cost effective than detective controls. Examples of preventive controls include but are not limited to: credit checks, job descriptions, required authorization signatures, data entry checks, and physical control over assets to prevent their improper use.

8.2.3    DETECTIVE CONTROLS

Detective controls are designed to search for and identify errors after they have occurred. They are more expensive than preventive controls, but still essential since they measure the effectiveness of preventive controls and are the only way to effectively control certain types of errors. Examples of detective controls include but are not limited to: account reviews and reconciliations, observations of payroll distribution, periodic physical inventory counts, passwords, transaction edits, and internal auditors.

8.2.4    CORRECTIVE CONTROLS

Corrective controls are designed to prevent the reoccurrence of errors. These controls are triggered by the detection of improper outcomes and will keep a spotlight on the problem until the defect is solved and corrected by management. Examples of corrective controls include but are not limited to: quality teams and budget variance reports. 

8.3       CONTROL ENVIRONMENT

The control environment, as established by the College’s administration, sets the tone of the College and influences the control-consciousness of its people. Leaders of each department, area, or activity establish a local control environment. This is the foundation for all other components of internal control and provides discipline and structure.

 

Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.

 

This requires managers and their staff to maintain and demonstrate the following at all times:

  • Personal and professional integrity and ethical values
  • The skill necessary to help ensure effective performance
  • An understanding of information security and internal controls sufficient to effectively discharge their responsibilities

Managers and supervisors are also responsible for ensuring their employees are aware of the relevance and importance of their activities and how they contribute to the achievement of the control environment.

 

8.3.1    NORTHWESTERN MICHIGAN COLLEGE’S SECURITY POLICY

The information technology resources at Northwestern Michigan College support the educational, instructional, research, and administrative activities of the College and the use of these resources is a privilege that is extended to members of the College community. Any individual using College information technology resources for any reason must adhere to strict guidelines regarding its use. Employees are being entrusted with the safety and security of College information resources. A sound security policy that promotes information security across all IT resources must include the participation of every employee, at all times. 

 

Any person or organization within the College community who uses or provides information technology resources has a responsibility to maintain and safeguard these assets. Each individual student, staff, and faculty member in the Northwestern Michigan College community is expected to use these shared resources with consideration for other individuals’ use of finite resources at the same time.

 

Individuals are also expected to be informed and be responsible for protecting their own information resources in any shared or stand-alone environment. It is unacceptable for anyone to use information resources to violate any law or College policy or perform unethical acts.

 

Northwestern Michigan College’s D-506.06 Computer and Network Acceptable Use policy contains the governing philosophy for effective and efficient use of the College's computing, communications, and information resources by all members of the College community.

 

While chairs, directors and supervisors are ultimately responsible for ensuring compliance with information security practices, Systems and LAN Management - in cooperation with various departments - will develop annual security awareness and compliance training to achieve technical proficiency and appropriate use for all employees who have access to information technology resources.

 

 

8.4       ORGANIZATION OF INFORMATION SECURITY

The College assumes a coordinated approach to the protection of information technology resources and the depositories of protected information that are under its custody. This is achieved by establishing appropriate and reasonable administrative, technical, and physical safeguards that include all departments, individuals, or others that administer, install, maintain, or make use of Northwestern Michigan College’s information technology resources.  Below is a non-exhaustive list of personnel and positions that are required to maintain security of information technology resources.

 

Chief Technology Officer (CTO) The Vice President for Student Services and Technologies is responsible for the College’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program. 

Security and Information Compliance The Director for Systems and LAN Management is responsible for the College’s security programs, including risk management. They play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the information technology resources that support the College’s mission and compliance needs.

Data OwnersResponsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of information technology resources and the data they own.  Examples of Data Owners could be Database Administrator (ITS), Senior Programmer/Analyst and Solution Architect (ITS), Network Systems and Data Communication Analyst (SLM).

IT security practitioners(e.g., network, system, application, and database administrators, computer specialists, and security analysts) are responsible for proper implementation of security requirements within the information technology resources when change occurs.  Examples of IT security practitioners could be Database Administrator (ITS), Senior Programmer/Analyst and Solution Architect (ITS), Network Systems and Data Communication Analyst (SLM).

Data Custodiansare responsible for ensuring that they grant access to data to only those who require that data to perform their job responsibilities.  Examples of Data Custodians would be personnel from Administrative Services (ITS) and Systems & LAN Management (SLM).

Data Useris a person who has been granted explicit authorization to access the data by the owner. The user must utilize the data only for purposes specified by the owner, comply with security measures specified by the owner or custodian (i.e., securing login-ID and password), and not disclose information or control over the data unless specifically authorized in writing by the owner of the data.

Information Security Roles & Responsibilities describes the overall organization at Northwestern Michigan College. All Information Technology personnel and users with access to sensitive data are required to sign and date the Confidentiality Agreement at the time of hire as well as annually thereafter.  Please see Information Security Roles & Responsibility for further reference.

 

8.5       ACCOUNTABILITY FOR ASSETS

Systems & LAN Management, working in cooperation with other campus departments, will develop and maintain a Data Owner Matrix defining those persons responsible for each covered data field in relevant software systems (financial, student administration, development, etc.). SLM will conduct ongoing audits, and will report any significant questionable activities which may compromise the security of protected information.

 

Proper internal control is to be maintained over all information technology resources, at all times. Proper IT asset management – from requisition to disposal – ensures a much greater likelihood that the College will continue to meet customer requirements well into the future by planning in an orderly fashion and mandating consistency throughout the College.

 

8.6       INFORMATION CLASSIFICATION

Information classification is required to determine the relative sensitivity and critical nature of information technology resources which provide the basis for protection efforts and access control. The Data Classification and Protection Standard establishes a baseline derived from federal laws, state laws, regulations, and College policies that govern the privacy and confidentiality of data.

 

The Data Classification and Protection Standard applies to all data (e.g., student, research, financial, employee data collected in electronic or hard copy form that is generated, maintained, and entrusted to Northwestern Michigan College) except where a different standard is required by grant, contract, or law.

 

All institutional data must be classified into one of three sensitivity tiers that Northwestern Michigan College has identified, referred to as: Confidential, Internal/Private, and Public. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive than others and therefore require tighter controls.

 

All College data is to be reviewed on a periodic basis and classified according to its use, sensitivity and importance to the College, and for its compliance with federal and/or state laws.  SLM has pre-defined several types of sensitive data. The level of security required depends in part on the effect that unauthorized access or disclosure of those data values would have on College operations, functions, image or reputation, assets, or the privacy of individual members of the College community.

 

8.6.1    TIER I: CONFIDENTIAL

Confidential information is information whose unauthorized disclosure, compromise, or destruction would result in severe damage to the College, its students, or employees. Examples of this data include but are not limited to: social security numbers, dates of birth, medical records, credit card, or bank account information. Tier I data is intended solely for use within Northwestern Michigan College and is limited to those with a “business need-to-know.”

 

8.6.2    TIER II: INTERNAL/ PRIVATE

Internal use information must be guarded due to proprietary, ethical, or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of information at this level could cause financial loss, damage to Northwestern Michigan College’s reputation, or violate an individual’s privacy rights.  Examples of this data include but are not limited to: educational student records, employment history, and alumni biographical information. Tier II information is intended for use by College employees, contractors, and vendors covered by a non-disclosure agreement.

 

8.6.3 TIER III: PUBLIC

Public information is information that is not publicly disseminated, but accessible to the general public. These data values can either be explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on and off campus (e.g., an employee’s work email addresses or student directory information), or not be specifically classified elsewhere in the protected data classification standard.  Knowledge of Tier III information does not expose Northwestern Michigan College to financial or reputational loss, or jeopardize the security of College data. However, publicly available data may be subject to appropriate review or disclosure procedures to mitigate potential risks of inappropriate disclosure data in order to organize it according to its risk of loss or harm from disclosure.

 

8.7       INFORMATION HANDLING

College employees create records as part of the normal course of conducting the business of the College. Records containing highly sensitive information should exist only in areas where there is a legitimate and justifiable business need and maintained under strict controls as outlined in this document

 

Mishandling of sensitive information is a significant risk to the College, and may cause considerable financial or reputational harm. It is the responsibility of all Northwestern Michigan College employees, regardless of position, to protect sensitive information by being aware of any sensitive information they may store, process, or transmit.

 

The Data Classification and Protection Standard outlines the minimum standards for the protection of highly sensitive College information. Additional controls required under applicable laws, regulations, or standards governing specific forms of data (e.g., health or financial information, credit card data), may also apply.  Please see Data Classification and Protection Standards for further reference.

 

8.8       IDENTITY & ACCESS MANAGEMENT

Identity and access management ensures accurate identification of authorized College community members and provides secure authenticated access and use of network-based services. Identity and access management is based on a set of principles and control objectives that:

  • Ensure unique identification of members of the College community and assignment of access privileges.
  • Allow access to information resources only by authorized individuals.
  • Ensure periodic review of membership in the community and review of their authorized access rights.
  • Maintain effective access mechanisms through evolving technologies.

 

Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements. The objective is to prevent unauthorized disclosure of Northwestern Michigan College’s information assets. College access control measures include secure and accountable means of identification, authentication, and authorization. Please see Identity and Access Management for further reference.

 

8.8.1    IDENTIFICATION

Identification is the process of uniquely naming or assigning an identifier to every individual or system to enable decisions about the levels of access that should be given. The key feature of an identity process is that each user of the College community, and any other entity about which access decisions need to be made, is uniquely identifiable from all other users.

 

8.8.2    AUTHENTICATION

Authentication validates the identity of a person by determining whether someone or something is, in fact, who or what they are declared to be.  Authentication factors can be something you know (password or passphrase), something you have (token), or something you are (biometric). Two-factor authentication requires two of the three factors (e.g., password and token) in these distinct categories. For the purpose of access control, authentication verifies one’s identity through IT.

 

Passwords and passphrases are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password or passphrase may result in the compromise of Northwestern Michigan College’s entire network. Adhering to secure password procedures will help reduce the compromise of user accounts on the College’s systems. As such, all community users including but not limited to students, faculty, staff, guests, contractors, and vendors are responsible for selecting and securing their passwords. Please see Password Standards for further reference on passwords and passphrases.

 

8.8.3    AUTHORIZATION

Authorization is the process used to grant permissions to authenticated users. Authorization grants the user, through technology or process, the right to use the information assets and determines what type of access is allowed (read-only, create, delete, and/or modify).

 

The access rights to the information must then be entered into the security system via an access list, directory entry, or view tables, for example, so the authorization rules can be enforced. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information.

 

In addition:

  • Criteria must be established by the Data Owner for account eligibility, creation, maintenance, and expiration.
  • Highly sensitive data must be individually authorized by the Data Owner and an annual confidentiality agreement must be acknowledged or signed by all authorized users.
  • Depending on the relative sensitivity of the data, staff may be subject to a background check before they are hired, transferred, or promoted. Any employee who was not subjected to such a clearance check when first hired should not be placed in a sensitive position until security clearance has been obtained.
  • Data Owners must periodically review user privileges and modify, remove, or deactivate accounts when access is no longer required.
  • Procedures must be documented for the timely revocation of access privileges and return of institutionally owned materials (e.g., keys) for terminated employees and contractors.
  • Inactivity time-outs must be implemented, where technically feasible, for terminals and workstations that access highly sensitive data. The period of inactivity shall be no longer than 10 minutes in publicly accessible areas.
  • Audit trails exist for detective and reactive response to system penetration, infection of systems and data due to malicious code, catastrophic system loss, or a compromise of data integrity.

 

8.8.4    REMOTE ACCESS

Remote access to information technology resources (switches, routers, computers, etc.) and to sensitive or confidential information (social security numbers, credit card numbers, bank account numbers, etc.) are only permitted through secure, authenticated, and centrally-managed access methods. Systems that contain sensitive student, personnel, or financial data will be available for off-site remote access through a centrally managed VPN that provides encryption and secure authentication.

 

It should also be understood that when accessing sensitive data remotely, it is prohibited to store cardholder or other sensitive data onto local hard drives, floppy disks, or other external media (including laptops and smartphones).

 

External computers that are used to administer College resources or access sensitive information must be secured. This includes for the purposes of patching operating systems and applications, distributing updated anti-virus software, operating a firewall, and being configured in accordance with all relevant College policies and procedures.

 

8.8.5    PRIVILEGED ACCESS

System administrators routinely require access to information resources to perform essential system administration functions critical to the continued operation of the College. Such privileged access is often termed as “superuser,” “root,” or “administrator” access. Privileged accounts enable vital system administration functions to be performed and are only to be used for authorized purposes.

 

The number of privileged accounts is to be kept to a minimum and only provided to those personnel whose job duties require it. Administrators or users who require privileged accounts will also have non-privileged accounts to use when performing daily routine tasks and will not use their privileged accounts for non-authorized purposes. Activities performed using a privileged account are logged and reviewed on a regular basis by an independent and knowledgeable person.

 

Personnel who manage, operate, and support College information systems, including individuals who manage their own systems, are expected to use appropriate professional practices in providing for the security of the systems they manage. Responsibility for systems and application security must be assigned to an individual who is knowledgeable about the information technology used in the system and about providing security for such technology.

 

8.8.6    SEGREGATION OF DUTIES

Tasks involved in critical business processes must be performed by separate individuals. Responsibilities of programmers, system administrators, and database administrators must not overlap, unless authorized by the Data Owner. Duties and responsibilities shall be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Such controls keep a single individual from subverting a critical process.  Key duties include authorizing, approving, and recording transactions, issuing and receiving assets, and reviewing or auditing transactions.

 

Segregation of duties should be maintained between the following functions:

  • Data entry / computer operation
  • Network management / system administration
  • Security administration
  • Security audit

 

Qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved. This standard requires supervisors to continuously review and approve the assigned work of their staff as well as provide the necessary guidance and training to ensure that errors, waste, and wrongful acts are minimized, and that specific management directives are followed.

 

8.9       COMMUNICATION AND OPERATIONS MANAGEMENT

System communications protection refers to the key elements used to assure data and systems are available and are exhibiting the confidentiality and integrity expected by owners and users to conduct their business. The appropriate level of security applied to the information and the system is based on the classification and critical nature of the information and the business processes that use it. The system's integrity controls must protect data against improper alteration or destruction during storage, processing, or transmission over electronic communication networks.

 

The key elements of system and communications protection are backup protection, denial of service protection, boundary protection, use of validated cryptography (encryption), public access protection, and protection from malicious code.

 

Operations management refers to: implementing appropriate controls and protections on hardware, software, and resources, maintaining appropriate auditing and monitoring, and evaluating system threats and vulnerabilities.

 

Proper operations management safeguards all of the College’s computing resources from loss or compromise, including main storage, storage media (e.g., disk, and optical devices), communications software and hardware, processing equipment, standalone computers, and printers.

 

8.9.1    NETWORK SECURITY

Network attacks launched from the Internet or from College networks can cause significant damage and harm to information resources including the unauthorized disclosure of confidential information. In order to provide defensive measures against these attacks, firewall and network filtering technology must be used in a structured and consistent manner.

Northwestern Michigan College maintains appropriate configuration standards and network security controls to safeguard information resources from internal and external network-mediated threats. Firewalls and Intrusion Detection Systems (IDS) are deployed at the campus border and Intrusion Prevention Systems (IPS) are deployed on core services to augment normal system security measures to prevent denial of service attacks, malicious code, or other traffic that threatens systems within the network or that violates College information security policies. Firewalls and IDS/IPS are also deployed as appropriate to limit access to systems that host restricted or essential information.

 

8.9.2    SECURITY MONITORING

Security Monitoring provides a means by which to confirm that effective information resource security controls are in place and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or discovery of new security vulnerabilities. Early detection and monitoring can prevent possible attacks or minimize an attack’s impact on computer systems.

Any equipment attached to Northwestern Michigan College’s network is subject to security vulnerability scans. The goal of the scan is to reduce the vulnerability of College computers and the network to hacking, denial of service, infection, and other security risks from both inside and outside the College. SLM scans College servers using a mixture of commercial and open-source software to monitor and assess the security of the College’s network. Critical servers that store legally protected or other important non-public data are given priority, but others may be scanned as well.

SLM also coordinates the external vulnerability scans for departments that are required to use this service to meet the Payment Card Industry Data Security Standards (PCI DSS) for credit card processing. The external scans use a PCI-approved external scan vendor.

 

8.9.3    ENCRYPTION

Northwestern Michigan College has developed standards for encryption to ensure that sensitive data is protected from disclosure. Suitably strong encryption measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage.

 

Transmission

In order to protect the confidentiality and integrity of the College’s sensitive data (any data classified as Tier I data and having a required need for confidentiality and/or integrity), shall be transmitted via encrypted communication to ensure that is does not traverse the network in clear text. It is further recommended that data classified as Tier II be transmitted via encrypted communications when possible.

 

Storage

Encryption of information in storage presents risks to the availability of that information, due to the possibility of encryption key loss. In order to protect the confidentiality and integrity of the College’s sensitive data (any data classified as Tier I data and having a required need for confidentiality and/or integrity), shall be stored encrypted in systems and/or databases and/or portable media. Tier II or Tier III data classifications do not require such encrypted storage, however, it is recommended. See Data Classification and Protection for further clarification on data classification and handling.

 

8.9.4    VIRUS AND MALWARE PROTECTION

Viruses and malware are a threat to the College as infected computers may transmit confidential information to unauthorized third parties, provide a platform for unauthorized access or use of the internal network, contaminate or infect other network connected devices, or interfere with College information technology resources. Anti-virus and anti-malware software is provided to the College community to protect against the damage caused by these attacks. Network administrators are responsible for creating procedures to ensure that this software has the latest updates and signatures installed and to verify that computers are protected.

 

The College reserves the right to review any device attached to the network (public or non-public) for adequate virus and malware protection. The College reserves the right to deny access to the network to any device found to be inadequately protected. Additionally, the College reserves the right to disable network access to any device that is insufficiently protected, or currently infected with a virus or malware. Network access may be restored when the device has been cleaned and current anti-virus and/or anti-malware software and respective operating system and application patches have been installed.

 

8.9.5    BACKUP AND RECOVERY

All electronic information is to be copied onto secure storage media on a regular basis (i.e., backed up), for the purpose of disaster recovery and business resumption. The Backup and Recovery Standard outlines the minimum requirements for the creation and retention of backups. Special backup needs which exceed these minimum requirements may be accommodated on an individual basis.

 

All backups must conform to the following best practice procedures:

  • All data and utility files must be adequately and systematically backed up.
  • Records of what is backed up and where it is backed up must be maintained.
  • Records of software licensing should be backed up.
  • Copies of the back-up data will reside on backup storage area network in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site.
  • Regular tests of restoring data/software from the backup copies should be undertaken to ensure that they can be relied upon for use in an emergency. Note: for highly critical and time-sensitive data, a mirror system, or at least a mirror disk, may be needed for a quick recovery.

 

8.10     PHYSICAL SECURITY MEASURES

Physical security controls and secure areas are used to minimize unauthorized access, damage, and interference to information and information systems. Physical security means providing environmental safeguards for controlling physical access to equipment and data on the College network in order to protect information technology resources from unauthorized use, in terms of both physical hardware and data perspectives.

 

8.10.1  PHYSICAL ENTRY CONTROLS

Access to areas containing sensitive information, such as the data center, must be physically restricted. Access to all entry points into and within the data center is protected by electronic access control mechanisms to validate access and ensure only authorized individuals enter the facility. An audit trail of all access is securely maintained for auditing purposes.  Personnel who have access to the data center must be immediately removed from all systems that they have previously been allowed access to when no longer employed by the College. This includes all electronic access control mechanisms along with the removal of all systems, databases, web portals, or any other type of sign-in mechanism that requires authentication and authorization activities.

 

8.10.2  VISITORS

Visitors must be properly identified and have a legitimate business need for access to the facility.  Non-NMC personnel needing access to the facility will need to be cleared with Systems & LAN Management and/or NMC Facilities (such as in the event of an HVAC or maintenance issue).

 

8.10.3  ALARMS & SURVEILLANCE

All exterior doors and sensitive areas within the facility are hard wired with alarms and have a mixture of security cameras in place throughout all critical areas of the data center.

 

8.10.4  EQUIPMENT CONTROL

The assigned user of information technology resources is considered the custodian for the resource. If the item has been damaged, lost, stolen, borrowed, or is otherwise unavailable for normal business activities, the custodian must promptly inform the involved department manager. Sensitive information technology resources located in unsecured areas should be individually secured to prevent physical tampering, damage, theft, or unauthorized physical access.

An inventory of all computer equipment and media is maintained to account for restricted and confidential information. When feasible, IT equipment is to be marked with some form of identification that clearly indicates it is the property of Northwestern Michigan College.

 

8.10.5  COMPUTER DATA AND MEDIA DISPOSAL POLICY

Proper data disposal is essential to controlling sensitive data including student records, personnel records, financial data, and protected health and credit card information. If the information on those systems is not properly removed before the equipment is disposed of or transferred within the College, that information could be accessed and viewed by unauthorized individuals.

Media or devices containing sensitive information that are transferred between departments or removed from service must be properly sanitized before their transfer or disposal as outlined within the Data Sanitization Standard. Northwestern Michigan College is committed to compliance with federal statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.  Please see Data Sanitization Standard for further reference.

 

8.11     BUSINESS CONTINUITY

Northwestern Michigan College provides a safe and secure IT environment. This environment exists to serve its customers’ requirements, ensures stability and continuity of the business, and promotes confidence in its ability to continuously provide goods and services, and to recover quickly from disaster while minimizing disruption.

 

8.11.1  BUSINESS IMPACT ANALYSIS

A Business Impact Analysis correlates specific system components with the critical services that they provide. The consequences of a disruption to these system components are characterized based on that information.  It is the responsibility of both the Data Owner and Data Custodian to perform appropriate business impact analysis tasks as outlined below.

 

  • Identify Critical IT Resources

Data owners and custodians are to evaluate their system to determine the critical functions performed and to identify the specific system resources required to perform them. The following two activities are needed to complete this step:

  1. Identify and coordinate with internal and external users associated with the system to characterize the ways that they depend on or support the system. When identifying contacts, it is important to include departments that provide or receive data from the system as well as contacts supporting any interconnected systems. This coordination should enable the data owner and custodian to characterize the full range of support provided by the system, including security, managerial, technical, and operational requirements.
  2. Evaluate the system to link these critical services to system resources. This analysis will usually identify infrastructure requirements such as electric power, telecommunications connections, and environmental controls. Specific IT equipment, such as application servers and authentication servers are usually considered to be critical. However, the analysis may determine that certain IT components, such as a printer or print server, are not needed to support critical services.

 

  • Identify Outage Impacts and Allowable Outage Times

Data owners and custodians should analyze the critical resources identified in the previous step and determine the impact(s) on IT operations if a given resource were disrupted or damaged. The analysis should evaluate the impact of the outage in the following three ways:

  1. The effects of the outage may be tracked over time. This will enable the College to identify the maximum allowable time that a resource may be unavailable before it prevents or inhibits the performance of an essential function.
  2. The effects of the outage may be tracked across related resources and dependent systems, identifying any cascading effects that may occur as a disrupted system affects other processes that rely on it.
  3. The effects of the outage may be tracked using revenue streams and cost expenditures, identifying any areas of monetary need or concern that could cause a delay in the recovery effort.

 

Data owners and custodians will determine the optimum point to recover the IT system by balancing the cost of system interoperability against the cost of resources required for restoring the system.  NMC maintains this information in the Service Levels for Services and Applications matrix.

 

  • Develop Recovery Priorities

Data owners and custodians should develop recovery priorities for the system resources. A scale of high, medium, or low should be used to prioritize the resources. High priorities are based on the need to restore critical resources within their allowable outage times, while medium and low priorities reflect the requirement to restore full operational capabilities over a longer recovery period.

 

The outage impacts and allowable outage times characterized in the previous step enable the College to develop and prioritize recovery strategies that personnel will implement during contingency plan activation. For example, if the outage impact step determines that the system must be recovered within 4 hours, Northwestern Michigan College needs to adopt measures to meet that requirement. Similarly, if most system components could tolerate a 24-hour outage but a critical component could be unavailable for only 8 hours, the necessary resources for the critical component would be prioritized. By prioritizing these recovery strategies, the College may make informed decisions tailored to contingency resource allocations and expenditures, saving both time and effort.

 

  • Business Impact Analysis Documentation Requirements

Data owners and custodians are responsible for maintaining Business Impact Analysis documentation. A periodic review of the Business Impact Analysis should be performed by the data owner to ensure accuracy and completeness.

 

8.11.2  DISASTER RECOVERY

A disaster recovery plan can be defined as the ongoing process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of critical functions in the event of an unscheduled interruption.

The Supporting Information and Plan Appendices provide essential information to ensure a comprehensive plan. The Notification/Activation, Recovery, and Reconstitution Phases address specific actions that the College should take following a system disruption or emergency. IT contingency plans should be clear, concise, and easy to implement in an emergency. Where possible, checklists and step-by-step procedures should be used.

 

The Disaster Recovery Plan must contain detailed information on how to continue business operations and perform all tasks required to do so while the computer hardware, network, and data are being recovered. Technical capabilities need to be documented and designed to support operations and should be tailored to the College requirements. The order in which systems are to be recovered and at what level of functionality based upon the Business Impact Analysus need to be fully documented. Not all systems may need to be recovered simultaneously or to 100% for the system to begin functioning.

 

Northwestern Michigan College is in the process of developing a comprehensive contingency planning program. Each campus department will develop IT contingency plans that contain detailed roles, responsibilities, teams, and procedures associated with restoring an IT system following a disruption.

 

8.12     INFORMATION SECURITY INCIDENT RESPONSE

An IT security incident is defined as an event that impacts or has the potential to impact the confidentiality, availability, or integrity of College information technology resources. Having an effective incident response is essential in mitigating damage and loss due to an information security incident. Proper handling of such incidents protects the College’s information technology resources from future unauthorized access, use, or damage.

 

If you suspect an IT security incident, immediate action should be taken to isolate the problem from the campus network. Be ready to provide specifics such as date/time of loss, type of device(s), contact information, and any specific information that you believe indicates that a device was breached, a computer security incident occurred, or a device was lost or stolen. Please see the Incident Response Procedure for further reference.

 

9           REGULATIONS

The College must be proactively aware of and prepared to comply with a wide variety of federal and state laws, regulations, and College policies with respect to information protection and privacy. These currently include but are not limited to the following listed subsections 9.1 - 9.5.

 

9.1       FAMILY EDUCATION RIGHTS AND PRIVACY ACT

FERPA is a Federal law that defines disclosure and access to educational information and records. In context, this is defined to mean (with a few exceptions) records containing information directly related to a student that are maintained by the College. “Educational records” are broadly defined and include electronic records.  FERPA prohibits schools from disclosing education records or personally identifiable information in those records other than certain basic “directory information” without the student’s prior written consent, unless an exception applies.

 

9.2       HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 

HIPAA and its regulations, such as the Privacy and Security Rules, protect the privacy of an individual’s health information as well as govern the way Northwestern Michigan College collects, maintains, uses, and discloses protected health information (PHI).

 

9.3       GRAMM-LEACH-BLILEY ACT FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION

GLBA mandates that the College safeguards non-public personally identifiable financial information (PIFI) by limiting disclosures of such data and notifying customers of their information sharing practices and privacy policies. The act requires that the College must develop, implement, and maintain a written comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the relevant customer data. The plan must be “reasonably designed” to achieve the security and confidentiality of customer data, to protect against anticipated threats or hazards, and to protect against unauthorized access or use that could result in substantial harm.

 

9.4       RED FLAG RULES 

The RFR requires that the College implement a written Identity Theft Prevention Program designed to detect the warning signs, or "red flags", of identity theft in their day-to-day operations. By identifying red flags in advance, businesses will be better equipped to spot suspicious patterns that may arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

 

9.5       PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS 

PCI DSS provides a single approach to safeguarding confidential credit card account data and establishes security best practice standards that the College must follow when storing, processing, or transmitting credit card data. While not a law, the College complies with PCI DSS in order to be approved and continue to accept payment cards.

 

10       COMPLIANCE

Upon implementation of this plan, Systems & LAN Management ensures that the plan is being effectively carried out in accordance with regulatory and College requirements and meets or exceeds industry standards for information security.

 

The VP for Student Services and Technologies, in conjunction with the appropriate faculty and staff, is responsible for the development and publication of any procedures or guidelines that may be necessary to administer this policy effectively. Relevant procedures, guidelines, and forms mentioned in this policy are maintained by the office of the VP for Student Services and Technologies.

If any provision(s) of this policy or set of bylaws conflicts with laws applicable to Northwestern Michigan College, including the Community College Act of 1966, the Freedom of Information Act, or the Open Meetings Act, as each may be amended from time to time, such laws shall control and supersede such provision(s).

Adopted January 15, 2021