Data Security Procedures, Computer System Security Requirements

Procedure Section: 
Information Technology Services
Effective: 
Monday, October 26, 2015
Procedure: 

The College maintains a computer security system that provides at a minimum to the extent technically feasible:

  • Secure user authentication protocols including:

a)  control of user IDs and other identifiers;

b)  a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

c)  control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

d) restricting access to active Users and active User accounts only; and

e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.

  • Secure access control measures that:

a) restrict access to records and files containing Confidential information to those who need such information to perform their job duties; and

b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.

  • Encryption of all transmitted records and files containing personally identifiable information

a) Encryption of all data containing personally identifiable information (PII) to be transmitted wirelessly.

b) Reasonable monitoring of systems, for unauthorized use of or access to PII.

c) Encryption of all PII stored on laptops or other portable devices.

d) For files containing PII on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of PII.

  • Reasonably current versions of system security agent software which

a) must include malware protection and reasonably current patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions

b) must be set to receive the most current security updates on a regular basis.

  • Education and training of employees

Training on the proper use of the computer security system and the importance of data security, including annual SANS "Securing the Human" online training.

 

Definitions: 
Information Resource. An Information Resource is a discrete body of information created, collected and stored in connection with the operation and management of the College and used by members of the College having authorized access as a primary source. Information Resources include electronic databases as well as physical files. Information derived from an Information Resource by authorized users is not an Information Resource, although such information shall be subject to this policy.
Personally Identifiable Information   Personally identifiable information (PII), or Sensitive Personal Information (SPI)  is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
 Sponsors Sponsors are those members of the College community that have primary responsibility for maintaining any particular Information Resource. Vice Presidents and Deans may designate sponsors in connection with their administrative responsibilities (as in the case of the College Registrar with respect to student academic records), or by the actual sponsorship, collection, development, or storage of information (as in the case of individual faculty members with respect to their own research data, or student grades).
 Data Security Officers Data Security Officers are those members of the College community, designated by their College Vice President or Dean, who provide administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific Information Resources in consultation with the relevant Sponsors.
Users Users include virtually all members of the SPSCC community to the extent they have authorized access to College Information Resources, and may include students, faculty, staff, contractors, consultants and temporary employees and volunteers.
Data Security Committee The Data Security Committee shall be chaired by the Chief Information Officer and shall include all of the Vice Presidents and Chiefs, or their representatives
 Computer System Security Requirements Computer System Security Requirements shall mean a written set of technical standards and related procedures and protocols designed to protect against risks to the security and integrity of data that is processed, stored, transmitted, or disposed of through the use of College information systems, and shall include computer system security requirements that meet or exceed the requirements of regulations ????? GET RCW’s, etc. The Computer System Security Requirements establish minimum standards and may not reflect all the technical standards and protocols in effect at the College at any given time.
 Data Security Directives Data Security Directives shall be issued from time to time by the Data Security Committee to provide clarification of this policy, or to supplement this policy through more detailed procedures or specifications, or through action plans or timetables to aid in the implementation of specific security measures. All Data Security Directives issued by the Committee shall be deemed incorporated herein.
 Specific Security Procedures Specific Security Procedures are procedures promulgated by a College Vice President or Dean to address particular security needs of specific Information Resources sponsored within their area of responsibility, not otherwise addressed by this policy, or any Data Security Directives.
 Security Breach A Security Breach is any event that causes or is likely to cause Confidential Information to be accessed or used by an unauthorized person and shall include any incident in which the College is required to make a notification under applicable law, including ????? GET RCW’s, etc.
Procedure Code: 
PRITSV4702