Policy & Procedures

E-610.3 Information Security

Authority: Vice President of Finance and College Operations/CFO
Effective Date: March 29, 2004
Revision Date: June 2, 2021
Reviewed Date:
Related Policies:
Related Forms, Policies, Procedures, Statutes:
  C-370 – Employee Code of Ethics
  E-610.1 – Acceptable Use of College Computer Equipment and Systems
  E-610.2 – Software Licensing and Installation on College Computers
  J-850 – Student Code of Conduct
  J-850.1 – Student Discipline
  15 U.S. Code Sections 6801 et seq.
  17 U.S. Code Sections 101 et seq.
  16 Code of Federal Regulations Parts 314.1 et seq.
  FERPA, PCI Data Security

Information security affects all facets of the College. The College’s Information Security Program (ISP) is intended to protect the confidentiality, integrity, and availability of the data employed within the organization while adding value to how we conduct business. Confidentiality, integrity, and availability are the fundamental principles of information security and are defined as follows:

Confidentiality: Ensuring that information is accessible only to those entities authorized to have access, often enforced through the classic “need-to-know” principle.

Integrity: Protecting the accuracy and completeness of information and the methods used to process and manage it.

Availability: Ensuring that information assets (information, systems, facilities, networks, and computers) are accessible and usable when needed by an authorized entity.

The College recognizes that information is a critical asset, and our ability to manage, control, and protect it will directly and significantly impact our future success.

The President/District Director designates the Director of Information Technology Services (ITS) as the College’s Information Security Officer and hereby delegates authority to this position to ensure compliance with applicable information security requirements.

This document establishes the framework for the ISP, which will ensure that the College can efficiently and effectively manage, control, and protect its business and Student information assets and those entrusted to it by its stakeholders, partners, customers, and other third parties.

The ISP shall describe the actions and behaviors required to ensure due care is taken to avoid inappropriate risks to the College, Students, business partners, and stakeholders. It must provide oversight of service providers by taking reasonable steps to select and retain service providers that can maintain appropriate safeguards for the customer information at issue, and it must require the College’s service providers to be contractually bound to implement and maintain such safeguards.

The ISP shall ensure the identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the risk assessment must include consideration of risks in each relevant area of the College’s operations, including:

  • Employee training and management.

  • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.

  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

The ISP safeguards must be designed and implemented to control the risks the College identifies through risk assessment, and the College must regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.

The Information Security Officer shall routinely evaluate and update the College’s ISP, considering the results of the required testing and monitoring, any material changes to the College’s operations or business arrangements, or any other circumstances that the College knows or has reason to know may have a material impact on the College’s information security program.

APPLICABILITY

The ISP shall apply equally to any individual, entity, or process interacting with any College Information Resource.

RESPONSIBILITIES

  • Executive Management

    • Ensure that an appropriate risk-based ISP is implemented to protect the confidentiality, integrity, and availability of all Information Resources collected or maintained by or on behalf of the College.

    • Ensure that information security processes are integrated with strategic and operational planning to secure the organization’s mission.

    • Ensure adequate information security financial and personnel resources are included in the budgeting and financial planning process.

    • Ensure that the Security Team is given the necessary authority to secure the Information Resources under their control.

    • Ensure that the Information Security Officer, in coordination with the Security Team, reports annually to Executive Management on the effectiveness of the College’s ISP.

  • Information Security Officer

    • Lead the Security Team and provide updates on the status of the ISP to Executive Management.

    • Manage compliance with all relevant statutory, regulatory, and contractual requirements.

    • Participate in information security-related forums, associations, and special interest groups.

    • Assess risks to the confidentiality, integrity, and availability of all information resources collected or maintained by or on behalf of the College.

    • Facilitate the development and adoption of supporting policies, procedures, standards, and guidelines for providing adequate information security and continuity of operations.

    • Ensure the College has trained all personnel to support compliance with information security policies, processes, standards, and guidelines, and train and oversee personnel who hold significant information security responsibilities in the performance of those responsibilities.

    • Ensure that appropriate information security awareness training is provided to College personnel, including contractors.

    • Develop and maintain a process for planning, implementing, evaluating, and documenting remedial action to address deficiencies in the College's information security policies, procedures, and practices.

    • Develop and implement procedures for testing and evaluating the effectiveness of the College’s ISP per stated objectives.

    • Develop and implement a process for evaluating risks related to vendors and managing vendor relationships.

    • Report annually, in coordination with the Security Team, to Executive Management on the effectiveness of the College’s ISP, including the progress of remedial actions.

  • Information Security Team

    • Ensure compliance with applicable information security requirements.

    • Formulate, review, and recommend information security policies.

    • Approve supporting procedures, standards, and guidelines related to information security.

    • Provide clear direction and visible management support for information security initiatives.

    • Assess the adequacy and effectiveness of the information security policies and coordinate the implementation of information security controls.

    • Ensure that ongoing security activities are executed in compliance with policy.

    • Review and manage the information security policy waiver request process.

    • Review information security incident information and recommend follow-up actions.

    • Promote information security education, training, and awareness throughout the College and initiate plans and programs to maintain information security awareness.

  • All Employees, Contractors, and Other Third-Party Personnel

    • Understand their responsibilities for complying with the College’s Information Security Program.

    • Use College information resources in compliance with all Information Security policies.

    • Seek guidance from the Information Security Officer for questions or issues related to information security.

COMMUNICATION

The College shall maintain and communicate the Information Security Program consisting of topic-specific policies, standards, procedures, and guidelines that:

  • Serve to protect the confidentiality, integrity, and availability of the Information Resources maintained within the organization using administrative, physical, and technical controls.

  • Provide value to the way we conduct business and support institutional objectives.

  • Comply with all regulatory and legal requirements, including:

    • FERPA.

    • State breach notification laws.

    • PCI Data Security Standard.

    • Information Security best practices, including NIST CSF.

    • Contractual agreements.

    • All other applicable federal and state laws or regulations.

  • Are reviewed no less than annually or upon significant changes to the information security environment.

DEFINITIONS

Cloud Computing Application: Cloud computing uses a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. Examples of cloud computing applications are Dropbox, Facebook, Google Drive, Salesforce, and Box.com.

Confidential Information: Confidential information is protected by statutes and regulations or is identified as confidential in college policies or contractual language and not otherwise subject to Wisconsin Public Records disclosure. Confidential information is sensitive, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only. Disclosure to parties outside the College must be authorized by executive management, approved by the Director of Information Technology and College General Counsel, or covered by a binding confidentiality agreement.

Examples of confidential information include:

  • College data shared and collected during a consulting engagement.

  • Financial information, including credit card and account numbers.

  • Social Security Numbers.

  • Personnel and payroll records.

  • Any information that government regulation identifies as confidential, or that is sealed by order of a court of competent jurisdiction.

  • Any information belonging to the College that may contain personally identifiable information.

  • Patent information.

Incident: An incident is any one or more of the following:

  • Violation of an explicit or implied College security policy.

  • Attempts to gain unauthorized access to a college information resource.

  • Denial of service to a college information resource.

  • Unauthorized use of college information resources.

  • Unauthorized modification of college information.

  • Loss of confidential or protected information.

Information Resource: An asset that, like other important business assets, is essential to an organization’s business and needs to be suitably protected. Information can exist in many forms, including hardware assets (e.g., workstation, server, laptop), digital form (e.g., data files stored on electronic or optical media), material form (e.g., on paper), and unrecorded information held as knowledge by Employees. Information may be transmitted by courier, electronically, or verbally. Whatever form information takes and however it is transmitted, it always needs appropriate protection.

Internal Information: Internal Information must be guarded due to proprietary, ethical, or privacy considerations and protected from unauthorized access, modification, transmission, storage, or other use. This classification applies even though no civil statute may require this protection. Internal information is restricted to personnel designated by Executive Leadership as having a legitimate business purpose for accessing such Information.

Examples of Internal Information include:

  • Employment Information.

  • Business partner information where a restrictive confidentiality agreement exists.

  • Planning documents.

Mobile Device: Computing devices intended to be easily moved and carried for the user's convenience and to enable computing tasks without respect to location. Mobile devices include, but are not necessarily limited to, mobile phones, smartphones, tablets, and laptops.

Penetration Test: A largely manual process that simulates a real-world attack to determine how far an attacker could penetrate the environment.

Personally Owned: Systems and devices that were not purchased or owned by the College.

Public Information: Public information is information that may or must be made available to the public. It is defined as information with no existing local, state, national, or international legal restrictions on access or usage. While subject to disclosure rules, public information is available to all Employees and to all individuals or entities external to the College.

Examples of public information include:

  • Publicly posted press releases.

  • Publicly available marketing materials.

  • Publicly posted job announcements.

Removable Media: Portable devices that can copy, save, store, and move information from one system to another. Removable media comes in various forms, including, but not limited to, USB drives, flash drives, read/write CDs and DVDs, memory cards, external hard drives, and mobile phone storage.

Vulnerability Scan: A vulnerability scan is an automated test run against external and internal network devices and servers. It is designed to expose potential vulnerabilities that malicious individuals could find and exploit.