Information Security Program Standard

1.0 Reference
This standard supports Portland Community College’s privacy policies regarding: ORS 341.290 [17]; Student Records (B407); Confidentiality; the Solomon Act; the Family Educational Rights and Privacy Act of 1974 (Statute: 20 U.S.C. 1232g; Regulations: 34 CFR Part 99), also known as the Buckley Amendment; the Oregon Identity Theft Protection Act (Oregon Revised Statute 646A.600); the Portland Community College Information Classification Standard; the HIPAA Privacy Notice; the Fair and Accurate Credit Transactions Act of 2003 (FACTA); and the Payment Card Industry Data Security Standard (PCI-DSS).
2.0 Overview
Confidentiality and privacy, integrity, and availability of information are components of a comprehensive information security program. This standard identifies the program objectives, roles, and governance of the PCC Information Security Program. The Information Security Program strives for a balance between PCC’s desire to promote and enhance the free exchange of ideas and its need for security of critical information, privacy and systems.
Portland Community College is committed to high standards of excellence for protection of privacy, information assets and information technology resources that support the College enterprise. PCC processes, stores, and transmits an immense quantity of electronic and paper-based information to conduct its academic and business functions. Without the implementation of appropriate controls and security measures, the mission and members of PCC are at risk due to a breach of confidentiality or privacy, and the daily operations are subject to interruption.
3.0 Purpose
The purpose of this standards document is to identify and disseminate PCC’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing critical information.
4.0 Scope
These standards apply to all information assets of Portland Community College. Each faculty and staff member, trainee, student, vendor, volunteer, contractor, or other affiliate of PCC with access to institutional information is subject to and has responsibilities under these standards.
5.0 Information Security Program
PCC shall establish an Information Security Program (Program) in conformance with this standard. In order to achieve a safe academic and professional information environment, the program shall employ a comprehensive set of strategies that include a range of related technical and non-technical measures. The Program should guide the strategic deployment of a consistent and multilayered information security environment at each campus.
The Program shall include:
5.1
Risk assessment strategies to identify vulnerabilities and threats to departmental information resources as well as major enterprise systems,
5.2
A security program that includes recommendations for administrative, technical, and physical security measures to address identified risks relative to their sensitivity or criticality,
5.3
Incident response planning and notification procedures,
5.4
Appropriate review of third-party agreements for compliance with federal and state law and PCC policy and standards.
5.5
To implement security at the appropriate level, establish guidelines for legal/regulatory compliance, and reduce or eliminate conflicting standards and controls over data, data will be classified into one of the following categories:
6.0 Roles
Responsibility for Portland Community College’s comprehensive enterprise information security program is delegated to the following groups and individuals.
Information Security Manager
The official responsible for directing implementation of the enterprise information security program. The Information Security Manager (ISM) will:
  • Coordinate the development and maintenance of information security policies and standards.
  • Develop Information Security solutions based on PCC’s mission and strategic plan with balance between access to information, security, and budgetary restraint.
  • Coordinate investigation and resolution of security incidents, in conjunction with Information Incident Response Team.
  • Assist Information Trustees in assessing their data for risk classification and advise them of available controls.
  • Implement a Security Awareness Training Education (SATE) program.
  • Serve on the Information Security and Privacy Committee, Internal Audit, and PCC Legal Services.
  • Provide consulting services for information security throughout PCC.
Information Security Analyst (ISA) - VACANT
This position is not currently funded. If resources permit, the ISA is the individual who acts as a liaison for timely and relevant information flow between Network Services, Server Administration, Campus Teams, and information security personnel. The Security Analyst will:
  • Manage security specific hardware and software. Examples include:
    • Intrusion Detection/Prevention System
    • Security Information Management console
    • Vulnerability Management System devices
    • Security Virtual Test environment
  • Receive all security vulnerability reports for departmental/unit computer systems and disseminate such information to appropriate technical staff for resolution.
  • Work with Network, Server, and Desktop Services technicians when building granular security controls.
  • Work with the ISM to analyze security logs when needed.
  • Receive network alerts, outage notifications, or other networking issues affecting the department/unit and disseminate such information to appropriate staff.
  • Serve as alternate Information Incident Commander for security incidents when the ISM is not available.
Internal Audit Function
The responsibility of the Internal Audit function is to perform periodic compliance checks to ensure that all parties are performing their assigned duties and that information security requirements are being consistently observed. Internal Audit informs senior management, ensuring that internal controls, including those related to information security, are consistent with both the Board of Directors’ expectations and PCC goals.
Information Security and Privacy (ISAP) Committee
The Information Security and Privacy (ISAP) Committee prioritizes Portland Community College’s information security and privacy-related standards, procedures, and standards development initiatives. The Committee recommends strategic direction for campus information security and privacy-related work.
The Committee is charged with oversight of PCC’s information security and privacy programs to ensure constituent bodies remain informed of significant initiatives that may affect their stakeholders. The ISAP also functions as an advisory group for the OTAC on matters of information security and privacy technology projects.
  • Develop, clarify, and review college-wide information security and privacy standards and procedures as a foundation of the Information Security and Privacy Program. This includes submitting standards to PCC legal counsel for review and approval.
  • Provide a forum for open and honest dialog for ISAP members to discuss how issues of security and privacy affect the College.
  • Work with their stakeholders to ensure that front-line staff members are aware of privacy and security standards and the procedures to implement them. (For example, make sure that employees receive training on privacy issues and PCC’s responsibilities.)
  • Provide suggestions and issues for awareness messages, training and education including key themes, messages, and medium for delivery.
  • Perform an annual performance assessment of information security and privacy programs including written assessment report with recommendations for improvements.
Security Sub-Committee
The Security Sub-Committee is the technical security component of the ISAP Committee. The subcommittee’s mission is to develop information security and privacy-related standards and procedures that are department-specific, with a focus on information technology.
The subcommittee develops standards, procedures, and checklists primarily for back-end technology issues that do not directly impact the operations of PCC. It also recommends information security and privacy technology projects to the ISAP and Intake Committees. Specific duties of the Security Sub-Committee include:
  • Develop, implement, and review technology-centric information security and privacy standards and procedures.
  • Provide advisory support to the ISAP.
  • Recommend technological solutions to security issues faced in the College.
  • Identify gaps in the technical controls of the Information Security Program and make recommendations to address them.
Data Trustee
The Data Trustee is a senior college official (or designee) who has planning and high-level responsibility for the data assets within their functional area. Data Trustees are ultimately responsible for the accuracy and protection of data in their areas. Responsibilities include:
  • Approve business use of information.
  • Identify a Data Steward for each segment of information under his/her control.
  • Ensure implementation of standards and procedures for guaranteeing the confidentiality, integrity, and availability of information, including:
    • Risk assessment
    • Data backup plan
    • Disaster recovery and business continuity planning
    • Emergency mode operation
  • Determine security classification of each segment of information as described in the Information Classification Standard.
  • Define departmental access roles and assign access for individuals based on their need to know.
  • Ensure that all department/team personnel with access to information assets are trained in relevant security and confidentiality policies and procedures.
  • Ensure the protection of information assets under his/her control, including:
    • Identify and document all CONFIDENTIAL information assets containing personally identifiable information, in any medium.
    • Ensure compliance with federal and state laws and PCC policy regarding the use of personally identifiable information in directed communication/solicitation.
Data Steward
As designated by the Data Trustee, the official (and his/her staff) who has operational-level responsibility for the capture, maintenance, and dissemination of a specific segment of information. This may include oversight of the installation, maintenance, and operation of hardware and software platforms. The Data Steward will:
  • Define and implement processes for assigning User access codes (using access profiles prepared for that use), revoking User access privileges, and setting file protection parameters.
  • Implement data protection and access controls established by the institutional policy.
  • Act as liaison for the department to the Computer Incident Response Team.
  • Define and implement procedures for backup and recovery of information.
  • Ensure processes are in place for the detection of security violations.
  • Monitor compliance with information security standards.
  • Limit physical access to information assets, including:
    • Equipment control (into and out of office).
    • Authorization procedures prior to physical access.
    • Maintenance records.
    • Physical access control for visitors and escort, if appropriate.
  • Maintain records of those granted physical access to information assets if appropriate.
  • Provide special handling and protection for critical information assets, including:
    • Ensure that operating and maintenance personnel are given access necessary to perform system maintenance responsibilities without compromising CONFIDENTIAL information.
    • Ensure that authorized, knowledgeable persons supervise personnel performing maintenance activities related to CONFIDENTIAL information assets.
Support Technician
Any individual, including faculty, staff and students, who has administrator rights to a network, hardware, or software system connected to the PCC network. This individual works under the direction of the Information Steward(s) in the department they support. The Support Technician will:
  • Receive all security vulnerability reports for the systems they administer and disseminate such information to appropriate technical staff for resolution.
  • Receive network alerts, outage notifications, or other networking issues affecting their systems and disseminate such information to appropriate staff.
  • Coordinate response to computer security incidents.
  • Report any known or potential security violations to either their manager or to the Information Security Manager.
Data Originator
Any individual with the authority to create records, databases, or sensitive INTERNAL information. Originators have Original Classification Authority (OCA) to set the initial classification level of a piece of information they create in whole or in part. Only Data Trustees have the authority to revise a classification level. Note: Data Originators do not have the authority to downgrade CONFIDENTIAL Information since the protections required are usually the result of legal or contractual requirements. Data originators will:
  • Use the Information Security Classification Standard to categorize new information sources.
  • Identify and mark documents that contain critical information in order to prevent unauthorized disclosure.
  • Disseminate data to others only when authorized.
  • Become familiar with security standards pertaining to assigned duties.
  • Notify Data Steward of the creation or discovery of previously unknown critical information.
Authorized Information User
Individuals who have been granted access to and/or the ability to update/create specific information assets in the performance of their assigned duties are considered Authorized Information Users (Users). Users include, but are not limited to, faculty and staff members, trainees, students, vendors, volunteers, contractors, and other affiliates of Portland Community College. Users will:
  • Seek access to data only through the authorization and access control process.
  • Access only the data they need to know to carry out their job responsibilities, and be accountable for their actions relating to security.
  • Disseminate data to others only when authorized.
  • Report access privileges inappropriate to job duties to the Data Steward or Trustee for correction.
  • Attest in writing to knowledge of and compliance with security and confidentiality policies and procedures prior to accessing protected information.
  • Report any known or potential security risks or violations to either their manager or to the Help Desk.
  • Not bypass or disable security controls.
7.0 Enforcement
Any employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment. Any non-PCC employee using PCC’s network services found to have violated this standard may have their access terminated. Depending on circumstances, students may be subject to disciplinary action.
Any user who violates this standard may be held liable for damages to PCC assets, which may include, but are not limited to, the loss of information, computer software and hardware, lost revenue due to downtime, and fines and judgments imposed as a direct result of the user’s failure to adhere to this standard.
8.0 Definitions
Authentication –
Process of verifying one’s digital identity. For example, when someone logs into myPCC, the password verifies that the person logging in is the owner of the account. The verification process is called authentication.
Authorization –
Granting access to resources only to those authorized to use them.
Availability –
Ensures timely and reliable access to and use of information.
Confidentiality –
Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity –
Guards against improper modification or destruction of information, and ensures non-repudiation and authenticity.
Sensitivity –
Indicates the required level of protection from unauthorized disclosure, modification, fraud, waste, or abuse due to potential adverse impact on an individual, group, institution, or affiliate. Adverse impact could be financial, legal, or on one’s reputation or competitive position. The more sensitive the data, the greater the need to protect it.
Criticality –
Indicates the data’s level of importance to the continuation of normal operation of the institution, or for compliance with law. The more critical the data is, the greater the need to protect it.
Data User -
Data users are individuals who need and use PCC data as part of their assigned duties or in fulfillment of assigned roles or functions within the PCC community. Individuals who are given access to sensitive data hold a special position of trust, are responsible for protecting the security and integrity of those data, and should exercise due care in accessing the institution's information systems and in protecting files from unauthorized use, disclosure, alteration, or destruction. Each person is responsible for the security, privacy, and control of his/her own data.
Data Originator-
Originators have Original Classification Authority (OCA) to set the initial classification level of a piece of information they create in whole or in part. Only Data Trustees have the authority to revise a classification level. Note: Data Originators do not have the authority to downgrade CONFIDENTIAL Information since the protections required are usually the result of legal or contractual requirements.
Data Steward-
Data Stewards are PCC officials having direct operational-level responsibility for information management – usually department managers, and designated system analysts. Data Stewards are responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees, and implementing and administering controls over the information.
Data Trustee-
Data Trustees are senior PCC officials (or their designees) who have planning and high-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Data Trustees are ultimately responsible for the accuracy and protection of data in their areas. Responsibilities include assigning data stewards, participating in establishing standards, practices, and accountability.
Owner -
The department, division, or other administrative unit that is directly responsible for the management and maintenance of the computer and/or computer storage device or media.
Policy -
An overall general statement of principle that provides scope and direction that is technology agnostic. Policies that impact Information Security and Privacy are implemented by the PCC Board of Directors.
Standard -
Mandatory activities, actions, rules, or regulations, usually technology agnostic. A “baseline” defines the minimum standard that must be met. Standards are created by cross-department committees consisting of subject matter experts and individual departments.
Guidelines -
Recommended actions and operational guides to users, technical staff, operations staff, and others when a specific standard does not apply. Guidelines are not necessarily technology agnostic. They can vary in size and complexity. Although not specifically mandatory by themselves, a standard may call for the mandatory compliance with specific guidelines. Guidelines are created by cross organizational working groups, departments, functional teams, and project teams consisting of subject matter experts.
Procedures -
Detailed specific tasks that should be performed to achieve a certain goal or process and are often dependent on the technology being implemented. Procedures are often created by local or departmental groups and are shared when needed.
Best Practices -
These consist of ideal practices to users, IT staff, operations staff, and others based on benchmarking, research, testing, and previous experience by a credible source. Best practices represent the activities performed under ideal circumstances and may not always be practical for an operational environment. Best Practices are considered to be the lowest level in the governance hierarchy tree.
PCC Data –
Any data related to Portland Community College (“PCC”) functions that is a) stored on PCC information technology systems, b) maintained by PCC faculty, staff, or students, or c) related to institutional processes on or off campus.