BP 8104 Paper and Electronic Media

Statement of Purpose

PCC’s Information Security Policies support the following goals:
1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
2. Ensure that PCC complies with all applicable laws and regulations.
3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
4. Ensure that users are protected from data breach and cybercrime.
5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
6. Prevent unauthorized disclosure of controlled sensitive data.
7. Prevent disruption of the learning experience.
8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
9. Ensure that IT systems are used for their intended purposes.
10. Establish processes for addressing policy violations and sanctions for violators.

It is the role of information security to protect controlled sensitive data, whether it be stored digitally on electronic media or physically on paper. How such data is eventually disposed of is as critical as protecting it when actively being used.

For example: last month’s payroll report containing social security numbers may no longer be useful from a business point of view, but it must still be disposed of securely – as the data it contains remains valuable to criminals.

In addition, it is not sufficient only protect data “in situ,” but to also protect access to the media on which it is stored. For example, open access to a data center would create huge risk to an organization.

Scope Statement

All Portland Community College (PCC) employees, students, and affiliates or other third parties that create, use, maintain, or handle PCC IT resources are subject to this policy. This policy applies to all media containing controlled sensitive data stored using PCC IT Resources, whether digital or hardcopy.

Policy Summary

Both electronic media and hardcopy materials containing controlled sensitive data shall be protected by appropriate access controls and disposed of in a secure manner.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

PHYSICAL & DATA CENTER SECURITY
Electronic media containing controlled sensitive data shall be protected by appropriate physical access controls:
1. Video cameras shall be used to monitor access areas.
2. Appropriate facility controls shall be used to limit and monitor physical access to systems that store controlled sensitive data.
3. Visitor logs of access to these systems shall be kept.
4. Records shall be retained for at least three months, unless otherwise restricted by law.

ELECTRONIC MEDIA
Electronic media containing confidential and/or private information (e.g., USB drives, CDs, DVDs, floppy disks, hard disks, tapes, etc.) are subject to the following storage procedures:
1. Electronic media containing controlled sensitive data shall not be removed from any PCC data center or computer room without prior authorization from the CISO.
2. Portable electronic media containing controlled sensitive data shall be physically controlled and secured by the user at all times.
3. Portable electronic media containing controlled sensitive data shall be clearly labeled as such.
4. Portable electronic media containing controlled sensitive data shall be stored securely.
5. Electronic media is minimally required to be FIPS-2 encrypted to hold controlled sensitive data.

HARDCOPY MEDIA
Hardcopy materials containing controlled sensitive data (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage procedures:
1. All controlled sensitive data, if removed from any PCC-secured office environment, shall remain in the possession of the PCC employee at all times.
2. Printed reports containing controlled sensitive data shall be physically retained, stored, or archived only within secure PCC office environments and only for the minimum time deemed necessary for their use.
3. Confidential and/or private hardcopy material shall never be stored in unlocked or unsecured containers or open workspaces.
4. All hardcopy material containing controlled sensitive data shall be clearly labeled as such.
5. In instances where a third party is used to deliver any media containing confidential or private data it shall be a secured courier or use delivery methods that can be accurately tracked and that has been approved by the CISO.

STORAGE & DISPOSAL
1. All electronic and hardcopy media within the Data Center containing controlled sensitive data shall be archived in secure storage locations and inventoried quarterly by the CISO, server managers, and department managers.
2. Electronic media shall be destroyed as prescribed in the Data Retention and Disposal policy.
3. All hardcopy shred bins shall remain locked at all times (until shredding). Employees shall cross-cut shred any printed materials containing confidential and/or private information.

Exemptions

None

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO) / Chief Information Security Officer (CISO)

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

Access Control
The selective restriction of access to a place or computing resource for security purposes.

The act of accessing may mean consuming, entering, or using. For example, the lock on your front door is an access control mechanism to limit who can enter your house. Similarly, entering a user ID and password restricts access to your computer account.

Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.

At PCC, the CIO is responsible for all technology, with the exception of:
– Online Learning (Academic Affairs)
– Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
– Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)

Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

DVD
A type of compact disk able to store large amounts of data, especially high-resolution audiovisual material.

Electronic Media
Technology that stores and accesses data in electronic form.

In contrast to static media (e.g. print media). Digital Content is stored on Electronic Media.

Federal Information Processing Standard (FIPS)
U.S. government standard for information technology and computer security.

The FIPS program is run by the National Institute of Standards and Technology (NIST). NIST FIPS 140 is the cryptography standard program required by the U.S. federal government for protection of sensitive data.

Floppy Disk
(aka floppy, diskette, or just disk). An older type of disk storage (not used today).

Composed of a disk of thin and flexible magnetic storage medium, sealed in a rectangular plastic enclosure lined with fabric that removes dust particles.

Hard Disk
A data storage device that uses magnetic storage to store and retrieve digital information using one or more rigid, rapidly rotating disks (platters) coated with magnetic material.

Hardcopy
A printed version on paper of data held in a computer.

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Information Security Manager (ISM)
(aka Associate CISO) Manager of the PCC Information Security team, reporting to the CIO and/or CISO.

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

Third Party
(In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”

USB “Thumb” Drive
A portable data storage device that includes flash memory. Has a USB connector that plugs into the USB socket on a computer.

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO)

Responsible Office

IT Information Security

Last Revision Date

09-27-2018