IT-01000 Information Security Policy

Responsible Official: 
Chief Information Officer
Responsible Office: 
Information Technology
Effective Date:
January 1, 2017
Last Revision Date:
 December 28, 2016

Associated Policies

Policy Statement

All Portland Community College (PCC) employees, contractors, vendors, students and third-parties that create, use, maintain or handle PCC IT resources shall follow PCC’s Information Security Policy and related sub-policies. Policy shall be subject to and superseded by applicable regulations and laws.

Policy Exception

Policy exemptions to Information Security Policy IT-01000 through IT-01170 will be permitted only when approved in advance and in writing by the Information Security Manager (ISM) or Chief Information Officer (CIO).

Purpose

The Information Security Policy (ISP) consists of related policies IT-01000 through IT-01170. It applies to all users of PCC’s IT resources and supports the following goals:

  1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
  2. Ensure that PCC complies with all applicable laws and regulations.
  3. Ensure the integrity, reliability, availability and superior performance of IT resources.
  4. Ensure that users are protected from data breach and cybercrime.
  5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
  6. Prevent unauthorized disclosure of critical information.
  7. Prevent disruption of the learning experience.
  8. Ensure the college is protected from financial, legal, regulatory and reputational harm.
  9. Ensure that IT systems are used for their intended purposes.
  10. Establish processes for addressing policy violations and sanctions for violators.

General Use and Responsibilities

(See IT-02010 through IT-02110 for supporting policies)

  1. Maintain current knowledge of, and comply with, the contents of the ISP.
  2. Distribute confidential and sensitive information on a limited basis to those with a business need to know the information.
  3. Protect all PHI, PII, PCI and other regulated or proprietary data from unauthorized access.
  4. Notify the Information Security Department and/or the IT Helpdesk of any suspected breaches.

Policy Violation

  1. Violation of the ISP may result in disciplinary action, up to and including expulsion from student activities, and/or termination of employment
  2. PCC reserves the right to report violations of federal, state and local laws and regulations governing computer and network use, as well as interactions that occur on the Internet, to authorities as deemed appropriate.
  3. Users who violate the AUP may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to down time, fines and judgments imposed as a direct result of the violation.
  4. PCC reserves the right to deactivate a user’s access rights, whether or not the user is suspected of any violation of this policy, when necessary to preserve the integrity of IT Resources.

Complaint Procedure

Information Security and general AUP violations shall be reported to the Information Security Manager or Chief Information Officer.

Non-security related violations (such as receipt of inappropriate content, other Human Resources policy violations, general college policy violations or regulatory compliance violations) shall be reported to a supervisor, HR or EthicsPoint.

Related Governing Standards, Policies and Guidelines

  1. United States Department of Education Guidance Letter
  2. Family Educational Rights and Privacy Act (FERPA)
  3. Federal Information Security Management Act (FISMA)
  4. Gramm-Leach-Bliley Act (GLBA)
  5. FTC Red Flag Rule
  6. Health Insurance Portability and Accountability Act (HIPAA)
  7. International Organization for Standardization (ISO):
  8. National Institute Standards and Technology (NIST)
  9. Payment Card Industry Data Security Standard (PCI DSS)
  10. Sarbanes-Oxley (Sox) for Colleges and Universities

Definitions

Cybercrime
Criminal activity or a crime that involves the Internet, a computer system, or computer technology.
Data breach
An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. A data breach may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
ISP –
Information Security Policy defines how PCC’s IT resources shall be protected.
IT Resource –  
Information Technology resources are the property of PCC and include, but are not limited to all network related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video & web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP. IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
PCI – Payment Card Industry –
Data Security Standard. Promotes Payment Card Industry standards for the safety of cardholder data across the globe.
PHI –
Personal Health Information
PII – Personally Identifiable Information
any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).