Portland Community College | Portland, Oregon

BP 8100 Change Control

Statement of purpose

PCC’s Information Security Policies support the following goals:

  1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
  2. Ensure that PCC complies with all applicable laws and regulations.
  3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
  4. Ensure that users are protected from data breach and cybercrime.
  5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
  6. Prevent unauthorized disclosure of controlled sensitive data.
  7. Prevent disruption of the learning experience.
  8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
  9. Ensure that IT systems are used for their intended purposes.
  10. Establish processes for addressing policy violations and sanctions for violators.

A Change Control Board (CCB) and Change Management Procedure (CMP) are necessary to ensure the integrity and availability of the production environment. All changes to production introduce risk, and this policy ensures that software and system configuration changes are reviewed and verified prior to implementation.

Scope statement

This policy applies to the PCC production system operating environment. Accountable and responsible individuals are the CIO, CISO and IT operations management. For PCC systems supported and maintained by third parties, such parties are also subject to this policy.

Policy summary

PCC shall operate an Information Technology (IT) Change Control Board (CCB) and enact an Information Technology Change Management Procedure (CMP).

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

  1. The CCB shall review and approve proposed changes to system components in the production environment (outside the scope of typical operational maintenance).
  2. The CMP shall include steps for reviewing the impact of changes and identifying risks.
  3. The CMP shall include descriptions of back-out procedures, and shall require approval from appropriate CCB managers.
  4. In addition to functional validation, security features shall be tested (as feasible) and documented with each change to ensure security features are properly functioning and are not impacted by the change.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Policy violation

  1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
  2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
  3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
  4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing standards, policies, and guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

  • Back-out
    (aka “roll back”) The procedure for undoing a production change in the event of failure or unanticipated issues. The back-out will restore the system to its original state.
  • Change Control Board (CCB)
    A committee within the Information Technology (IT) Department designed to minimize risk to the normal operations of the college’s technology.

    • The CCB makes decisions regarding whether proposed changes to the production operating environment should be implemented. This could include new program code, network or firewall configurations, new project “go live”, etc.
  • Chief Information Officer (CIO)
    Senior manager of the Information Technology (IT) Department and a member of Cabinet.

    • At PCC, the CIO is responsible for all technology, with the exception of:
      • Online Learning (Academic Affairs)
      • Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
      • Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
  • Chief Information Security Officer (CISO)
    Senior manager responsible for information security compliance at PCC.
  • Production Environment (PROD)
    The technology environment where software and other products are actually put into operation for their intended uses by end users.

    • This is a highly controlled and monitored environment and separate from the development, test, or other environments where software is not intended for production use.
  • Software
    A set of instructions that tells a computer what to do.

    • Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. The most common software consists of applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.
  • System
    (In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

    • The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
  • User
    Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible executive

Chief Information Officer

Responsible officer

Chief Information Security Officer (CISO)

Responsible office

IT Information Security

Last revision date

08-22-2018