Portland Community College | Portland, Oregon Portland Community College

BP 8114 Risk Management

Statement of purpose

PCC’s Information Security Policies support the following goals:

  1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
  2. Ensure that PCC complies with all applicable laws and regulations.
  3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
  4. Ensure that users are protected from data breach and cybercrime.
  5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
  6. Prevent unauthorized disclosure of controlled sensitive data.
  7. Prevent disruption of the learning experience.
  8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
  9. Ensure that IT systems are used for their intended purposes.
  10. Establish processes for addressing policy violations and sanctions for violators.

Information Security is about managing risk. The only truly secure asset is one that is completely inaccessible – therefore, the Chief Information Security Officer (CISO) and the information security team are constantly evaluating business need against security risk.

It is also necessary to clearly articulate risk so that senior management have all the information they need to make sound decisions regarding whether to accept the risk or invest in risk mitigation activities.

The Information Security Risk Management Program is part of the overall Portland Community College (PCC)/IT Risk Management Program and has as its purpose to prevent, detect, contain, and correct both deliberate and inadvertent IT security incidents.

This policy recognizes this and requires that PCC has a clearly identified approach to identifying, evaluating, and mitigating information security risk.

Scope statement

This policy applies to all known and potential information security risks at PCC.

Impacted personnel are all staff, faculty, and students, as well as vendors, affiliates, and any other external party that could pose data or operational risk to the College.

Policy summary

The CISO shall document and implement a risk management program to prevent, detect, contain, and correct both deliberate and inadvertent Information Technology (IT) security incidents and emergencies and comply with regulatory expectations.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

Goals
  1. Using risk assessment methodologies, the PCC Information Security Department shall implement a combination of policies, procedures, and physical measures to sufficiently reduce (mitigate) the vulnerabilities and risks to a reasonable level in compliance with PCC’s standards, as well as governmental requirements (GLBA, HIPAA, FERPA, NIST, ISO).
  2. Using various analytic efforts, the CISO shall identify and rank risks in order to estimate total overall risk and IT Risk Profile.
  3. All IT security protocols shall be evaluated in terms of risk vs. cost to further mitigate risk prior to determining a final decision on expenditure of funding.
Security risk assessment
  1. After potential Information Security risks are identified, analyses of the risks shall be conducted to prepare an accurate and thorough assessment of their impacts on the confidentiality, availability, and integrity of the College’s sensitive information.
  2. Risks shall be ranked in order of their likelihood to happen, likelihood of success if attempted, and the consequences of their occurrence.
  3. Risks shall be defined in a format compatible with that used and described within the IT Defense In Depth and Incident Response plans.
Vulnerability assessment
  1. IT leadership shall review quarterly security reports provided by the Information Security team.
  2. Vulnerabilities shall be presented and discussed.
Security risk mitigation

The PCC Information Security Office shall implement a combination of policies, procedures, and physical measures to sufficiently reduce (mitigate) the vulnerabilities and risks to a reasonable level in compliance with PCC standards, as well as governmental requirements.

Risk audit
  1. Self-audits and activity reviews shall be conducted within IT.
  2. The IT Information Security Office shall constantly monitor the identified PCC IT Risk Profile to measure and refine its effectiveness.
  3. The CISO shall respond to any risk-related requests from the PCC Internal Auditor.
Security incident response and reporting
  1. Event logs shall be collected in a centralized location on secure media that is difficult to alter and is protected from unauthorized access for protected services, such as HIPAA, FERPA and PCI data.
  2. Access to the event logs shall be on a need-only basis.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Security Officer (CISO).

Policy violation

  1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
  2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
  3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
  4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing standards, policies, and guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

  • Chief Information Security Officer (CISO)
    Senior manager responsible for information security compliance at PCC.
  • Controlled Sensitive Data (CSD)
    A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

    • CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.
  • Cybercrime
    Criminal activity or a crime that involves the Internet, a computer system, or computer technology.
  • Data Breach
    Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.

    • Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. PCC legal council recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.
  • Family Education Rights and Privacy Act (FERPA)
    A Federal law that protects the privacy of student education records.

    • FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  • Gramm Leach Bliley Act (GLBA)
    A federal government regulation to which PCC is required to adhere and that imposes strict requirements regarding information security.

    • Also known as the Financial Services Modernization Act of 1999, (Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999) is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. Has since been expanded to any institution that processes federal funds (e.g. student financial aid).
  • Hardware
    The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)
  • Health Insurance Portability and Accountability Act (HIPAA)
    A federal government regulation to which PCC is required to adhere and that imposes strict information security requirements regarding the protection of medical records.

    • Enacted by the United States Congress and signed by President Bill Clinton in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
  • IT Resource
    (At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

    • IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
  • National Institute of Standards and Technology (NIST)
    A measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
  • Risk Profile
    An evaluation of an individual or organization’s willingness to take risks, as well as the threats to which an organization is exposed.
  • Software
    A set of instructions that tells a computer what to do.

    • Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. Most common softwares are applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.
  • System
    (In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

    • The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
  • User
    Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible executive

Chief Information Officer

Responsible officer

Chief Information Security Officer (CISO)

Responsible office

IT Information Security

Last revision date

10-14-2019