POL 5.461 Written Information Security Program
1.0 Policy Statement
The Kirtland Community College Written Information Security Program (“WISP”) is intended as a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data maintained at the College and to comply with applicable laws and regulations on the protection of personally identifiable information and Nonpublic Financial Information, as those terms are defined below, found in records and in systems owned by the College.
2.0 Overview & Purpose
The WISP was implemented to comply with regulations issued by the Federal Trade Commission [16 CFR Part 314], and with our obligations under the financial customer information security provisions of the federal Gramm-Leach-Bliley Act (“GLB”) [15 USC 6801(b) and 6805(b)(2)].
In accordance with these federal laws and regulations, Kirtland Community College is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the college to affected individuals and appropriate state and federal agencies.
Kirtland Community College is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the College. Kirtland Community College has implemented a number of policies to protect such information, and the WISP should be read in conjunction with these policies that are cross-referenced at the end of this document.
The purposes of this document are to:
- Establish a comprehensive information security program for Kirtland Community College with policies designed to safeguard sensitive data that is maintained by the College in compliance with federal and state laws and regulations;
- Establish employee responsibilities in safeguarding data according to its classification level and
- Establish administrative, technical, and physical safeguards to ensure the security of sensitive data.
3.0 Scope
This Program applies to all Kirtland Community College employees, whether full- or part-time, including faculty, administrative staff, staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Kirtland Community College community (hereafter referred to as the “Community”). This program also applies to certain contracted third-party vendors (see section 4.6 for further information). The data covered by this Program includes any information stored, accessed or collected at the College or for College operations. The WISP is not intended to supersede any existing Kirtland Community College policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personal Information and Nonpublic Financial Information, as defined below. If such a policy exists and is in conflict with the requirements of the WISP, the other policy takes precedence.
3.1 Definitions
Data
For the purposes of this document, data refers to information stored, accessed, or collected at the College about members of the College community.
Data Custodian
A data custodian is responsible for maintaining the technology infrastructure that supports access to the data, safe custody, transport, and storage of the data, and provides technical support for its use. A data custodian is also responsible for the implementation of the business rules established by the data steward.
Data Steward
A data steward is responsible for the data content and development of associated business rules, including authorizing access to the data.
Personally Identifiable Information
Personally Identifiable Information (“PII”), as defined by U.S. Code of Federal Regulations 2 CFR 200.79, is the first name and last name or first initial and last name of a person in combination with any one or more of the following:
- Social Security number;
- Driver’s license number or state-issued identification card number;
- Financial account number (e.g., bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password; or
- Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
For the purposes of this Program, PII also includes a passport number, alien registration number, or other government-issued identification number.
Nonpublic Financial Information
The GLB Act (FTC 16 CFR Part 313) requires the protection of “customer information,” which includes any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with the College, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the College. For these purposes, NFI shall include any information:
- A student or other third party provides in order to obtain a financial product or service from the College;
- About a student or other third party resulting from any transaction with the College involving a financial product or service; or
- Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.
Examples of NFI include:
- Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
- Account balance information, payment history, overdraft history, and credit or debit card purchase information;
- The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
- Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
- Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account;
- Any information you collect through an Internet “cookie” (an information collecting device from a web server); and
- Information from a consumer report.
3.2 Data Classification
All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.
Confidential
Confidential data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a significant level of risk to Kirtland Community College or the Community. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.
Confidential data includes data that is protected by the following federal or state laws or regulations: 16 CFR 313 (Privacy of Consumer Financial Information), the Federal Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), General Data Protection Regulation (GDPR) (EU) 2016/679, and the FTC’s Red Flag Rules. Information protected by these laws includes, but is not limited to PII, NFI and Protected Health Information (PHI).
Restricted
Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of Kirtland Community College. Any non-public data that is not explicitly designated as Confidential should be treated as Restricted data.
Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), College financial and investment records, employee salary information, or information related to legal or disciplinary matters.
Restricted data should be limited to access by individuals who are employed by or matriculate at Kirtland Community College and who have legitimate reasons for accessing such data, as governed by FERPA or other applicable law or College policy. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.
Public (or Unrestricted)
Public data includes any information for which there is no restriction on its distribution, such as Directory Information, and where the loss or public use of such data would not present any harm to Kirtland Community College or members of the Kirtland Community College community. Any data that is not classified as Confidential or Restricted should be considered Public data.
4.0 Policy
4.1 Responsibilities
All data at the College is assigned a data steward according to the constituency it represents. Data stewards are responsible for approval of all requests for access to such data. The data steward for each constituency group is designated as follows:
| Type of Data | Data Steward* |
|---|---|
| Faculty | VP of Instructional Services |
| Staff | VP of Business Services |
| Student | Shared between the VP of Student Services/Registrar and Director of Financial Aid |
*The data steward may appoint a designee to serve in their place.
Information Technology Services (ITS) staff serve as the data custodians for all data stored centrally on the College’s servers and administrative systems and are responsible for the security of such data. For distributed data stored on departmentally run services, the department head or their designee serves as the data custodian, and ITS and the department share joint responsibility for securing the data.
Human Resources will inform ITS staff about an employee’s change of status or termination as soon as is practical but before an employee’s departure date from the College. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s access to College data.
Department heads will alert ITS at the conclusion of a contract for individuals that are not considered Kirtland Community College employees in order to terminate access to their Kirtland Community College accounts.
The ITS staff is in charge of maintaining, updating, and implementing this Program. The College’s Director of Information Technology has overall responsibility for this Program.
All members of the Community are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing sensitive data in compliance with this Program.
4.2 Identification and Assessment of Risks to College Information
Kirtland Community College recognizes that it has both internal and external risks to the privacy and integrity of College information. These risks include, but are not limited to:
- Unauthorized access of Confidential data by someone other than the owner of such data
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of Confidential data by employees
- Unauthorized requests for Confidential data
- Unauthorized access through hard copy files or reports
- Unauthorized transfer of Confidential data through third parties
Kirtland Community College recognizes that this may not be a complete list of the risks associated with the protection of Confidential data. Since technology growth is not static, new risks are created regularly. Accordingly, ITS will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group, and SANS for the identification of new risks.
Kirtland Community College believes the College’s current safeguards are reasonable and, in light of current risk assessments made by ITS, are sufficient to provide security and confidentiality to Confidential data maintained by the College. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.
4.3 Policies for Safeguarding Confidential Data
To protect College data classified as Confidential, the following policies and procedures have been developed that relate to access, storage, transportation, and destruction of records. For an overview of storage guidelines, see the Data Storage Guide.
Access & Storage
- Only those employees or authorized third parties requiring access to Confidential data in the regular course of their duties are granted access to this data, including both physical and electronic records.
- To the extent possible, all electronic records containing Confidential data should only be stored on the College’s on-campus secure network storage and not on local machines or unsecured servers.
- PHI may be stored or accessed through the Google Apps core suite (including Mail, Drive, Groups, Sites, Chat) as these apps are certified HIPAA compliant, provided that access to the PHI is appropriately restricted. This does not apply to Google consumer apps such as Google+, Hangouts, etc.
- Confidential data must not be stored on cloud-based storage solutions that are unsupported by the College (including DropBox, Microsoft OneDrive, Apple iCloud, etc.).
- Members of the Community are strongly discouraged from storing Confidential data on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). However, if it is necessary to transport Confidential data electronically, the mobile device containing the data must be encrypted.
- Paper records containing Confidential data must be kept in locked files or other secured areas when not in use.
- Upon termination of employment or relationship with Kirtland Community College, electronic and physical access to documents, systems or other network resources containing Confidential data is immediately terminated.
- Access to systems containing Confidential data requires multi-factor authentication (MFA) or, where MFA is not feasible, compensating controls approved by the Director of Information Technology, including separate accounts, network segmentation, and/or device location.
Transporting Confidential Data
- Members of the Community are strongly discouraged from removing records containing Confidential data off-campus. In rare cases where it is necessary to do so, the user must take all reasonable precautions to safeguard the data. Under no circumstances are documents, electronic devices, or digital media containing Confidential data to be left unattended in any unsecured location.
- When there is a legitimate need to provide records containing Confidential data to a third party outside Kirtland Community College, electronic records shall be password-protected and/or encrypted, and paper records shall be marked confidential and securely sealed.
Destruction of Confidential Data
- Records containing Confidential data must be destroyed once they are no longer needed for business purposes, unless state or federal regulations require maintaining these records for a prescribed period of time.
- Paper and electronic records containing Confidential data must be destroyed in a manner that prevents recovery of the data.
4.4 Policies for Safeguarding Restricted Data
- Access to Restricted Data should be limited to members of the Community who have a legitimate business need for the data.
- Restricted Data can be stored on Google Apps, Canvas, College network servers, and supported third-party and contracted services.
- Restricted data may be stored on cloud-based storage solutions that are unsupported by the College as long as they are in compliance with the requirements of any laws governing the protection of such data (e.g., FERPA).
- Documents containing Restricted Data should not be posted publicly.
4.5 Password Requirements
In order to protect College data, all members of the Community must select unique passwords that meet the following guidelines. A compliant password:
- Has at least 12 characters
- Contains at least two of the four character types: uppercase letters, lowercase letters, numbers, and special characters (e.g., @ $ # !)
- Does not contain repeated characters or a sequence of keyboard letters (e.g., qwerty, 12345, or yyy99)
- Does not contain any part of the user’s name, username, birthday, or Social Security number, or those of friends and family (e.g., Jill1030)
- Is not used on multiple services, sites, or applications
- Is not used for both College and personal accounts.
Members of the Community must protect the privacy of their passwords. Passwords must not be shared with others. If an account or password is suspected to have been compromised, all passwords should be changed immediately and the incident reported to the Kirtland Community College ITS department.
4.6 Third-Party Vendor Agreements Concerning Protection of Personal Information
Kirtland Community College exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PII provided by the College to them. The primary budget holder for each department is responsible for identifying those third parties providing services to the College that have access to PII. All relevant contracts with these third parties are reviewed by the Kirtland Community College ITS Department to ensure the contracts contain the necessary language regarding safeguarding PII. It is the responsibility of the primary budget holders to confirm that the third parties are required to maintain appropriate security measures to protect PII consistent with this Program.
4.7 Computer system safeguards
Kirtland Community College Information Technology Services staff monitor and assess safeguards on an ongoing basis to determine when enhancements are required. The College has implemented the following to combat external risk and secure the College network and systems containing Confidential Data:
- Secure user authentication protocols:
  - Unique passwords are required for all user accounts; each employee receives an individual user account.
  - All system and user accounts are locked after multiple unsuccessful password attempts.
  - Where possible, multi-factor authentication will be applied to all College web accessible services.
  - Computer access passwords are disabled upon an employee’s termination.
  - User passwords are stored in an encrypted format; root passwords are only accessible by system administrators.
- Secure access control measures:
  - Access to specific files or databases containing Confidential Data is limited to those employees who require such access in the normal course of their duties.
  - Kirtland Community College Information Technology Services staff regularly audit all server and computer system logs to discover, to the extent reasonably feasible, possible electronic security breaches, and to monitor the systems for possible unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of College data.
- Operating system patches and security updates are installed on all servers on a regular basis.
- Antivirus and anti-malware software is installed and kept updated on all workstations.
4.8 Employee Training
All administrative employees are required to complete security training on an annual basis. Any faculty, staff, student, or contract employee that has access to PII is also required to complete this yearly training. The training is strongly recommended for all employees.
4.9 Reporting Attempted or Actual Breaches of Security
Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PII, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the Director of Information Technology.
For more information about incident response, including specific procedures for responding to a breach, see the Kirtland Community College Data Incident Response Plan.
5.0 Enforcement
Any employee or student who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises Confidential or Restricted data without authorization, or who fails to comply with this Program in any other respect, may be subject to disciplinary action, which may include termination in the case of employees and expulsion in the case of students.
6.0 Policies cross-referenced
The following Kirtland Community College policies provide advice and guidance that relates to this Program:
- Acceptable Use of Technology
- POL 5.175 Employee Confidentiality
- POL 6.090 Student Records – Rights and Privacy
- POL 2.260 HIPAA Policy
7.0 Effective date
The College will review this Program at least annually and reserves the right to change, modify, or otherwise alter this Program at its sole discretion and at any time as it deems circumstances warrant.
Adopted May 25, 2023
Revised October 19, 2023