The purpose of this document is to formally establish an Information Security Program within Metropolitan Community College (MCC). Federal laws, state statutes, and contractual obligations protect some MCC information from unauthorized use or disclosure. The exposure of sensitive information could subject MCC to fines or government sanctions. The unavailability of information assets impairs MCC’s ability to do business and/or exposes MCC to asset losses.
All users of MCC systems are responsible for protecting resources and the information processed, stored or transmitted, as set forth in this Information Security Program.
A formal information security program guided by the Information Security Steering Committee, consisting of the Director of Information Technology (IT) Network Services and the Director of Management Information Systems (MIS), has been established within MCC. Individuals within the information security organizational structure and identified project teams of the program are empowered to research, develop, implement, and disseminate procedure memorandums, standards, guidelines, operational procedures, and other processes to support effective information security practices.
The goal of the Information Security Program is to ensure that the security, confidentiality, integrity, and availability of information stored and transmitted at MCC are protected appropriately, and to ensure that MCC:
- Establishes a college-wide approach to information security, including appropriate security awareness training and education, and principles generally accepted as ‘due diligence’ within the higher education community.
- Complies with federal laws, state statutes, and contractual obligations regarding the collection, maintenance, use, and security of information assets.
- Identifies roles, responsibilities, and duties for management, the network security engineer, and employees with respect to the handling and protection of information assets.
- Develops efficient and effective processes and procedures for the confidentiality, availability and integrity of information assets.
- Defines a risk management framework, risk assessment and analysis methodologies, and risk management processes.
- Performs threat and vulnerability analysis, keeping current with new threats, establishes a risk register to manage risks, and mitigates risks.
- Designs security architecture.
- Implements a change management program, procedures, and processes.
- Develops an audit plan to evaluate the effectiveness of the information security program and to ensure the confidentiality, integrity, and availability of information assets.
- Develops security metrics and reporting mechanisms to identify the areas of concern, and track the progress of the information security program.
- Creates effective mechanisms for responding to incidents involving breaches, disaster recovery or IT security related incidents.
- Reviews and improves the Information Security Program.
It is the intent of Metropolitan Community College that College information assets must be available to the College community, protected commensurate with their value, and administered in conformance with applicable laws, contractual agreements, and College policies. Reasonable measures shall be taken to protect these assets against accidental or unauthorized access, disclosure, modification, or destruction, as well as to reasonably assure the confidentiality, integrity, availability, and authenticity of information assets. Reasonable measures shall also be taken to reasonably assure the availability, integrity, and utility of information systems and the supporting infrastructure. Students, authorized contractors, and employees who willfully disregard the Metropolitan Community College information security statement above do so at their own risk. Examples of applicable laws, contractual agreements, and College policies include:
- Federal Education Rights Privacy Act (FERPA)
- Payment Card Industry Data Security Standards (PCI-DSS)
- Red Flag Rule - Identity Theft Prevention Program Procedures Memorandum (PM) X-30
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLB)
- Nebraska Data-Security Law
MCC specifically prohibits unauthorized access to, tampering with, deliberately introducing inaccuracies to, or causing loss of MCC information assets. It also prohibits using information assets to violate any law, commit an internal breach of confidentiality or privacy, compromise the performance of systems, damage software, physical devices or networks, or otherwise sabotage MCC information assets.
MCC protects its information assets from threats and exploits, whether internal or external, deliberate or accidental. The degree of protection is based on the nature of the resource and its intended use. MCC recognizes that no single procedure memorandum, standard, or procedure provides absolute security; therefore, all MCC faculty, staff, consultants, contractors, and other stakeholders share responsibility to minimize risks and to secure the information assets within their control.
Compliance with information security procedure memorandums, standards, and operating procedures is mandatory for all staff.
Security Steering Committee Responsibilities
- Develops and publishes new or updated PMs which are approved by the president’s cabinet.
- Develops, approves and publishes new or updated standards, guidelines, and operating procedures.
- Develops procedures that support the objectives for confidentiality, integrity and availability by working with the appropriate information custodians and ensures that those procedures are followed.
- Acts as a liaison with academic and business groups to ensure the fulfillment of the Information Security Program.
- Provides guidance and support for information security controls and processes.
- Reports the security posture to the Vice President of Technology and Administrative Services.
- Reviews and assigns resources for internal and external audits to assess the effectiveness of the information security controls.
- Ensures that each staff member understands their information security related responsibilities and acknowledges that they understand and intend to comply with those requirements.
- Provides support for data classifications, risk analysis, audits, and disaster recovery plan.
- Supports information security training and awareness programs and provides advice and guidance to personnel requiring clarification on IT PMs, standards, and operating procedures.
Network Security Engineer Responsibilities
- Coordinates the development of information security policies, standards, and procedures, and updates due to changes in security and privacy legislation, regulations, and new risks.
- Coordinates the development and delivery of security awareness and privacy training.
- Serves as the college compliance officer. Prepares and submits reports to external agencies.
- Serves as the contact point for information security and privacy infringement incidents.
- Develops and implements an ongoing risk assessment program.
- Responsible for periodic vulnerability and penetration testing.
- Serves as the contact point for external auditors and agencies.
- Responsible for updating the security steering committee and ITS & MIS Staff on new legislation, regulations, advisories, alerts, and vulnerabilities.
- Maintains the college information technology disaster recovery plan.
- Monitors and maintains applications for network security.
- Works with internal and external audit to assess the effectiveness of the information security controls.
User Responsibilities
- Each individual who has access to information owned by or entrusted to MCC is expected to know and understand its security requirements and to take measures to protect the information in a manner that is consistent with the requirements defined in the Data Classification Standard and Information Classification and Handling Standard. If an authorized user is not aware of the security requirements for information, it must be considered confidential until its requirements can be determined.
- Individuals must be diligent in protecting physical keys and ID access cards against theft, and computer and network accounts against unauthorized use. Passwords should never be shared or stored in a location that is easily accessible by others. Any stolen keys, ID cards, or compromised accounts should be reported to the area Director or Dean immediately.
- Individuals who receive investigative subpoenas, court orders and other compulsory requests from law enforcement agencies that require the disclosure of MCC held information should contact the Director of Labor Relations-General Counsel.
- Individuals who come across any evidence that information has been compromised, or who detect any suspicious activity which could potentially expose, corrupt, or destroy information, must report it to the Incident Response Team. No one should take it upon themselves to investigate the matter further without the authorization of a member of the Incident Response Team.
- Requests for information about a current or former student should be directed to Academic Affairs.
All information security exceptions introduce additional business risk to the College. Exceptions must be approved by the IT Security Steering Committee, documented, and added to the risk register. Information security controls are used to mitigate information security risk, prevent loss or compromise of information, protect availability, and promote information security awareness across the College.
Failure to Comply
- A user-community employee or student member who persistently, negligently or deliberately abuses information technology resources is subject to disciplinary action. (Reference Procedures Memorandums V-4, Student Conduct and Discipline and VI-24, Discipline and General Work Expectations for College Staff.) Every member of the College user-community has an obligation to report suspected or known violations. Such reports should be made to the appropriate supervisor, educational or administrative area.
- The College may restrict, prohibit or deny the use of all or any part of its information resources in response to violations of property rights or interests, College policies, or state or federal laws. If deemed warranted, the College may also institute and impose any other disciplinary action considered appropriate by the College. (Reference Procedures Memorandums V-3, Grievance Procedures for Alleged Discrimination – Students and VI-4, Grievance Procedures for College Staff.)
The means of protecting information and information systems/networks from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction.
Includes a formal, brief, and high-level statement or plan that embraces MCC’s general beliefs, goals, and objectives, and acceptable procedures for the specified subject area.
A mandatory action or rule designed to support and conform to a procedure memorandum, which includes a set of specific requirements that must be met. Ensures that the handling of information assets is aligned with the Information Security Program.
General recommendations that provide a framework for implementation and define MCC’s preferred technologies. Following guidelines is not mandatory, but they define MCC’s best practices.
A series of steps to accomplish an end goal. Supports the PM and eliminates the problem of a single point of failure (an employee suddenly leaves or is unavailable).
Focuses on MCC’s position on new technologies before MCC may adopt or officially support them, or in some cases decline to support them.
Information Security Steering Committee