Written Information Security Program

created: Jan-2014
steward: Chief Information Technology Officer
last revised: Oct-2020
next review date: Oct-2021

Procedure Statement
The Richland Community College Written Information Security Program (“WISP”) is intended to complement the College’s Confidential and Sensitive Information procedures, to safeguard all confidential and restricted data maintained at the College, and to comply with applicable laws and regulations on the protection of personal information and non-public financial information, as those terms are defined below, found in records and in systems owned by the College.

Overview & Purpose
The WISP was implemented to comply with applicable information security regulations issued by the United States Department of Education, the State of Illinois, the Federal Trade Commission, and any other governmental bodies who have the authority to issue such regulations onto the College. In accordance with these federal and state laws and regulations, Richland Community College is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the college to affected individuals and appropriate state agencies.

Richland Community College is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the College. Richland Community College has implemented a number of policies to protect such information, and the WISP should be read in conjunction with these policies, which are available in the College’s Board Policy Manual. The purposes of this document are to:

  • Establish an information security program for Richland Community College with policies designed to safeguard sensitive data that is maintained by the College, in compliance with federal and state laws and regulations;
  • Establish employee responsibilities in safeguarding data according to its classification level; and
  • Establish administrative, technical and physical safeguards to ensure the security of sensitive data.


Scope
This Program applies to all Richland Community College employees, whether full- or part-time, including faculty, administrative staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the Richland Community College community (hereafter referred to as the “Community”). This program also applies to certain contracted third-party vendors (see section 4.6 for additional information). The data covered by this Program includes any information stored, accessed or collected at the College or for College operations. The WISP is not intended to supersede any existing Richland Community College policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personal Information and Nonpublic Financial Information, as defined below. If such policy exists and is in conflict with the requirements of the WISP, the other policy takes precedence.

Definitions

  • Data: For the purposes of this document, data refers to information stored, accessed or collected at the College about members of the College community.
  • Data Custodian: A data custodian is responsible for maintaining the technology infrastructure that supports access to the data, for the safe custody, transport and storage of the data, and for providing technical support for its use. A data custodian is also responsible for implementing the business rules established by the data steward.
  • Data Steward: A data steward is responsible for the data content and development of associated business rules, including authorizing access to the data.
  • Personal Information: Personal Information (“PI”), as defined by Illinois law (815 ILCS 530/5), is the first name and last name or first initial and last name of a person in combination with any one or more of the following:
    • Social Security number;
    • Driver’s license number or state-issued identification card number;
    • Account number or credit or debit card;
    • Medical information;
    • Health insurance information;
    • Unique biometric data;
    • Passport number, alien registration number, or other government-issued identification number;
    • Username or email address, in combination with a password or security question and answer that would permit access to an online account.


Nonpublic Financial Information

The Gramm–Leach–Bliley Act (“GLB” Act) requires the protection of “customer information”, which applies to any record containing nonpublic financial information (“NFI”) about a student or other third party who has a relationship with the College, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the College. For these purposes, NFI shall include any information:

  • A student or other third party provides in order to obtain a financial product or service from the College;
  • About a student or other third party resulting from any transaction with the College involving a financial product or service; or
  • Otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.

Data Classification
All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.

  • Confidential: Confidential data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a significant level of risk to Richland Community College or the Community. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.

    Confidential data includes data that is protected by the following federal or state laws or regulations: Illinois Personal Information Protection Act (815 ILCS 530/5), the Federal Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the FTC’s Red Flag Rules. Information protected by these laws includes, but is not limited to, PI, NFI and Protected Health Information (PHI).

  • Restricted: Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of Richland Community College. Any non-public data that is not explicitly designated as confidential should be treated as restricted data.

    Restricted data includes data protected by the Family Educational Rights and Privacy Act (FERPA), referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), College financial and investment records, employee salary information, or information related to legal or disciplinary matters.

    Restricted data should be limited to access by individuals who are employed by or matriculate at Richland Community College and who have legitimate reasons for accessing such data, as governed by FERPA, or other applicable law or College policy. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.

  • Public (or Unrestricted): Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to Richland Community College or members of the Richland Community College community. Any data that is not classified as Confidential or Restricted should be considered Public data.


Program Responsibilities
All data at the College is assigned a data steward according to the constituency it represents. Data stewards are responsible for approving all requests for access to such data. The data stewards for each constituency group are designated as follows:

Type of Data    Data Steward
------------    ------------
Faculty         Shared between the Vice-President of Enrollment Services & the Vice President for Finance and Administration
Staff           Vice President for Finance and Administration
Student         Shared between the Registrar & the Director of Financial Aid
Alumni          Executive Director of the Foundation

A data steward may appoint a designee to serve in their place.

The Information Technology (IT) staff serve as the data custodians for all data stored centrally on the College’s servers and administrative systems, and are responsible for the security of such data.

Human Resources will inform IT staff about an employee’s change of status or termination as soon as is practicable but before an employee’s departure date from the College. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s access to College data.

Department heads will alert IT at the conclusion of a contract for student workers & individuals that are not considered Richland Community College employees in order to terminate relevant access privileges.

The IT staff are in charge of maintaining, updating, and implementing this Program. The College’s Chief Information Technology Officer (CIO) has overall responsibility for this Program.

All members of the Community are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing sensitive data in compliance with this Program.

Identification and Assessment of Risks to College Information
Richland Community College recognizes that it has both internal and external risks to the privacy and integrity of College information. These risks include, but are not limited to:

  • Unauthorized access of confidential data by someone other than the owner of such data
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of Confidential data by employees
  • Unauthorized requests for Confidential data
  • Unauthorized access through hard copy files or reports
  • Unauthorized transfer of Confidential data through third parties

Richland Community College recognizes that this may not be a complete list of the risks associated with the protection of confidential data. Since technology is not static, new risks are created regularly. Accordingly, IT staff will actively participate in and monitor advisory groups and sources such as the National Vulnerability Database, the National Center for Systems Security and Information Assurance (CSSIA), and SANS to identify new risks.

Richland Community College believes the College’s current safeguards are reasonable and, in light of current risk assessments made by IT staff, are sufficient to provide security and confidentiality to confidential data maintained by the College. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

Procedures for Safeguarding Confidential Data
To protect College data classified as confidential, the following procedures have been developed that relate to access, storage, transportation and destruction of records.

Access & Storage

  • Only those employees or authorized third parties requiring access to confidential data in the regular course of their duties are granted access to this data, including both physical and electronic records.
  • All electronic records containing confidential data should only be stored on a secure server. These servers include the following (see note 1):
    • alpha.richland.internal (contains the student information & financial information databases);
    • beta.richland.internal (the electronic document management system);
    • gamma.richland.internal (secure departmental file storage).

      All other servers & local machines are considered unsecure, and may not be used to store confidential information.
  • PHI may be stored on feith.richland.internal, provided that access to the PHI is appropriately restricted.
  • Confidential data that must be transmitted to external parties can only be transmitted via encrypted email attachments or via an approved cloud storage provider. Currently Microsoft OneDrive is the only allowed cloud provider for secure data transmission.
  • Members of the Community are strongly discouraged from storing confidential data on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). However, if it is necessary to transport confidential data electronically, the mobile device containing the data must be encrypted. Individuals should work with IT staff to ensure that responsible & reasonable encryption processes are used.
  • Paper records containing confidential data must be kept in locked files or other secured areas when not in use.
  • Upon termination of employment or relationship with Richland Community College, electronic and physical access to documents, systems or other network resources containing confidential data is immediately terminated.


Transporting Confidential Data

  • Members of the Community are strongly discouraged from removing records containing confidential data off campus. In rare cases where it is necessary to do so, the user must take all reasonable precautions to safeguard the data. Under no circumstances are documents, electronic devices, or digital media containing confidential data to be left unattended in any unsecure location.
  • When there is a legitimate need to provide records containing confidential data to a third party outside Richland Community College, electronic records shall be password-protected and/or encrypted, and paper records shall be marked confidential and securely sealed.


Destruction of Confidential Data

  • Destruction of confidential data is governed by College Board Policy 5.10 (Retention and Disposal of College Records).


Safeguarding Restricted Data

  • Access to restricted data should be limited to members of the Community who have a legitimate business need for the data.
  • Restricted data can be stored on any system that is authorized to hold confidential data, as well as richland.instructure.com (the College’s third-party learning management system).
  • Restricted data may be stored on cloud-based storage solutions that are unsupported by the College as long as they are in compliance with the requirements of any laws governing the protection of such data (e.g., FERPA).
  • Documents containing restricted data should not be posted publicly.


Password Requirements

In order to protect College data, all members of the Community must select unique passwords following these guidelines:

  • Has at least 6 characters
  • Contains a combination of at least three of the four character types: uppercase and lowercase letters, numbers, and special characters (e.g., @ $ # !)
  • Does not contain repeated characters or a keyboard sequence (e.g., qwerty, 12345, or yyy99)
  • Does not contain any part of the user’s name, username, birthday, or Social Security number, or those of friends and family (e.g., Jill1030)
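As an added illustration that is not part of the College’s procedure, the following Python check applies the four guidelines above to a candidate password for a constructed user profile. The procedure does not say how many characters count as “repeated”, a “sequence”, or “a part of” a name or date, so the thresholds below (3 identical characters, 4-character keyboard runs, 3+ character fragments) are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Keyboard rows used to detect sequences such as "qwerty" or "12345".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

@dataclass
class UserProfile:
    first_name: str
    last_name: str
    username: str
    birthday: date
    ssn_digits: str  # digits only; never log or store this in clear text

def _fragments(s, n=4):
    """Whole string plus every n-character window (lower-cased)."""
    s = s.lower()
    return {s} | {s[i:i + n] for i in range(len(s) - n + 1)}

def _personal_tokens(u):
    """Name, username, birthday and SSN forms a password must not contain."""
    b = u.birthday
    tokens = _fragments(u.first_name) | _fragments(u.last_name) | _fragments(u.username)
    tokens |= {str(b.year), f"{b.month:02d}{b.day:02d}", f"{b.day:02d}{b.month:02d}",
               f"{b.month:02d}{b.day:02d}{b.year}", f"{b.month:02d}{b.day:02d}{b.year % 100:02d}"}
    tokens |= {u.ssn_digits, u.ssn_digits[-4:]}
    return {t for t in tokens if len(t) >= 3}  # assumption: 3+ chars counts as "a part"

def _has_keyboard_sequence(low, n=4):
    """True if n consecutive characters follow a keyboard row forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False

def password_violations(password, user):
    """Return the list of guideline violations (empty list = acceptable)."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    classes = sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                   any(c.isdigit() for c in password), any(c in SPECIALS for c in password)])
    if classes < 3:
        problems.append("fewer than three of the four character types")
    if re.search(r"(.)\1\1", password):  # assumption: 3+ identical characters in a row
        problems.append("repeated characters")
    low = password.lower()
    if _has_keyboard_sequence(low):
        problems.append("keyboard sequence")
    hits = sorted(t for t in _personal_tokens(user) if t in low)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems

# Constructed sample user (fictitious values, not real data).
SAMPLE_USER = UserProfile("Jill", "Smith", "jsmith", date(1990, 10, 30), "123456789")

if __name__ == "__main__":
    for pw in ("Jill1030", "qwerty12", "yyy99!A", "Tr0ub&dor"):
        print(pw, "->", password_violations(pw, SAMPLE_USER) or "acceptable")
```

Run against the sample user, the procedure’s own example “Jill1030” is rejected because it contains both the first name and the birthday in MMDD form.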

Members of the community must protect the privacy of their passwords. Passwords must not be shared with others. If an account or password is suspected to have been compromised, all passwords should be changed immediately and the incident reported to the Richland Community College IT staff.

Third-Party Vendor Agreements Concerning Protection of Personal Information
Richland Community College exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI provided by the College to them. The primary budget holder for each department is responsible for identifying those third parties providing services to the College that have access to PI. All relevant contracts with these third parties are reviewed and approved by the Vice President of Finance and Administration to ensure the contracts contain the necessary language regarding safeguarding PI. It is the responsibility of the primary budget holders to confirm that the third parties are required to maintain appropriate security measures to protect PI consistent with this Program and applicable laws & regulations.

Computer System Safeguards
IT staff monitor and assess safeguards on an ongoing basis to determine when enhancements are required. The College has implemented the following to combat external risk and secure the College network and systems containing Confidential Data:

  • Secure user authentication protocols:
    • Unique passwords are required for all user accounts; each employee receives an individual user account.
    • Server accounts are locked after multiple unsuccessful password attempts.
    • Computer access passwords are disabled upon an employee’s termination.
    • User passwords are stored in an encrypted format; root passwords are only accessible by system administrators.
  • Secure access control measures:
    • Access to specific files or databases containing confidential data is limited to those employees who require such access in the normal course of their duties.
  • IT staff perform regular internal network security audits of all server and computer system logs to discover, to the extent reasonably feasible, possible electronic security breaches, and to monitor the systems for possible unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of College data.
  • Operating system patches and security updates are installed on all servers on a regular basis.
  • Antivirus and anti-malware software is installed and kept updated on all workstations.


Employee Training
All College employees are required to complete the online Confidential and Sensitive Information training. This training is also required for all student workers. Further information can be found in the College’s Confidential and Sensitive Information procedure document.

Reporting Attempted or Actual Breaches of Security
Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the College’s Information Security Officer. Further information can be found in the College’s Confidential and Sensitive Information procedure document.

Enforcement
Any employee or student who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises confidential or restricted data without authorization, or who fails to comply with this Program in any other respect, will be referred to their supervisor or Human Resources and may be subject to disciplinary action up to & including termination.

Review
The College will review this Program at least annually and reserves the right to change, modify, or otherwise alter this Program at its sole discretion and at any time.

Note 1: Server names obfuscated.