Information Security Program 7.106

Abstract

To exercise due care in the protection of confidential and sensitive information within Elgin Community College, the Information Technology Department has composed this Information Security Program.

The protection of confidential and sensitive information is a responsibility shared by all representatives of Elgin Community College. This administrative procedure defines key roles within Elgin Community College and the responsibilities shared by all Elgin Community College representatives in protecting confidential and sensitive information from unauthorized disclosure and identity theft. This administrative procedure presents best practices for the safe handling of information and a plan for any loss, unauthorized disclosure or other Information Security Incident. It also discusses methods that should be used to verify the identity and authorization of any account holder on an Elgin Community College owned data system. This includes, but is not limited to, accounts related to Financial Aid, Student Services, Registration, Information Technology, Human Resources, Business and Finance, or any other area within the College.

As a supplement to this document, Administrative Procedure 3.407 titled "Red Flag Identity Theft Prevention Program" should also be reviewed. This document discusses suspicious behaviors that may raise "red flags" as they relate to identity theft. Identifying and responding to these "red flags" allows Elgin Community College representatives to identify potentially malicious behavior and ultimately to protect the identity of an individual or other Elgin Community College data.

Table of Contents

1. Purpose

2. Scope

3. Effective Date

4. Definitions

5. Roles and Responsibilities

6. Information Handling Guidelines

7. Plan for Loss or Information Security Incident

8. Identity and Account Verification

9. Training

10. Service Provider Oversight

11. Enforcement

1. Purpose

The protection of confidential and sensitive information assets and the resources that support them is critical to the operation of Elgin Community College. As information assets are handled, they are placed at risk for potential threats, such as employee errors, malicious or criminal actions, theft, fraud, and unauthorized disclosure. Such events could cause Elgin Community College to incur damage to its reputation, disclosure of confidential or private information, and possibly suffer financial damages, fines, and penalties.

The purpose of this administrative procedure is to reduce the risk of loss, Information Security Incident or disclosure of confidential and sensitive information through security controls designed to detect, prevent, and mitigate loss due to errors or malicious behavior. Elgin Community College recognizes that absolute security against all threats is an unrealistic expectation, but these security controls will help to reduce the risk to an acceptable level.

These guidelines were derived through a risk assessment of Elgin Community College’s existing methods of handling confidential and sensitive information as well as incorporating current industry best practices. The determination of appropriate security measures must be a part of all operations and will undergo periodic evaluation.

2. Scope

Administrative Procedure 7.106 applies to Elgin Community College employees, including faculty, support staff, administrative staff, student workers, vendors, freelancers, and other agents that may come into contact with confidential and sensitive information. This also applies to all parties such as contractors, consultants, temporaries, and personnel of third party affiliates.

3. Effective Date

Administrative Procedure 7.106 is effective.

4. Definitions

Account
An account is a body of information or a record of an individual, group, or entity that is kept for the purpose of transacting on an on-going basis with another individual, group, or entity. The terms accounts and records are used interchangeably because they share similar functions and characteristics. Both contain identifiable information on an individual, group, or entity, and each allows access to products or services and holds a history of transaction activity.

Data Classification
All data owned by Elgin Community College can be classified according to its importance and the level of controls needed to protect it. The appropriate level of protection is required whether the data resides in hard copy or in electronic format.

  1. Public – This type of data requires the lowest level of protection (actually none) and is freely distributable. Examples include items that are on the public side of the college website, news releases (after they have been released), course catalogs, etc.
  2. Internal – This type of data requires some protection, but is considered freely distributable to everyone within Elgin Community College. Examples include any information that is protected behind the employee or student portals. A distinction is made between employee internal and student internal data: data considered employee internal is freely distributable to all employees, but not to students or the public.
  3. Confidential and Sensitive Information (CSI)
    Confidential and sensitive information requires the greatest amount of protection. This type of data is freely distributable only to authorized individuals, departments, or other restricted groups. CSI data includes, but is not limited to, the following examples:

CSI data examples

Personal Information: Social Security Number; Date of Birth; Mother's Maiden Name; Driver's License Information; Paycheck Information; and Passport Information.

Financial Information: Credit Card Numbers; Credit Card Expiration Dates; Credit Card CCV Numbers; Bank/Credit Union Account Numbers; Credit Reports; Billing Information; and Payment History.

Medical Information: Medical Records; Doctor Names and Claims; Health, Life, Disability Insurance Policy Information; and Prescription Information.

Business Information: Federal ID Numbers; Proprietary Information; Trade Secrets; College Systems; Security Systems; Employee Identifiers; Access Numbers / Passwords; Customer Identifiers; Vendor Numbers; and Account Numbers.

Covered Account
Please refer to Administrative Procedure 3.407 titled "Red Flag Identity Theft Prevention Program."

Electronic and Soft Copy Format
Electronic or soft copy format refers to any confidential and sensitive information that exists electronically on CDs, DVDs, backup tapes, cell phones, voicemail systems, local computer drives, network drives, and portable devices, including but not limited to thumb drives, flash drives, and mp3 players.

Hard Copy Format

Hard copy format refers to any confidential and sensitive information that exists physically on paper.

Physical Access Zone
A physical access zone is a clearly defined physical or implied boundary established by Elgin Community College to control and limit access to areas containing confidential and sensitive information.

President’s Cabinet
The collective body of directors or officers charged with managing the operations of Elgin Community College.

Red Flags
Red flags are patterns, practices, and specific activities involving covered accounts that indicate the possible risk of identity theft.

Service Provider
A service provider is any individual, group, or entity that either directly provides a service to Elgin Community College or provides a service on behalf of Elgin Community College to its customers and clients.

Spoken Word
Spoken word refers to the transfer of confidential and sensitive information, either verbally or audibly through electronic media.

Cloud Storage
Cloud storage refers to any off-site, hosted service used to store data that has not been authorized by the College. Such services may provide automatic data synchronization. Examples include Dropbox, Google Drive, and Microsoft OneDrive.

5. Roles and Responsibilities

President’s Cabinet
The President’s Cabinet is responsible for the design, implementation, and oversight of the Information Security Program. Since it is not feasible for the Cabinet to be directly involved with these responsibilities, the Information Security Officer (ISO), under the direction of the Executive Director of Network Operations and Information Security, will assume this responsibility. The designated Information Security Officer must report at least annually to the President’s Cabinet on the state of the Information Security Program.

Information Security Officer (ISO)
The Information Security Officer is responsible for conducting periodic risk assessments of confidential and sensitive information handling methods; designing more specific or new administrative procedures and guidelines as needed; coordinating training for all employees on a periodic and on-going basis; evaluating administrative procedures and processes; working with supervisors to take disciplinary action with employees; and creating a plan to respond to information security incidents. The ISO will report to the Executive Director of Network Operations and Information Security. The Information Security Officer will assume the lead for any Information Security Incidents (including Red Flag incidents). He/she will be responsible for reviewing any reports regarding the detection of Information Security Incidents, the steps for mitigating the event, and the steps required to prevent future incidents, and for reviewing and improving the overall Information Security Program.

Employees
All personnel are responsible for adhering to these guidelines and for reporting any information security incidents immediately to the Information Security Officer (see section 2 titled, “Scope”).

Service Providers
For security reasons, the level of responsibility given to service providers depends on the scope of their service offering. Each will be responsible according to their direct or indirect access to information. In either case, service providers will be held accountable for their conduct, and agreements must delineate where Elgin Community College's liability ends and where the service provider's liability begins.

  • Direct Access to Information: A service provider is considered to have direct access to information when performing an activity with confidential and sensitive information (CSI) on behalf of Elgin Community College. If information is shared, the service provider must have an Information Security Policy that complies with or exceeds our own.
  • Indirect Access to Information: A service provider is treated differently when they have indirect access to information. These are service providers that are working in the proximity of confidential and sensitive information in the institution, but their function does not involve sharing information. In this type of relationship, the service provider must comply with this Information Security Procedure.

6. Information Handling Guidelines

The following information handling guidelines cover issues related to the collection, retention, transfer, and destruction of confidential and sensitive information of Elgin Community College owned data.

A. Physical Access Zones

Elgin Community College will establish, maintain, and enforce physical access zones in all of its facilities to control and limit access to areas containing confidential and sensitive information. There are four types of color coded zones, each with different access requirements as follows:

  • Green Zones: Green zones are low priority public areas to which everyone has access. Only data with a classification of public should be available within this zone.
  • Yellow Zones: Yellow zones are moderate priority operational or information processing areas. All employees are authorized in these zones. Service providers, customers, and visitors must be accompanied by an employee. This zone can include data information that is classified as internal or public.
  • Red Zones: Red zones are high priority areas containing proprietary information, record storage, or databases. Access is limited to authorized employees who possess an immediate need for this information. All others must be identified, verified, and accompanied at all times. This zone can contain data of any classification.
  • Gray Zones: Gray zones are transition zones where risk fluctuates as confidential and sensitive information enters and leaves. The transition zone takes on the characteristics of other zone requirements when confidential and sensitive information is introduced. Examples include conference rooms and vehicles.

B. Information Security Audits

With the approval of the Executive Director of Network Operations and Information Security and/or the CIO, the Information Security Officer is authorized to conduct and/or coordinate security audits of any area containing any classification of data. These audits may occur at any time, in coordination with the department head, to ensure the safety and security of Elgin Community College information.

C. Information Storage

Storing confidential and sensitive information is a normal function of conducting operations at Elgin Community College. College representatives shall only store this information for legitimate College needs and when it is related to their individual job responsibilities. If the information is better suited to be stored in another department, the individual should check to ensure that duplicate data is not being stored.

Hard Copy On-site Storage
On-site storage refers directly to confidential and sensitive information stored within any Elgin Community College facility.

Employees’ Personal Belongings: It is recommended that Elgin Community College personnel secure their personal belongings. Employees are responsible for keeping personal items secure during work hours.

Workspace Storage: Confidential and sensitive information stored in an office, cubicle, reception area, cash register, or other workspace must be kept in locked desks, cabinets, closets, or lockers when not in use.

File Rooms and Storage Rooms: File and storage room doors must be closed and locked when unattended by authorized personnel.

Records Storage: Records will only be stored when there is a legitimate business need. Any records in storage beyond the legal statute of limitations will be appropriately disposed of by designated employees. See Administrative Procedure 3.102 titled, “Records Retention and Disposal.”


Off-site Storage
Off-site storage refers to any place confidential and sensitive information is stored outside of designated Elgin Community College facilities.

Approved Storage Facilities: Confidential and sensitive information may only be stored in facilities authorized by the Information Security Officer.

Storage Service Providers: All storage service providers must comply with the service provider oversight policies in this Administrative Procedure.

Soft Copy Storage
College representatives shall only store confidential and sensitive information on Elgin Community College authorized computers, telecommunications, or other electronic devices. A list of approved equipment will be maintained by the College's Information Security Officer.

Data Backup: Information Technology currently backs up data that is located on servers, network file shares, and within individual users’ “My Documents” folders. Data stored on local drives (c:, d:, or other removable media) as well as on users’ desktops is not currently backed up. Files in these locations are not recoverable if there is an incident.

Encryption: All confidential and sensitive information stored on portable electronic devices, or electronically transmitted, must be encrypted.

Portable Electronic Devices: Portable electronic devices approved by the Information Security Officer must be authorized by the individual’s supervisor and secured when not in use. The physical security of these devices is the responsibility of the authorized user. As per the Personal Mobile Device Request Form & Employee Declaration, Elgin Community College reserves the right to remotely wipe the device if it is lost or stolen.

Cloud Storage: Confidential and Sensitive Information is prohibited from being saved in cloud storage services unless the system has been approved by the IT Department.

D. Information Destruction

All confidential and sensitive information no longer requiring storage will be destroyed. See Administrative Procedure 3.102 titled, “Records Retention and Disposal.”

Hard Copy Destruction
In-house Destruction: Hard copy material to be destroyed will be maintained in locked and secured boxes labeled “Confidential Shred Material.”

Destruction Service Providers: All destruction service providers must comply with the service provider oversight policies in this Administrative Procedure. All destruction service providers must be National Association of Information Destruction, Inc. (NAID, Inc.) certified and must provide Elgin Community College with a certificate of destruction every time material is released to them to be destroyed.


Soft Copy Destruction
All computers, telecommunications, or electronic devices no longer of use to the College, and that contain or had contained confidential and sensitive information, must be cleaned of data prior to sale, donation, or disposal. Only members of the Information Technology department are designated for this function.

E. Confidential and Sensitive Information Transferability

Verbal Transfer: College representatives must identify and verify callers as authorized agents before releasing any confidential and sensitive information over the phone. College representatives may not release any confidential and sensitive information to a third party, unless the third party was previously authorized in writing by the information owner. College representatives may only discuss confidential and sensitive information with Elgin Community College authorized individuals, who have a need to know, for a legitimate purpose. Under no circumstances is a College representative permitted to leave confidential and sensitive information on an answering machine or voicemail system.

Hard Copy Transfer: College representatives shall keep desks and workspaces clear of confidential and sensitive information when not in use. College representatives must not print, post, or make known any confidential and sensitive information on any dry erase boards, chalk boards, or bulletin boards in public or operations areas. Dry erase and chalk boards must be wiped clean after every use. When an off-site transfer is necessary, confidential and sensitive information shall be transported from one external location to another in a secure manner (e.g., in the locked trunk of a vehicle). When off-site transfer of confidential and sensitive information is necessary, the Information Security Officer should be informed and an inventory kept of the confidential and sensitive information being transferred.

Facsimiles (FAX): FAX machines may not be physically located in a public area. Every outgoing fax must contain a coversheet containing the sender and receiver’s names. Each coversheet will contain Elgin Community College’s Confidential and Sensitive Information Disclaimer. College representatives sending a FAX containing confidential and sensitive information shall notify the recipient that the FAX is being sent. Any unnecessary confidential and sensitive information must be masked or deleted before faxing.

Soft Copy Transfer: It is possible that College information considered confidential or sensitive may reside in soft copy (electronic) format on personal devices such as thumb drives. Any personal device that is lost or stolen must be reported immediately to the Information Security Officer.

E-mail Transfer: Any outgoing email containing confidential and sensitive information must be encrypted. College representatives shall not respond to e-mails requesting confidential and sensitive information, unless they first contact the sender and verify that the sender is authorized to have the information being requested.

Portable Electronic Device Transfer: Portable electronic devices must be secured when transported from one location to another. The physical security of these devices is the responsibility of the authorized user and, if lost, must be reported immediately to the Information Security Officer.

F. Information Accessibility

Hard Copy Accessibility
Entrances and Exits: All facility entrances and exits that are determined not to be for public use will remain locked at all times, in accordance with fire code.

Mail Accessibility: Mail must be kept in a secure area until requested by the postal carrier or received internally by the intended recipient.

Surveillance Equipment: Elgin Community College reserves the right to use cameras and other surveillance equipment to monitor all public, operations, and restricted areas.

Employee Authorization: Every College representative will go through a background check and a screening process conducted by Human Resources before being authorized to handle confidential and sensitive information. College representatives shall only handle confidential and sensitive information for legitimate College operations when knowledge is required and is a direct function of their job description. Please contact Human Resources for details regarding this process.

Service Provider Accessibility: Service providers shall only handle confidential and sensitive information for a legitimate business purpose when it is a direct function of their job responsibilities as stated in their service provider agreements. If, during the course of an engagement, confidential and sensitive information is accidentally encountered, the service provider must contact the College's Information Security Officer, and the incident must be logged.

Soft Copy Accessibility
Technology System Audits: Elgin Community College will conduct periodic technology system audits to test the integrity and security of information technology systems as needed but at least on an annual basis.

Logging on and off: Only authorized individuals may log onto Elgin Community College networks and equipment. All individuals are required to log off or lock their device when not in use.

Passwords: Employees shall use strong passwords containing a combination of numbers, letters, and other characters. Passwords should be changed no less than once every one hundred and eighty (180) days. Please refer to Administrative Procedure 7.102 titled, “Password Policy” for details.

Remote Access: Remote access to Elgin Community College networks must be approved in writing by management and done with authorized resources. Please refer to Administrative Procedure 7.105 titled, “Remote Access” for details.

7. Plan for Loss or Information Security Incident

A. Discovery of an Information Security Incident or Red Flag Incident within the College
If an Information Security Incident or Red Flag Incident involving confidential and sensitive information is discovered, leave the area as found and immediately notify your supervisor or the Information Security Officer. The incident must be documented using a Suspicious Activity Report (SAR) and retained by the Information Security Officer.

Information that should be gathered includes any visitor logs, employee time sheets, and the names of all individuals having access before, during, and after the incident. It is at the Information Security Officer's discretion to determine whether or not there was a loss of data and, if so, to identify the potential impact of the incident. At this point, the Legal, Public Relations, and Police Departments will be contacted in addition to any potential victims according to legal statutes.

B. Discovery of an Information Security Incident through Accusation
If an Information Security Incident of confidential and sensitive information is discovered through accusation, be sympathetic to the potential victim while documenting the potential incident using a Suspicious Activity Report (SAR). Do not confirm or deny their allegations and be sure to document the accuser’s contact information. Inform them that the Information Security Officer or department head will contact them after reviewing the documented information.

At this point, the Information Security Officer may interview any witnesses, review the Suspicious Activity Report (SAR), and/or contact the potential victim to verify their story and assure them that it will be investigated. If an Information Security Incident can be confirmed, the extent of the impact will be determined. At this point, the Legal, Public Relations, and Police Departments will be contacted in addition to any potential victims according to legal statutes.

8. Identity and Account Verification

A. Financial Transaction Identification and Verification
Elgin Community College requires College representatives to verify adequate means of identification from a person before they can transact business with a check, credit card, or debit card on behalf of themselves, a group, or an entity.

Personal or Company Check Transactions: College representatives must not accept a check for payment without adequately verifying the following current and non-expired forms of identification.

  1. A picture ID such as a State Driver’s License, State Picture ID, U.S. Passport, U.S. Military ID, or a U.S. Federal ID;
  2. A physical address that matches the address on the check, or if recently relocated, a utility bill in the individual’s name and an updated mailing address; and
  3. A signature that matches the one on the picture ID.

Credit or Debit Card Transactions: College representatives must not accept credit card or debit card payments without adequately verifying the following current and non-expired forms of identification.

  1. A signature that matches the one on the credit or debit card; or
  2. A picture ID such as a State Driver’s License, State Picture ID, U.S. Passport, U.S. Military ID, or a U.S. Federal ID.

B. New and Existing Account Identification and Verification
College representatives shall make a reasonable effort to identify and verify each customer’s identity when opening new accounts and accessing existing accounts.

    • Primary Identification: A picture ID such as a State Driver’s License, State Picture ID, U.S. Passport, U.S. Military ID, or U.S. Federal ID; Alien Registration Card; or the correct answer to personal knowledge question.
    • Secondary Identification: Social Security Card; Voter Registration Card in State of Residence; Birth Certificate; Credit card or Bank card; Insurance Cards; Police Identification; or Notarization and Signature of Account Applicant
    • Account Identification and Verification in Person: When opening new accounts or accessing existing accounts in person, College representatives must request two sources of identification, one primary and one secondary. When accessing existing accounts in person, College representatives must request one primary source of identification.
    • Account Identification and Verification On-line: When opening new accounts on-line, the system must authorize two sources of identification, one primary and one secondary. When accessing existing accounts, only the primary identification is required. Changing a forgotten password requires a username and the correct answer to the personal knowledge question.
    • Account Identification and Verification By Phone: When opening new accounts by phone, two sources of identification, one primary and one secondary should be used for identity verification. When accessing existing accounts, only the primary identification is required.
    • Account Identification and Verification By Mail: When opening new accounts by mail, two sources of identification, one primary and one secondary, should be used for identity verification. When accessing existing accounts, only the primary identification is required.
9. Training

Training in relation to this Information Security Administrative Procedure shall be conducted for all employees, temporary employees, independent representatives, and contractors, both part-time and full-time, on a periodic basis no less than once annually. College representatives will receive additional training triggered by changes in policy, changes in their mode of operations, information security incidents, and updated information.
10. Service Provider Oversight

In the event the College engages a service provider to perform an activity in connection with one or more covered accounts, the College will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of unauthorized data disclosure.

      1. Elgin Community College will review all service provider agreements and activities on an annual basis.
      2. A service provider with direct access to confidential and sensitive information must provide proof of and maintain their own Information Security Program that is consistent with or exceeds Elgin Community College’s own program.
      3. Require by contract that service providers with either direct or indirect access to confidential and sensitive information review and agree to this Administrative Procedure 3.407 and report any red flags to the Information Security Officer or the College employee with primary oversight of the service provider relationship.
11. Enforcement

Violation of this Administrative Procedure is subject to appropriate disciplinary action, including termination of employment.