J14: Information Security Policy

Responsible for Maintenance: Information Technology Services

I. Purpose

The purpose of this Information Security Policy is to clearly establish Onondaga Community College's ("OCC") role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables Onondaga Community College to implement a comprehensive system-wide Information Security Program.

II. Scope

The scope of this policy includes all information assets governed by the College. All employees and vendors who have access to or utilize assets of the College, including data at rest, in transit or in process, shall be subject to these requirements. This policy applies to:

  • All ITS resources or systems operated by the College;

  • All ITS resources provided by the College through contracts, subject to the provisions and restrictions of the contracts; and

  • All authenticated users of OCC ITS resources.

III. Policy Statement

This policy will assist the College in its efforts to fulfill its responsibilities relating to the protection of information assets and comply with regulatory and contractual requirements involving information security and privacy. The policy is based on a nationally recognized framework, NIST 800-53r4, provided by the National Institute of Standards and Technology (NIST), and consists of eighteen (18) separate policy areas, with supporting Standards documents. Most other security laws, mandates and contractual requirements are mapped back to NIST 800-53.

OCC needs to protect the availability, integrity and confidentiality of data while providing information resources to fulfill the College's mission. The Information Security Program must be risk-based, and implementation decisions must be made based on addressing the highest risk first.

The OCC administration recognizes that fully implementing all controls within the NIST Standards is not possible due to College limitations and resource constraints. Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable. 

IV. Roles and Responsibilities

OCC has assigned the following roles and responsibilities:

1) AVP of ITS: The AVP of ITS is accountable for the implementation of the Information Security Program, including:

a) Security policies, standards, plans and procedures

b) Security compliance, including managerial, administrative, and technical controls

c) Communication with senior leadership, including an annual, GLBA-mandated presentation to the Board of Trustees highlighting the status of, and any material risks in, the Information Security Program.

The AVP of ITS is to be informed of information security implementations and ongoing development of the Information Security Program design.

2) Information Security Team: This group is responsible for reviewing and providing consultation on the design, implementation, operations, and compliance functions of the Information Security Program for all OCC constituent units. The committee will not be formally appointed but will be convened based on the needs of our risk management process.

3) Virtual CISO: This position is a contract role, responsible for advising and consulting with the AVP of ITS on the structure and design of the College's Information Security Program to meet legal and mandatory controls, and for advising on best practices for non-mandated areas.

V. Information and System Classification

OCC must establish and maintain security categories for both information and information systems. For more information, reference policy B20: Institutional Data (see related documents, below).

VI. Provisions for Information Security Standards

The OCC Security Program is framed on the National Institute of Standards and Technology (NIST) framework, with controls implemented in priority order based on the SANS Critical Security Controls. OCC must develop the control standards and procedures required to support the College's Information Security Policy. This policy is further defined by control standards, procedures, control metrics and control tests that provide functional verification.

The OCC Security Program is based on NIST Special Publication 800-53. This publication is structured into 18 control groupings, herein referred to as Information Security Standards. These Standards must meet all statutory and contractual requirements.

The following 18 paragraphs express management intent with respect to the basic topics of Information Security. These paragraphs are further detailed in the Information Security Standards. See: Related Documents, below.

1. Access Control (AC)

OCC must limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

2. Awareness and Training (AT)

OCC must: (i) ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of College information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

3. Audit and Accountability (AU)

OCC must: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum; and (ii) ensure that the actions of individual information system users can be uniquely traced for all restricted systems.

4. Assessment and Authorization (CA)

OCC must: (i) periodically assess the security controls in College information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in College information systems; (iii) authorize the operation of the College's information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

5. Configuration Management (CM)

OCC must: (i) establish and maintain baseline configurations and inventories of College information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in College information systems.

6. Contingency Planning (CP)

OCC must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the College's information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

7. Identification and Authentication (IA)

OCC must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to OCC information systems.

8. Incident Response (IR)

OCC must: (i) establish an operational incident handling capability for College information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate College officials and/or authorities.

9. Maintenance (MA)

OCC must: (i) perform periodic and timely maintenance on College information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

10. Media Protection (MP)

OCC must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; (iii) encrypt information on information system media, where applicable; and (iv) sanitize or destroy information system media before disposal or release for reuse.

11. Physical and Environmental Protection (PE)

OCC must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

12. Planning (PL)

OCC must develop, document, periodically update and implement security plans for College information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.

13. Personnel Security (PS)

OCC must: (i) ensure that individuals occupying positions of responsibility within departments are trustworthy and meet established security criteria for those positions; (ii) ensure that College information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with OCC security policies and procedures.

14. Risk Assessment (RA)

OCC must periodically assess the risk to College operations (including mission, functions, image, or reputation), College assets, and individuals, resulting from the operation of College information systems and the associated processing, storage, or transmission of College information.

15. System and Services Acquisition (SA)

OCC must: (i) allocate sufficient resources to adequately protect College information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures, through federal and state law and contract, to protect information, applications and/or services outsourced from the College.

16. System and Communications Protection (SC)

OCC must: (i) monitor, control and protect College communications (i.e., information transmitted or received by College information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within College information systems.

17. System and Information Integrity (SI)

OCC must: (i) identify, report and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within College information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

18. Program Management (PM)

OCC must implement security program management controls to provide a foundation for the College Information Security Program.

VII. Privacy

OCC must make every reasonable effort to respect a user's privacy. However, personnel do not acquire a right of privacy for communications transmitted or stored on College resources.

Additionally, in response to a judicial order or any other action required by law or permitted by official College policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the College, the AVP of ITS, or an authorized agent, may access, review, monitor and/or disclose computer files associated with an individual's account.

VIII. Enforcement

OCC may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of College and computer resources.

Individuals who violate any part of this policy will be subject to the College's Progressive Discipline Policy.

IX. Related Documents

X. Contacts

Subject | Office Name | Telephone Number | Email/URL
Institutional and Operational Reporting | Office of Institutional Planning, Assessment and Research | (315) 498-2500 | awuaha@sunyocc.edu
 | Information Technology Services | (315) 498-2686 | wileyst@sunyocc.edu
Ensuring Compliance | Compliance | (315) 498-2172 | delanda@sunyocc.edu

Approved by OCC Board of Trustees September 24, 2024