Written Information Security Program

Responsible for Maintenance: Information Technology Services

I. Introduction

Objective

The objective of this Written Information Security Program (WISP) is to describe, at a high level, the Information Security Program that is in place at Onondaga Community College ("OCC"). Included in this WISP are descriptions of some of the administrative, technical, and physical safeguards that OCC has selected to protect the information it collects, creates, uses and maintains. This WISP has been developed in accordance with the following security best practices and regulations:

  • NIST – The NIST 800-53r4 standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System within the context of the College's overall business risks. It specifies requirements for the implementation of security controls, customized to the needs of the individual College, or parts thereof.
  • Payment Card Industry Data Security Standards (PCI DSS) v4.0 - Contractual obligations addressing the administrative, technical, and physical standards required by payment brands (Visa, AMEX, MasterCard, Discover) for Colleges processing payment card transactions.

II. Vision, Mission, and Goals

  1. Vision

The information security program shall reduce the impact of cyber security events through a risk-based approach.  OCC does this through a robust, NIST-based security program supported by policies, standards and procedures that address the eighteen (18) NIST control families.

  2. Mission

Strengthen the security of the OCC environment by implementing a structured security program and ensuring that an effective relationship exists between information security and the business objectives of OCC. Where risk shows weaknesses in the program, the College continues efforts through continuous improvements to the program.

  3. Goals

Deploy security controls to reduce risk for information assets, as defined by specific goals. Achieving these goals requires that OCC:

  • Align information security initiatives with OCC strategy;
  • Assign ownership and accountability for information security initiatives;
  • Monitor the status and efficacy of information security initiatives; and
  • Institute a process of continuous assessment and improvement.

III. Core Tenets

OCC's WISP establishes five (5) core tenets, representing the values and assumptions that will be considered when implementing the information security program.

  • Risks are identified and managed in a coordinated and comprehensive way across the OCC environment to enable effective allocation of information security resources. This involves promoting efficient and effective use of resources by taking a comprehensive and strategic approach to risk management.
  • Understanding and accounting for dependencies within the OCC environment when managing risks is critical to enhancing information security.
  • Information sharing across OCC's environment is paramount to gaining knowledge of information security risks.
  • Partnership in implementing OCC's information security program allows for unique perspectives in understanding information security gaps, challenges and solutions and selecting appropriate trade-offs when mitigating risk.
  • Information security will be factored into all decisions regarding OCC resources, systems, and networks.

IV. Roles and Responsibilities

  1. Information Security Leadership

To successfully manage risk across OCC, senior leaders and executives must be committed to making information security a fundamental mission. This top-level, executive commitment ensures that sufficient resources are available to develop and implement an effective, College-wide security program. Effectively managing information security risk across the College requires the following key elements:

  • Ongoing recognition and understanding by senior leaders and executives of the information security risks to College information assets, operations and personnel;
  • Establishment of the tolerance for risk and communicating the risk tolerance throughout the College, including guidance on how risk tolerance impacts ongoing decision-making activities; and 
  • Holding senior leaders and executives accountable for their risk management decisions.

  2. Information Security Officer Functions

The Information Security Officer functions have been assigned to an individual and/or a team of individuals, who carry the mission, along with additional resources, to coordinate, develop, implement, and maintain the College-wide information security program. Responsibilities include:

  • Development, maintenance, and distribution of policies and procedures for information security
  • Ensuring responsibilities and assignment for monitoring alerts and incident response processes are understood and performed
  • Development, maintenance, and implementation of a security incident response plan
  • Ensuring that the access control processes are defined and effectively implemented
  • Overseeing the monitoring of access control processes

  3. Information Security Team (IST)

The IST, whose charge includes information security oversight functions, provides several “soft” benefits, including those gained by the active participation of institutional leaders in information security decision-making. Members of this team are assigned based on their role in risk management and in remediating the risks. The team often participates in the following:

  • Discussing goals for the Information Security program;
  • Reviewing and approving Information Security policies and standards;
  • Recommending, reviewing and prioritizing information security initiatives;
  • Communicating information security needs;
  • Reviewing the effectiveness of the Information Security program and resources; and
  • Ensuring corrective action plans have been developed and implemented to address risks that are unacceptable to OCC.

  4. Resource Optimization

OCC dedicates resources to information security initiatives in an effort to reduce risk, and subsequently meet business objectives. It is understood that these resources are finite and specific, and of the following types:

  • Budget – Funds for information security initiatives will be allocated on an annual basis. Allocated funds are determined by the College needs, which will be determined by College risk.
  • Personnel – The information security team consists of both full-time employees and vendors. The number of personnel allocated to information security initiatives is determined by business need, which is driven by College need, which in turn reflects organizational risk. Staff are allocated and leveraged optimally based on capabilities and availability.
  • Time – The information security team is granted time to complete security initiatives. Schedules for security initiatives are determined by business need, which in turn is determined by College risk.

V. Strategy

  1. Overview

The key to ensuring that OCC's Security program is reasonable and usable is to develop a suite of policy documents that match the intended audience’s goals and culture. Policies must be brief, practical, and realistic. To achieve this, it is essential to involve and obtain support from senior management and other stakeholders, as well as from the people who will use the policy as part of their daily work.

The College:

  • Develops and disseminates information security program standards and an information security plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
  • Establishes and maintains information security policies, standards, and procedures to address all relevant statutory and regulatory requirements, and ensure and support the confidentiality, integrity, and availability of its information assets.
  • Makes relevant policies, standards, and procedures readily available to all affected workers.
  • Conducts a periodic formal review of policies, standards, and procedures and updates them, at a minimum, annually.

  2. Policy Implementation

OCC has the following three Security Policies formalized or in development:

  • Acceptable Use Policy – Advises all members of OCC on acceptable and unacceptable behavior involving the College's resources. 
  • B20 Institutional Data – Describes the schema for data classification as well as the process for classification and handling of the College's data. 
  • Information Security Policy – Creates provisional compliance requirements for the OCC Information Security Standards.  Requires that all OCC administrative and business functions meet the minimum acceptable requirements for security.

  3. Standards Implementation

OCC has developed appropriate control standards, herein referred to as Information Security Standards, to support the College's Information Security policies. These standards are based on NIST 800-53r4. The Information Security Standards define all OCC directives for safeguarding information and ensuring that each department complies with applicable laws, regulations, and commercial standards. Appropriate procedures have been documented that describe the tools, processes, and resources used to implement the Information Security Standards. The OCC Information Security Standards are structured into eighteen (18) control families.

Wherever appropriate, information security controls will comply with, reference, and implement the above standards. This position complies with the security policy.

  4. Regulatory and Security Best Practice Compliance

While not currently mapped to OCC Information Security Standards, OCC must also comply with the following:

  • Electronic Communications Privacy Act (ECPA) - Federal law which specifies the standards by which law enforcement is permitted to access electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet technologies.
  • The Family Educational Rights and Privacy Act (FERPA) (34 CFR Part 99)
  • The Gramm-Leach-Bliley Act (GLBA), specifically the FTC-regulated 16 CFR Part 314 elements of GLBA.
  • PCI DSS 4.0

It is the goal and intent of the College to ensure compliance with all known regulations and mandates as they are understood, and to make them an appropriate priority. When necessary, OCC may add or change Information Security Standards to fully express the intent of applicable mandates.

VI. Risk Management

  1. Set Goals and Objectives

Goals and objectives for OCC's information security program are established and remediation plans are formulated and prioritized commensurate with risk to the College.

  2. Identify Infrastructure

OCC has identified all assets, systems, and networks critical to continued operations, as well as the dependencies between these essential resources. Effective risk management requires an understanding of how critical these resources are to the College.

  3. Assess and Analyze Risks

Identifying risks is the single most important step an organization can take to ensure the confidentiality, integrity, and availability of information assets. It is also an important component for achieving regulatory, commercial, and legal compliance.

Risk treatment involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process, in consultation with the Information Security Officer. The College will implement security measures that reduce the risks to its information systems containing confidential information to reasonable and appropriate levels. Selection and implementation of such security measures will be based on a formal, documented risk management process. The selection process involves a trade-off between the business need for certain functions and the risk associated with such activities. The goal is to reduce risk to an acceptable level, which does not mean that risk is reduced to zero.

  4. Implement Risk Management Activities

The College manages risk on a continuous basis and implements necessary security measures to ensure the confidentiality, integrity, and availability of information systems containing confidential information. A risk assessment is performed, at a minimum, annually. This involves identifying the risks to information assets and determining the probability of occurrence, the resulting impact, and additional safeguards to mitigate this impact. In addition, OCC performs risk assessments for projects and changes to infrastructure. Strategies for managing risk are commensurate with the risks to such systems. One or more of the following methods may be used to manage risk:

  • Risk acceptance
  • Risk avoidance
  • Risk mitigation
  • Risk transference

The College manages the security state of the College's information systems and the environments in which those systems operate through the security authorization processes by:

  • Considering a security impact analysis when deemed material for the change;
  • Conducting additional security assessments, which may provide a viewpoint on previously unknown risks; and
  • Documenting additional risks identified through observation and discussion during other activities for entry into the risk management process.

  5. Measure Effectiveness

This position on risk management is stated and reinforced in the security policy.

OCC will regularly evaluate progress of security program implementation and risk management by reviewing and updating remediation plans. Progress will be communicated to necessary stakeholders, up to and including the Board of Trustees.

For detailed information regarding risk management, reference OCC Risk Management procedure.

VII. Computer and Technology Operations

  1. General

Computer systems and networks, communications systems and other equipment belonging to or otherwise in the possession of OCC are the property of OCC and are maintained solely by OCC. These systems are provided for use in conducting OCC business, although reasonable personal use by Employees and Students is permitted. The use of any OCC system for commercial purposes other than that of OCC is prohibited. There is no expectation of privacy when using any OCC computers, systems, networks or other equipment and OCC reserves the right to obtain access to all communications and data or information stored, processed, or transmitted by these systems at any time and without prior notice.

  2. Network Security

The College's network is maintained in such a way that risk of loss or corruption of data or unauthorized access (internal or external) is minimized. Vulnerabilities that arise in OCC's network are addressed according to OCC's Vulnerability Management procedures. For more information on network security, reference OCC Acceptable Use policy and OCC configurations.

  3. Endpoint and Removable Media Protection

Controls will be implemented on OCC laptops and removable media to protect the confidentiality and integrity of information contained therein. 

  • OCC backups are encrypted.
  • OCC computing devices are locked after the prescribed inactivity timeout.
  • End users must protect all OCC owned computing devices and removable media.
  • Virus detection and protection solutions are implemented on OCC owned computing devices.
  • OCC employees will report any issues, including theft, immediately to their direct supervisor and to ITS.

For more information on endpoint and removable media protection, reference OCC Acceptable Use Policy and OCC configurations.

  4. User IDs and Passwords

All faculty, staff and students are provided with a unique username and password to access any OCC-owned system or application. OCC passwords are required to meet minimum length, complexity, and reuse requirements to protect confidential or sensitive data. All Employees and Students will protect and not share or misuse user IDs and passwords. For more information on user IDs and passwords, reference the OCC Access Control procedure.

  5. Access Rights

Only approved Employees and Students are granted access to OCC systems and information; access is provided at the minimum level necessary to complete job duties. Network controls are also applied to prevent unauthorized network access. Any devices logged onto OCC's network are configured to time out after a period of inactivity.

Remote access to OCC's environment is granted only to those Employees and Students with a legitimate, documented business need.

Access to OCC information, regardless of its form, will be performed only for a legitimate business purpose. No user is permitted to access, read, edit, print, copy, transfer or delete information maintained by any other user unless given permission by management to do so. Access to systems owned or operated by OCC's third-party vendors is not permitted without proper authorization.

For more information on access rights, reference OCC Access Control procedure.

  6. System Monitoring

At the discretion of the AVP of ITS, OCC reserves the right to monitor or review activity on any College-owned system without notice. For more information on system monitoring, reference OCC Logging and Monitoring procedure.

  7. Data Classification and Handling

OCC employees will classify all information and data. OCC employees will make every effort to redact any information classified as confidential or sensitive when appropriate to do so. OCC data and information will be retained according to applicable local and federal guidelines. All OCC data and information will be destroyed when no longer needed. OCC employees will be responsible for appropriately processing, storing, and transmitting OCC information or data. For more information on data classification and handling, reference B20 Institutional Data and OCC Data and Information Destruction procedures.

  8. Acceptable Use

All Employees and Students will use OCC computer systems and networks, communications systems and other equipment belonging to OCC appropriately, and in such a way that does not violate any law or regulation. Examples of such systems include, but are not limited to:

  • Voicemail
  • Software
  • Email
  • Internet

For more information on acceptable use, reference OCC's Acceptable Use policy.

  9. Personnel Security

All OCC employees will be provided upon hire with the policies, standards, and procedures necessary to perform their job duties. OCC employees will be provided with relevant training on these topics and will be expected to attest to having read and understood all materials provided. OCC will screen, transfer and terminate users appropriately. For more information on personnel security, reference OCC Personnel Security procedure.

  10. Vendor Management

OCC enters into contractual relationships with third-party vendors for essential services. In such cases, OCC will conduct reasonable due diligence on the information security of vendors. OCC will ensure all reasonable and appropriate agreements are in place to protect any OCC data or information processed, stored, or transmitted by third-party vendors. For more information on vendor management, reference OCC Vendor Management procedure.

VIII. Information Security Road Map

The Information Security Roadmap describes the current and planned security priorities of the College. For more information regarding current and planned security priorities, reference the OCC Security Roadmap.

IX. Related Documents

X. Contacts

Subject               Office Name                      Telephone Number   Email/URL
Content of Document   Information Technology Services  (315) 498-2686     wileyst@sunyocc.edu



Approved by the OCC Board of Trustees September 24, 2024