Staff Policy D-508.00
Institutional Effectiveness Criterion: Operations

Information Security Compliance Policy

Policy Statement

Northwestern Michigan College takes a College-wide approach to information security to help identify and prevent the compromise of information and the misuse of College information technology. This policy and its corresponding plans hereby establish a framework of compliance to which all College faculty, staff, students and other associated entities must adhere when handling information.

Policy Requirements

Information security at Northwestern Michigan College is achieved by implementing a suitable set of controls. These include: processes, procedures, and software/hardware functions to protect information assets and preserve the privacy of Northwestern Michigan College employees, students, partners, vendors & suppliers, and other associated entities.

The College’s Systems & LAN Management department, Business and Finance department, and Student Financial Services will work together to develop, approve, and maintain an Information Security Plan to ensure compliance with regulations relating to Information Security including: the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act for Disclosure of Nonpublic Personal Information (GLBA), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry Data Security Standards (PCI DSS) Services, and Red Flag Rules (RFR).

All Information Technology personnel and users with access to sensitive data are required to sign and date the College Confidentiality Agreement at the time of hire, and annually thereafter.

Any College employee, student or non-college individual with access to College data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this plan and will be subject to appropriate disciplinary action, including but not limited to possible dismissal and/or legal action.

Reason for Policy

Northwestern Michigan College has an obligation to comply with Federal and State laws, regulations, policies, and standards associated with information security to preserve the confidentiality, integrity, and availability of information assets owned or entrusted by the College. Information security policies and procedures have been developed to allow the College to satisfy its legal and ethical responsibilities with regard to Information Technology (IT) resources.

Related Policy Information

Northwestern Michigan College's Acceptable Use of Information Technology Resources Policy contains the governing philosophy for effective and efficient use of the College's computing, communications, and information resources by all members of the College community.

Systems and LAN Management in cooperation with various departments will develop training and education programs to achieve technical proficiency and appropriate use of information assets.

Definitions

Availability of Information Assets — Timely and reliable access to and use of information.

Confidentiality of Information Assets — Authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Data Custodian — An employee of the College who has administrative and/or operational responsibility over information assets.

Data Owner — An individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department or administrative unit of the College.

Data User — A person including, but not limited to: administrators, faculty, staff, student employees, temporary employees, volunteers, or guests who has been granted explicit authorization to access the data by the owner.

Executive, Administrator, and Manager — Includes all persons whose assignments require primary (and major) responsibility for the management of the institution or a customarily recognized department or subdivision thereof. Assignments require the performance of work directly related to management policies or general business operations of the institution department or subdivision, etc. It is assumed that assignments in this category customarily and regularly require the individual to exercise discretion and independent judgment and to direct the work of others. Included in this category are all officers holding titles such as president, vice president, dean, director, or the equivalents, as well as officers subordinate to any of these administrators with such titles as associate dean, executive officer of academic departments (chair, heads, or the equivalent) if their principal activity is administrative.

Information Assets — Definable pieces of information in any form that have been recognized as "valuable" to the College and recorded or stored on any media.

Information Technology Resources — The data, applications, information assets, and related sources, such as personnel, equipment, networks, and computer systems of the College.

Information Security — Protection of the College's data, applications, networks, and computer systems from unauthorized access or alteration.

Integrity of Information Assets — Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

IT Security Practitioners — Network, system, application, and database administrators, computer specialists, security analysts, and security consultants.

Responsibilities

Chief Information Officer (CIO) — The Vice President for Student Services and Technologies is responsible for the oversight of the College's IT planning, budgeting, and performance including its information security components. Communicates requirements of information security regulations to College management and employees, acts as a technical resource for College compliance, and ensures that the Information Security Plan is being effectively carried out in accordance with regulatory and College requirements which meets or exceeds industry standards for information security.

Data Custodians — Grant access to users limited to the resources absolutely essential for completion of assigned duties or functions and nothing more. Examples of Data Custodians would be personnel from Administrative Services (ITS) and Systems & LAN Management (SLM).

Data Owners — Ensure that proper controls are in place to address information asset integrity, confidentiality, and availability of the IT systems and data they own. Examples of Data Owners would be Database Administrator (ITS), Senior Programmer/Analyst and Solution Architect (ITS), Network Systems and Data Communication Analyst (SLM).

Data User — Uses the data only for purposes specified by the owner, complies with security measures specified by the owner or custodian (i.e. securing login-ID and password), and does not disclose information or assert control over the data unless specifically authorized in writing by the owner of the data.

Executive, Administrator, and Manager — Ensures compliance with information security practices, protects College resources by adopting and implementing the security standards and procedures, and should ensure their department adopts standards that exceed the minimum requirements for the protection of College resources that are controlled exclusively within their department. Examples of this would be the Director of Administrative Systems, Director of Educational Media Technologies and the Director of Systems and LAN Management.

Vice President for Student Services and Technologies — Establishes the overall approach to governance and control by providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the College's resources are used responsibly.

IT Security Practitioners — Implement security requirements in the IT systems as changes occur. Examples of IT Security Practitioners would be Database Administrator (ITS), Senior Programmer/Analyst and Solution Architect (ITS), Network Systems and Data Communication Analyst (SLM).

Persons or organizations which use or provide information resources — Maintain and safeguard information assets, use these shared resources with consideration for others, and comply as required with all College policies, state and federal laws, regulations, and contractual obligations.

Additional Information

The VP for Student Services and Technologies, in conjunction with the appropriate faculty and staff, is responsible for the development and publication of any procedures or guidelines that may be necessary to administer this policy effectively. Relevant policies, guidelines, and forms include the Confidentiality Agreement, Acceptable Use of Information and Technology Resources, Information Security Roles and Responsibilities, Data Classification and Protection Standard, Identity and Access Management, Password Standards, Backup and Recovery Standard and others. More information about these guidelines and procedures is available from the office of the VP for Student Services and Technologies.

If any provision(s) of this policy or set of bylaws conflicts with laws applicable to Northwestern Michigan College, including the Community College Act of 1966, the Freedom of Information Act, or the Open Meetings Act, as each may be amended from time to time, such laws shall control and supersede such provision(s).

Adopted January 15, 2021