Written Information Security Program
Background
A Written Information Security Program (“WISP”) helps to define security objectives and obligations for an organization. A WISP helps demonstrate organizational commitment to maintain the security, confidentiality, integrity, and availability of sensitive information that Keuka College collects, creates, uses, and maintains. A WISP defines an information security program appropriate for the organization’s size, scope, and business and is a foundational element in the effort to protect sensitive and personally identifiable information. A WISP is a core component of data and information security governance, and successful implementation will:
• enable compliance with specific statutes and/or regulations that require a WISP;
• help provide visibility into existing and needed security practices;
• demonstrate proactive security practices and due diligence to third parties; and
• facilitate risk management to discover, document, and reduce risk to acceptable levels.
The program also acts as a roadmap for the implementation and maintenance of administrative, technical, and physical safeguards to protect sensitive systems and data while observing applicable regulatory requirements.
Purpose
The purpose of this WISP is to define, document, and support the implementation and maintenance of the administrative, technical, and physical safeguards Keuka College has selected to protect the personally identifiable information or other sensitive information it collects, creates, uses, and maintains.
This WISP has been developed in accordance with the following security best practices and regulations:
• NIST Special Publication 800-53 rev5 – The National Institute of Standards and Technology Special Publication 800-53 Revision 5 standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System within the context of Keuka College’s overall business risks.
• Data Security Regulation 201 CMR 17.00 - Standards for the protection of personal information of residents of the Commonwealth.
• Gramm-Leach-Bliley Act (GLB Act or GLBA) - Federal law enacted in 1999 which requires organizations that loan money to take measures to protect the financial information of individuals.
• Family Educational Rights and Privacy Act (FERPA) - Federal law enacted in 1974 requiring any school receiving federal funds to protect the privacy of educational records.
• Health Insurance Portability and Accountability Act (HIPAA) – Federal law enacted by the U.S. Congress in 1996 that mandates that covered entities implement reasonable and appropriate security measures to protect all electronic protected health information (ePHI) against reasonably anticipated threats or hazards.
• U.S. State Information Security Breach and Notification Acts – All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information.
If this WISP conflicts with any legal obligation or other Keuka College policy or procedure, the provisions of this WISP shall govern, unless the designated Information Security Coordinator specifically reviews, approves, and documents an exception.
This WISP will enable Keuka College to:
• Ensure the security, confidentiality, integrity, and availability of personal and other sensitive information Keuka College collects, creates, uses, and maintains.
• Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.
• Protect against unauthorized access to or use of Keuka College-maintained personal and other sensitive information that could result in substantial harm or inconvenience to any customer or employee.
• Define an information security program that is appropriate to Keuka College’s size, scope, and business, its available resources, and the amount of personal and other sensitive information that Keuka College owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
Vision, Mission, and Goals
Keuka College will strive to implement a robust NIST-based security program supported by policies, standards, procedures, and guidelines that address the twenty NIST security control families/domains. These domains are further described in the Keuka College Information Security Policy.
The mission of the program is to strengthen the security of the Keuka College environment by implementing a structured security program and ensuring that the relationship between information security and Keuka College objectives exists and is effective.
The goals of the information security program are to deploy security controls to reduce institutional risk to Keuka College-owned and operated information assets. Achieving these goals requires that Keuka College:
• align information security initiatives with Keuka College’s strategy;
• assign ownership and accountability for information security initiatives;
• monitor the status and efficacy of information security initiatives; and
• institute a process of continuous assessment and improvement.
Core tenets
The following five (5) core tenets represent the values and assumptions that will be considered when implementing the information security program:
• Risks are identified and managed in a coordinated and comprehensive way across the organization’s environment to enable effective allocation of information security resources. This involves promoting efficient and effective use of resources by taking a comprehensive and strategic approach to risk management.
• Understanding and accounting for dependencies within the organization’s environment when managing risks is critical to enhancing information security.
• Information sharing across the organization’s environment is paramount to gaining knowledge of information security risks.
• Partnership in implementing the organization’s information security program allows for unique perspectives in understanding information security gaps, challenges and solutions.
• Information security will be factored into all decisions regarding the organization’s assets, systems, and networks.
Scope
This WISP applies to all Keuka College employees, contractors, officers, and directors. It applies to any records that contain personal or other sensitive information in any format and on any media, whether in electronic or paper form.
For purposes of this WISP, “personal information” means either a US resident’s first and last name or first initial and last name in combination with any one or more of the following data elements, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:
- social security number;
- driver’s license number, other government-issued identification number, including passport number, or tribal identification number;
- account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual’s financial account. GLBA: or any personally identifiable financial information or consumer list, description, or other grouping derived from personally identifiable financial information, where personally identifiable financial information includes any information:
  - a consumer provides Keuka College to obtain a financial product or service;
  - about a consumer resulting from any transaction involving a financial product or service with Keuka College; or
  - information Keuka College otherwise obtains about a consumer in connection with providing a financial product or service.
- health information, including information regarding the individual’s medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional, created or received by Keuka College. HIPAA: which identifies or for which there is a reasonable basis to believe the information can be used to identify the individual and which relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual;
- health insurance identification number, subscriber identification number, or other unique identifier used by a health insurer;
- biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris;
- email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account; or
- FERPA-protected student data.
Personal information does not include lawfully obtained information that is available to the general public, including publicly available information from federal, state, or local government records. Please see the section on Data Classification for more information.
Roles and Responsibilities
To successfully manage risk across Keuka College, senior leadership must be committed to making information security a fundamental mission of Keuka College. This top-level commitment ensures that sufficient resources are available to develop and implement an effective, institution-wide security program. Effectively managing information security risk requires the following key elements:
• assignment of risk management responsibilities to appropriate senior leadership;
• ongoing recognition and understanding by senior leadership of the information security risks to Keuka College information assets, operations and personnel;
• establishment of the tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities; and
• holding senior leadership accountable for their risk management decisions.
Keuka College delegates management of the Information Security Program to the designated IT staff member(s) overseeing the Information Security Program.
Information Security Program Coordinator Responsibilities
Employee, contractor, and (as applicable) stakeholder training, including:
- providing periodic training regarding this WISP, Keuka College’s safeguards, and relevant information security policies and procedures for all employees, contractors, and (as applicable) stakeholders who have or may have access to personal or other sensitive information;
- ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation, through written acknowledgement forms or an online acknowledgement process; and
- retaining training and acknowledgment records.
Other responsibilities include:
- Reviewing this WISP and the security measures defined here at least annually, or whenever there is a material change in Keuka College’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.
- Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this WISP or Keuka College’s information security policies and procedures.
- Periodically reporting to Keuka College management regarding the status of the information security program and Keuka College’s safeguards to protect personal and other sensitive information.
Strategy
The key to ensuring that Keuka College’s security program is reasonable and usable is to develop a suite of policy documents that match Keuka College’s goals and culture. In order to achieve this, it is essential to involve and obtain support from senior leadership and the faculty, as well as from the people who will use the policy as part of their daily work.
Keuka College will:
- Develop and disseminate information security program standards and an information security plan that provides an overview of the requirements for the security program, a description of the security program management controls and common controls in place or planned for meeting those requirements. This plan will allow for community feedback and clarification before initiatives are undertaken.
- Establish and maintain organizational policies, standards, and procedures to address all relevant statutory and regulatory requirements, and ensure and support the confidentiality, integrity, and availability of its information assets.
- Make relevant policies, standards, and procedures readily available to all Keuka College staff members, faculty, students, and personnel.
- Conduct a periodic formal review of policies, standards, and procedures and update them, at a minimum, annually.
Risk Management
A core tenet of the Risk Management process is to understand that Keuka College is subject and vulnerable to threats. Risks to critical information assets may be intentional, accidental, or negligent; they may come from seasoned criminals or careless employees; they may cause minor inconvenience or extended service disruption; and they may result in severe financial penalties, loss of public trust, and damage to Keuka College’s reputation.
Identifying risks is the single most important step Keuka College can take to ensure the confidentiality, integrity, and availability of information assets. It is also an important component for achieving regulatory, commercial, and legal compliance.
Keuka College works to prioritize the actions that will be taken to mitigate risks, based on the identified vulnerabilities, the motivation of existing threat-sources, the costs of remediation, the probability that existing vulnerabilities will be exploited, and other factors.
Risk Assessment
Keuka College will identify all information assets, systems, and networks critical for continued operation, as well as the dependencies between these essential resources. Once an asset register exists, Keuka College can proceed with performing a Risk Assessment to identify the probability of occurrence, the resulting impact and additional safeguards that mitigate the potential impact.
Keuka College will conduct a periodic, documented risk assessment, at least annually, or whenever there is a material change in Keuka College’s business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.
The risk assessment shall:
- identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal or other sensitive information;
- assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the personal and other sensitive information; and
- evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
  - employee, contractor, and (as applicable) stakeholder training and management;
  - employee, contractor, and (as applicable) stakeholder compliance with this WISP and related policies and procedures;
  - information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal; and
  - Keuka College’s ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
Risk Mitigation
As part of risk management, Keuka College will:
- manage risk on a continuous basis;
- design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks. One or more of the following methods may be used to manage risk:
  - Risk Acceptance
  - Risk Avoidance
  - Risk Limitation
  - Risk Transference
- reasonably and appropriately address any identified gaps; and
- regularly monitor the effectiveness of Keuka College’s safeguards.
Information Security Policies and Procedures
As part of this WISP, Keuka College will develop, maintain, and distribute information security policies and procedures in accordance with applicable laws and standards to relevant employees, contractors, and (as applicable) other stakeholders to:
- Establish policies regarding:
  - information classification;
  - information handling practices for personal and other sensitive information, including the storage, access, disposal, and external transfer or transportation of personal and other sensitive information;
  - user access management, including identification and authentication (using passwords or other appropriate means);
  - encryption;
  - computer and network security;
  - physical security;
  - incident reporting and response;
  - employee and contractor use of technology, including Acceptable Use and Bring Your Own Device to Work (BYOD); and
  - information systems acquisition, development, operations, and maintenance.
- Detail the implementation and maintenance of Keuka College’s administrative, technical, and physical safeguards.
Safeguards
Keuka College will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal or other sensitive information that Keuka College owns or maintains on behalf of others.
- Safeguards shall be appropriate to Keuka College’s size, scope, and business, its available resources, and the amount of personal and other sensitive information that Keuka College owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
- Keuka College shall document its administrative, technical, and physical safeguards in Keuka College’s information security policies and procedures.
- Keuka College’s administrative safeguards shall include, at a minimum:
  - designating one or more employees to coordinate the information security program;
  - identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks;
  - training employees in security program practices and procedures, with management oversight;
  - selecting service providers that are capable of maintaining appropriate safeguards, and requiring service providers to maintain safeguards by contract; and
  - adjusting the information security program in light of business changes or new circumstances.
Keuka College’s technical safeguards shall include maintenance of a security system covering its network (including wireless capabilities) and computers that, at a minimum, and to the extent technically feasible, supports:
- secure user authentication protocols, including:
  - controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices;
  - restricting access to active users and active user accounts only and preventing terminated employees or contractors from accessing systems or records; and
  - blocking a particular user identifier’s access after multiple unsuccessful attempts to gain access or placing limitations on access for the particular system.
- secure access control measures, including:
  - restricting access to records and files containing personal or other sensitive information to those with a need to know to perform their duties; and
  - assigning to each individual with computer or network access unique identifiers and passwords (or other authentication means, but not vendor-supplied default passwords) that are reasonably designed to maintain security.
- encryption of all personal or other sensitive information traveling wirelessly or across public networks;
- encryption of all personal or other sensitive information stored on laptops or other portable or mobile devices, and to the extent technically feasible, personal or other sensitive information stored on any other device or media (data-at-rest);
- reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to personal or other sensitive information or other attacks or system failures;
- reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) personal or other sensitive information; and
- reasonably current system security software (or a version that can still be supported with reasonably current patches and malicious software (“malware”) definitions) that (1) includes malware protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis.
Keuka College’s physical safeguards shall, at a minimum, provide for:
- defining and implementing reasonable physical security measures to protect areas where personal or other sensitive information may be accessed, including reasonably restricting physical access and storing records containing personal or other sensitive information in locked facilities, areas, or containers;
- preventing, detecting, and responding to intrusions or unauthorized access to personal or other sensitive information, including during or after data collection, transportation, or disposal; and
- secure disposal or destruction of personal or other sensitive information, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.
Service Provider Oversight
Keuka College will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain personal or other sensitive information on its behalf by:
- Evaluating the service provider’s ability to implement and maintain appropriate security measures, consistent with this WISP and all applicable laws and Keuka College’s obligations.
- Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this WISP and all applicable laws and Keuka College’s obligations.
- Monitoring and auditing the service provider’s performance to verify compliance with this WISP and all applicable laws and Keuka College’s obligations.
Monitoring
Keuka College will regularly test and monitor the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal or other sensitive information. Keuka College shall reasonably and appropriately address any identified gaps.
Incident Response
Keuka College will establish and maintain policies and procedures regarding information security incident response. Such procedures shall include, but are not limited to:
- Documenting the response to any security incident or event that involves a breach of security.
- Performing a post-incident review of events and actions taken.
- Reasonably and appropriately addressing any identified gaps.
Information Security Program Review
Keuka College will review this WISP and the security measures defined herein at least annually, or whenever there is a material change in Keuka College’s business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information. This annual review will include, but is not limited to, the following information security topics:
- Governance of the Information Security Program
- Review of each of the core Information Security Policies and Procedures
- Risk Assessment and any other applicable Security Assessments
- Incident Response
- Business Continuity
- Security Awareness and Training
Results of the Information Security Program Review will be documented and used to improve upon the plan.
To effectively manage the Information Security Program, Keuka College:
- Shall retain documentation regarding any such program review, including any identified gaps and action plans.
- Reserves the right to change, modify, or otherwise alter this Program at its sole discretion and at any time as it deems circumstances warrant.
Information Security Road Map
The Information Security Program describes Keuka College’s current and planned security priorities. Action items listed within the plan may not always be implemented but will lay a path forward for the Information Security Program. These action items will be reviewed by relevant Keuka College parties to determine the merit, scope, and risk involved with implementation.
Corrective Action Plans
Keuka College will regularly evaluate progress on the security program implementation and risk management by reviewing and updating the Corrective Action Plans that are generated by Keuka College’s Information Security Program. These plans will document Keuka College’s efforts towards implementation of the NIST SP 800-53r5 controls.
Enforcement
Violations of this WISP will result in disciplinary action, in accordance with Keuka College’s information security policies and procedures and human resources policies. Please see the Sanction Policy for details regarding Keuka College’s disciplinary process.
Compliance
In support of the objectives of this WISP, Keuka College has created policies, procedures, standards, and guidelines. The primary supporting policies include but are not limited to:
Keuka College must also comply with the following:
• Electronic Communications Privacy Act (ECPA) - Federal law which specifies the standards by which law enforcement is permitted to access electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet technologies.
• U.S. Patriot Act - An antiterrorism law enacted by the U.S. Congress in October 2001, which gave certain additional new powers to the U.S. Department of Justice, the National Security Agency and other federal agencies for surveillance of electronic communications.
• Technology Education and Copyright Harmonization Act (TEACH) - Amendments to sections 110(2) and 112(f) of the U.S. Copyright Act, which were enacted to balance the perspectives of both copyright owners and content users for academic organizations.
• Executive Order 13224 - Federal Executive Order which provides a means to disrupt the financial support network for terrorists and terrorist organizations by authorizing the U.S. Government to designate and block the assets of foreign individuals.
• Various U.S. State Security Breach and Notification Acts - Laws requiring notification to individuals and State agencies after a security incident has occurred involving the loss of or unauthorized access to certain private non-public information.
• Higher Education Opportunity Act (HEOA) - Federal law which, among other requirements, addresses colleges’ and universities’ responsibilities relating to copyrighted materials.