Information Technology Policies

Information Security Policy

Purpose

This Information Security Policy (“ISP”) is based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 rev5. This framework assists in the protection of the information assets possessed by Keuka College and is a supporting document for the Written Information Security Program.

The purpose of this ISP is to establish Keuka College’s role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables Keuka College to implement a comprehensive institution-wide Information Security Program. 

Scope

The scope of this ISP includes all information assets governed by Keuka College. All personnel and service providers who have access to or utilize assets of Keuka College, including data at rest, in transit, or in process, shall be subject to these requirements.

This policy applies to:

  • all information assets operated by Keuka College;
  • all information assets provided by Keuka College through contracts, subject to the provisions and restrictions of the contracts; and
  • all authenticated users of Keuka College information assets and resources. All third parties with access to Keuka College's non-public information must operate in accordance with a service provider contract containing security provisions consistent with, but not limited to, the requirements governed by this ISP.

Implementation

Keuka College needs to protect the availability, integrity and confidentiality of data while providing information resources to fulfill its mission. The Information Security Program will utilize a risk-based approach when pursuing Information Security efforts. Implementation decisions are generally made based on addressing the highest risk first. Keuka College recognizes that fully implementing all controls within the NIST Standards is not possible due to institutional limitations and resource constraints. Keuka College must implement the NIST standards whenever possible within commercially reasonable efforts, and document exceptions in situations where doing so is not feasible. 

Roles and Responsibilities

Keuka College delegates management of the Information Security Program to the Information Security Coordinator or designee.

Information and System Classification

Keuka College establishes and maintains security categories for both information and information systems. More information can be found in the Data Classification Policy.

Provisions for Information Security Standards

The Information Security Program is framed on guidance from the National Institute of Standards and Technology (NIST). Keuka College must develop the control standards and procedures required to support the Information Security Policy Framework. This framework is further defined by control standards, procedures, control metrics, and control tests to assure functional verification.

The Information Security Program is based on NIST Special Publication (SP) 800-53r5; this publication is categorized into 20 control groupings, herein referred to as Information Security Standards. These Standards must meet all statutory and contractual requirements, including but not limited to the Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), and U.S. State Information Security Breach and Notification Acts.

Access Control (AC)

Keuka College must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise. All Keuka College personnel will be provided with a unique username and password to access any College-owned system or application. Passwords will be required to meet the institution's Password Policy. Personnel are required to protect and not misuse their user IDs and passwords. Access to Keuka College information, regardless of the form of the information, will only be performed for legitimate business purposes. No user is permitted to access, read, edit, print, copy, transfer, or delete information maintained by any other user unless given permission by the data owner to do so. Access Controls are defined and supported under the Acceptable Use Policy.

Awareness and Training (AT)

Keuka College must: 

  • ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of the College's information systems; and
  • ensure that Keuka College personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU)

Keuka College must: 

  • create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity, at a minimum on protective enclave systems specific to confidential data and confidential networks; and
  • ensure that the actions of individual information system users can be uniquely traced for all restricted systems.

Assessment, Authorization, and Monitoring (CA)

Keuka College must: 

  • periodically assess the security controls in the College's information systems to determine if the controls are effective in their application;
  • develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in the College's information systems;
  • authorize the operation of the College's information systems and any associated information system connections; and
  • monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM)

Keuka College must: 

  • establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and
  • establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP)

Keuka College must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for Keuka College's information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA)

Keuka College must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to the College's information systems.

Incident Response (IR)

Keuka College must: 

  • establish an operational incident handling capability for the College's information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and
  • track, document, and report incidents to appropriate College officials and/or authorities.

Maintenance (MA)

Keuka College must:

  • perform periodic and timely maintenance on the College's information systems; and
  • provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP)

Keuka College must: 

  • protect information system media, both paper and digital;
  • limit access to information on information system media to authorized users;
  • employ encryption, where applicable; and
  • sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE)

Keuka College must: 

  • limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
  • protect the physical plant and support infrastructure for information systems;
  • provide supporting utilities for information systems;
  • protect information systems against environmental hazards; and
  • provide appropriate environmental controls in facilities containing information systems.

Planning (PL)

Keuka College must develop, document, periodically update, and implement security plans for the College’s information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Program Management (PM)

Keuka College must implement security controls to provide a foundation for the organizational information security program.

Personnel Security (PS)

Keuka College must: 

  • ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions;
  • ensure that Keuka College information and information systems are protected during and after personnel actions such as terminations and transfers; and
  • employ formal sanctions for personnel failing to comply with information security policies and procedures.

Personally Identifiable Information Processing and Transparency (PT)

Keuka College must:

  • define, document, and support the implementation and maintenance of the administrative, technical, and physical safeguards Keuka College has selected to protect the personally identifiable or other sensitive information it collects, creates, uses, and maintains; and
  • within commercially reasonable efforts, meet all of its legal, regulatory, and security best practice obligations.

Risk Assessment (RA)

Keuka College must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA)

Keuka College must: 

  • allocate sufficient resources to adequately protect the College's information systems;
  • employ system development life cycle processes that incorporate information security considerations;
  • employ software usage and installation restrictions; and
  • ensure that third-party providers employ adequate security measures, through federal and state laws and contract, to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC)

Keuka College must: 

  • monitor, control, and protect communications (i.e., information transmitted or received by Keuka College information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and
  • employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within Keuka College information systems.

System and Information Integrity (SI)

Keuka College must: 

  • identify, report, and correct information and information system flaws in a timely manner;
  • provide protection from malicious code at appropriate locations within Keuka College's information systems; and
  • monitor information system security alerts and advisories and take appropriate actions in response.

Supply Chain Risk Management (SR)

Keuka College must:

  • design, implement, and maintain reasonable and appropriate safeguards in relation to its place in the supply chain and its vendors to help minimize risks;
  • oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain personal or other sensitive information; and
  • perform vendor due diligence by evaluating the security posture of third parties prior to providing them with access to create, collect, use, or maintain personal or other sensitive information.

Enforcement

Keuka College may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security, or functionality of the institution and its computer resources.

Violations of this Policy, or any supporting document, may result in disciplinary action in accordance with College policy. 

Privacy

Keuka College is committed to protecting the privacy of every user. Appropriate safeguards are used to ensure the security of personally identifiable information and Keuka College will make every reasonable effort to respect and protect a user's privacy. 

Exceptions

Exceptions to the policy may be granted by the Associate Vice President of Technical Solutions after a risk assessment. All exceptions must be documented properly and reviewed no less than annually.

Disclaimer

Keuka College disclaims any responsibility for and does not warrant information and materials residing on non-institutional systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions or values of Keuka College, its faculty, staff or students.