Information Security – User Responsibilities for Information Technology Resources

INFORMATION SECURITY


The Chief Information Officer (CIO) establishes procedures for Information Security.

Various Information Technology Department policies exist to ensure the security and integrity of Navarro College Information Technology Department resources (IT resources).   In addition, a set of Information Technology Department procedures is maintained in the Computer.

Use of IT resources may be monitored by the appropriate Navarro College authority to ensure proper and efficient usage, as well as to identify problems or to check for security violations.  Users must comply with all applicable state and federal laws and may be subject to criminal prosecution for violation thereof under state and federal laws.


USER ACCESS ACCOUNTS


Access to Navarro College IT resources (i.e., email, Colleague, file shares, etc.) will be granted after proper paperwork has been submitted and approved. Each user will be issued his/her own account to access network resources. User accounts shall not be shared.

PURPOSE
The computer and networking resources are the property of Navarro College. The purpose of this policy is to facilitate prompt network account creation, deletion, and modification while maintaining the integrity of the data and network.

SCOPE
Every faculty member, staff member, and administrator is allocated an account to access network resources. This account is for the exclusive use of the user who is assigned the account and password. Lending an account to another person is not permitted; it is considered a violation of College policy and may result in disciplinary action.

Persons eligible for Navarro College IT Resources accounts:

  • Full-time Faculty
  • Full-time Staff
  • Adjunct Faculty
  • Part-time Staff
  • Temporary Faculty
  • Temporary Staff
  • Students
  • Contract Employees

GENERAL GUIDELINES
In order to access the network, email, WebAdvisor, Blackboard, Colleague, and the wireless network, all employees must have a network and email account. Usernames are generated by Colleague when an employee is entered into the system. It is the responsibility of the Human Resources Department to request that the network account be activated and an email account be created.

NEW EMPLOYEES
Requests for network and email accounts must be submitted on the Password Agreement Form and must be completed by an employee’s dean, supervisor, or their official designee. The form must bear the approval signature of the immediate supervisor or official designee. The form should then be returned to the Human Resources Department. The Human Resources Department will then forward the approved form to the Information Technology Department for account creation. Network and email accounts cannot be created until HR has all the necessary paperwork for the new employee and has completed the data entry for that person. At this time, most paperwork is not completed until the new employee has attended orientation.

ADJUNCT FACULTY ACCOUNTS
Requests for new accounts for Adjunct Faculty must use the Password Agreement form and follow the same procedure as New Employees. Any changes to the Adjunct Faculty’s employment status (i.e. becomes a Full Time Faculty, or is no longer employed by the College) requires that updated paperwork be submitted to the Human Resources Department, then forwarded to the Information Technology Department.

TEMPORARY EMPLOYEES
If an employee is hired on a temporary basis, the end date must be included on the request form. At the end of that day, the employee will no longer have access to the network or email. A new form must be completed if the contract is extended, if they leave prior to the end of the contract, or they become a permanent employee.

STUDENT ASSISTANTS/WORK STUDY STUDENTS
If a student assistant or work study student needs a network account, a Password Agreement form must be completed and submitted to the Human Resources Department (then forwarded to the Information Technology Department). When a student is no longer employed by Navarro College, a form must be completed by the supervisor or designee and submitted to Human Resources.

STUDENT ACCOUNTS
All currently enrolled students have Google email accounts created as part of an automated process. Prospective students may also have Google email accounts created automatically.

Student accounts to access WebAdvisor, Blackboard Learn, Blackboard Transact, Blackboard Connect, Horizon Library System, and the wireless network are also created by automated process. Student email, WebAdvisor and Blackboard accounts are never deleted. The student accounts for other Navarro College systems are deactivated at the end of each semester. Enrollment in the current term will cause the accounts to be reactivated.

OTHER REQUESTS FOR ACCOUNTS
Requests for access to IT resources from other parties may be granted with approval from the appropriate administrative levels. A completed and approved Password Agreement form must be provided before account creation.

CHANGING LOCATION, JOB, ETC.
If an employee is changing positions within the College, a change form must be completed by the new supervisor or designee, submitted to Human Resources, and forwarded to the Information Technology Department.

NAME CHANGES
Before you can request a name change for network/email, HR must complete the paperwork and have the new data entered into Colleague. Once the changes have been made, the user should complete the Password Agreement form as an Account Modification, get approval from Human Resources, and forward to the Information Technology Department.

TERMINATION/RESIGNATION/RETIREMENT
In order to make sure only authorized employees access the network, the Human Resources Department must notify the Information Technology Department when an employee resigns or is terminated. The Information Technology Department will be notified by Human Resources (HR) at the end of each month, with a list of users that have left the college in the past month. If the Information Technology Department has not received this list by the 1st of the month, a reminder email will be sent to HR requesting this information. In the event of termination or resignation of employees with access to sensitive data, such as Colleague, the Human Resources Department should strive to notify the Information Technology Department prior to the employee leaving the premises so that access to the sensitive IT resources can be revoked immediately.

ACCESS TO COLLEAGUE
Requests for accounts with Colleague access must be approved by the appropriate Dean or administrator. The specific access level for the employee must be included in the request. The Information Technology Department reserves the right to question any requests in which access levels are deemed to be unusual or unreasonable for the position requesting access.

ENFORCEMENT
To access the network and email, each person must log on with their account. Faculty and staff will have network and email accounts in the Navarro College domain. Generic accounts (Yahoo, AOL, Gmail, etc…) are not permitted. Users must not give anyone their password or logon to allow another user to access the network. Any member of staff or student found to have violated this policy may be subject to disciplinary action.


PASSWORDS


INTRODUCTION
This policy governs password creation, usage and protection within Navarro College. User authentication is the means by which an Information Technology Department (IT) resource verifies that a user is who they claim to be before granting access.

The following factors can be used to authenticate a user. Any of these by themselves or in any combination can be used:

  • Something the employee knows – password, Personal Identification Number (PIN)
  • Something the employee has – Smartcard
  • Something the employee is – fingerprint, voice scan, etc.

Passwords are the most widely used user authentication factor. They are an important aspect of computer security because they provide the front line of protection for user accounts. A weak password may result in the compromise of Navarro College’s entire network. As such, all authorized users of Navarro College IT Resources are required to take appropriate steps, as outlined below, to select and secure their passwords.

PURPOSE
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

SCOPE
This policy applies to:

  • All individual users (Navarro College students, faculty, staff, and others affiliated with Navarro College, including but not limited to those in program or contract relationship with Navarro College), who use the IT resources provided by Navarro College.
  • All IT resources owned or managed by Navarro College.

DEFINITIONS
The following terms are used in this policy. Knowledge of these definitions is important to an understanding of this policy:

  1. IT Resources: This includes, but is not limited to, computers, computing staff, hardware, software, networks, computing laboratories, databases, files, information, software licenses, computing-related contracts, network bandwidth, user IDs, passwords, documentation, disks, CD-ROMs, DVDs, magnetic tapes, and electronic communication.
  2. Password: A string of characters which serves as authentication of an individual’s identity, which may be used to grant or deny access to private or shared data.
  3. Password History File: An encrypted file that contains previous passwords used by the User ID.
  4. Password Lifetime: The length of time a password may be used before it must be changed.
  5. Strong Password: Strong passwords are constructed of a sequence of upper and lowercase letters, numbers, and special characters, depending on the capabilities of the operating system or application. Typically, the longer the password the stronger it is. Passwords must be unique across all IT resources and not easily tied back to the user, such as: User ID, given name, social security number, employee number, telephone or office numbers, address, nicknames, family or pet names, birth date, license plate number, etc.
  6. User Account: The user account is made up of the User ID and password.
  7. User: The individual requesting a user account in order to perform work in support of a Navarro College program or a project, by accessing the Navarro College computer network.
  8. User ID: Also referred to as a username or login ID. A User ID identifies the user on the system and has an associated password.
PASSWORD CRITERIA
When composing a password, it must adhere to the following standards:

  • Passwords must be a minimum of eight (8) characters.
  • Passwords must be complex and difficult to guess (strong passwords must be used).
  • Passwords must not be reused (verified against a password history file that is set to the maximum size that the system supports).
  • Passwords must be changed every ninety (90) days (maximum lifetime).

When using a user account, the following standards must be enforced:

  • User accounts must be locked out for a period of time after a maximum of five (5) unsuccessful attempts to gain access to a user account.
  • If any part of the logon process (User ID, Password, etc.) is incorrect, the user must not be given specific feedback indicating the source of the problem. Instead, the user must simply be informed that the entire logon process was incorrect.
  • Passwords issued by a password administrator must be pre-expired, forcing the user to choose another password before the logon process is completed.
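The following is an added example, not Navarro College's own code, showing how the password criteria and account standards above translate into enforcement logic: the eight-character minimum, complexity, reuse checking against a salted password history, the 90-day lifetime, lockout after five failed attempts, a single generic logon error that does not reveal whether the User ID or the password was wrong, and pre-expired administrator-issued passwords. The class and function names, the 15-minute lockout period (the policy says only "a period of time") and the sample user data are assumptions.

```python
# Added example, not Navarro College's own code: a minimal account model that
# enforces the password criteria above (8-character minimum, complexity, no
# reuse against a password history, 90-day maximum lifetime, lockout after five
# failures, one generic logon error, pre-expired administrator-issued passwords).
# Names, the 15-minute lockout period and the sample data are assumptions.
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_LIFETIME = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_PERIOD = timedelta(minutes=15)  # the policy says only "a period of time"
GENERIC_ERROR = "Logon failed"          # never reveals which part was wrong


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the history file never holds plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password_policy(password, user_id, personal_terms, history):
    """Return the list of violated rules; an empty list means the password is acceptable.

    personal_terms: strings tied to the user (names, phone numbers, ...).
    history: the password-history file as a list of (salt, digest) pairs.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append("must mix upper and lower case, digits and special characters")
    for term in (user_id,) + tuple(personal_terms):
        if term and term.lower() in password.lower():
            problems.append("contains information tied to the user (%s)" % term)
    if any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in history):
        problems.append("reused from password history")
    return problems


class Account:
    def __init__(self, user_id, personal_terms=()):
        self.user_id, self.personal_terms = user_id, tuple(personal_terms)
        self.history = []                   # (salt, digest) pairs, oldest first
        self.salt = self.digest = self.changed_at = self.locked_until = None
        self.must_change, self.failed = False, 0

    def set_password(self, password, now, issued_by_admin=False):
        problems = check_password_policy(password, self.user_id, self.personal_terms, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt, self.digest = hash_password(password)
        self.history.append((self.salt, self.digest))
        self.changed_at = now
        self.must_change = issued_by_admin  # admin-issued passwords are pre-expired

    def logon(self, user_id, password, now):
        """Return 'ok', 'change_required' or GENERIC_ERROR (the same text for every failure)."""
        if self.locked_until and now < self.locked_until:
            return GENERIC_ERROR
        genuine = (user_id == self.user_id and self.digest is not None
                   and hmac.compare_digest(hash_password(password, self.salt)[1], self.digest))
        if not genuine:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until, self.failed = now + LOCKOUT_PERIOD, 0
            return GENERIC_ERROR
        self.failed = 0
        if self.must_change or now - self.changed_at >= MAX_LIFETIME:
            return "change_required"
        return "ok"


def demo():
    """Walk one constructed account through the lifecycle; returns the observed outcomes."""
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed timestamp
    acct = Account("jdoe", personal_terms=("Jane", "Doe", "555-0100"))
    out = {"weak": check_password_policy("jdoe2024", "jdoe", ("Jane",), [])}
    acct.set_password("Tmp!Pass1", t0, issued_by_admin=True)
    out["admin_issued"] = acct.logon("jdoe", "Tmp!Pass1", t0)
    acct.set_password("Gr8!Secur3", t0)
    out["good"] = acct.logon("jdoe", "Gr8!Secur3", t0)
    out["wrong_user"] = acct.logon("jdoe2", "Gr8!Secur3", t0)
    out["wrong_pass"] = acct.logon("jdoe", "nope", t0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.logon("jdoe", "bad", t0)
    out["locked"] = acct.logon("jdoe", "Gr8!Secur3", t0)
    out["unlocked"] = acct.logon("jdoe", "Gr8!Secur3", t0 + LOCKOUT_PERIOD)
    out["expired"] = acct.logon("jdoe", "Gr8!Secur3", t0 + MAX_LIFETIME)
    try:
        acct.set_password("Gr8!Secur3", t0)
        out["reuse"] = "accepted"
    except ValueError as err:
        out["reuse"] = str(err)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Note that a wrong User ID, a wrong password and a locked account all produce the identical `GENERIC_ERROR` string, which is what the "no specific feedback" standard above requires; the only way the caller learns the account is locked is by the same failure message persisting until the lockout period elapses.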

PASSWORD PROTECTION

All passwords shall be treated as sensitive, confidential Navarro College information and therefore must be protected as such:

  • All vendor-supplied default passwords for software, application and devices must be changed before any IT resource is used on the Navarro College network.
  • Passwords must not be reset by a password administrator without the user first providing definitive evidence substantiating his or her identity.
  • Passwords issued by a password administrator must be unique and must be sent via a communications channel other than the channel used to log-in to the system.
  • Passwords must never be shared or revealed to anyone other than the authorized person. Passwords must not be written down on any medium.
  • Passwords must immediately be changed if the user suspects their user ID or password has been disclosed to an unauthorized person or if a system has been compromised or is under the suspicion of having been compromised.

VIOLATION OF POLICY

Navarro College considers any violation of this policy to be a serious offense and reserves the right to copy and examine any files or information resident on Navarro College IT resources to ensure compliance. Violations of this policy should be reported to the appropriate Navarro College authority.

DISCIPLINARY ACTIONS
Violators of this policy may be subject to disciplinary action up to and including dismissal or expulsion pursuant to applicable Board policies.


PHYSICAL ACCESS CONTROL


PURPOSE
The purpose of this procedure is to define the process that protects Navarro College’s IT resources and computing facilities from access by unauthorized personnel. The Information Technology Department expects all staff members to be cognizant of the financial investment the College has made in computing equipment and facilities. The Information Technology Department considers the entire facility to be a controlled access environment. All staff must respect issues relating to Physical Security. After-hours access to secured areas must be limited and monitored.

POLICY
All Information Technology Department staff have key access to allow them to enter those areas where they have a legitimate business need, including open office and administration areas. Select employees, based on business need, also have access to the Data Center. Information Technology Department personnel needing access privileges must request access from the CIO. The Operations staff and Network Support staff have a legitimate and primary need for access to the Data Center; most other business can be accomplished without physical entry into the room. Server room access is granted only to key individuals and management. Facilities are not to be left unstaffed.

During normal work hours, all other employees and visitors wishing to enter the Data Center must sign in on the visitors’ log. The appropriate Information Technology Department staff will be notified of their arrival and will accompany them for the duration of their visit in the Data Center. During non-work hours, access is restricted to authorized Information Technology Department staff and service personnel only. Information Technology Department staff are to ensure that the facility is secure at all times, including ensuring that doors are properly closed and offices are locked.

Upon separation from the College, individuals with access to the Data Center will have their electronic access revoked and documented. If the individual possesses physical keys to areas of the Information Technology Department, those items will be collected by the CIO administrator and documented.


SECURITY FOR MOBILE COMPUTING AND STORAGE DEVICES


INTRODUCTION
This Security for Mobile Computing and Storage Device Policy within Navarro College is established to ensure the security of Protected Confidential Information (“PCI” or “PCI Data”) that may be stored on those devices. This is an interim policy that may be modified as additional operational and technical solutions are developed to address the issues.

SCOPE
This policy covers all Navarro College employees, whether full or part-time, and all consultants or contracted individuals retained by any Navarro College employees, who have access to PCI data.   This policy covers mobile computing devices and mobile storage.  This includes both Navarro College owned devices as well as non-Navarro College owned devices used by employees or others in the conduct of Navarro College business.

DEFINITIONS
The following terms are used in this Policy. Knowledge of these definitions is important to an understanding of this Policy:

  • Navarro College Authority – the District President or designee.
  • Mobile Computing Device – The term “mobile computing device” refers to a portable computing or telecommunications device that can execute programs. This definition includes, but is not limited to, notebooks, palmtops, PDAs, iPods, BlackBerry devices, and cell phones with internet synching/browsing capability.
  • Mobile Storage Device – The term “mobile storage device” includes but is not limited to, mobile computing devices, diskettes, magnetic tapes, external/removable hard drives, flash cards (e.g., SD, Compact Flash), thumb drives (USB keys), jump drives, compact disks, digital video disks, etc.
  • Non-Navarro College Owned Device – Any mobile computing or mobile storage device that Navarro College did not purchase and/or does not own.
  • Protected Confidential Information (PCI) – Data which, if exposed to any security risk or otherwise disclosed, would violate Federal or State law or Navarro College contract or policy. PCI data includes:
    • PCI Identity Data, as described in the next definition;
    • Non-Public Directory Information;
    • Academic Data; and
    • Other confidential data which may be further defined as part of a comprehensive Data Classification Policy.
  • PCI Identity Data – PCI Identity Data (also referred to as PII Data) is a sub-set of the broader PCI category, and includes the following data elements which, if improperly disclosed, could be used for identity theft or to cause financial harm to an individual or Navarro College if used in conjunction with other available information (e.g. name, address, telephone number, etc.). Examples of PCI Identity Data are:
    • Social Security Number
    • Date of Birth
    • Mother’s Maiden Name
    • Student Loan Data
    • Bank Account Numbers
    • Credit Card Numbers
  • Data Classification Policy – A policy which defines high level categories of data for the purpose of managing data and information assets with regard to their level of confidentiality and criticality. PCI, as defined in this policy, is the first category to be defined as part of a comprehensive Navarro College data classification policy.
  • Secure Mobile Device – A mobile device that has a sufficient level, as defined by this policy and Navarro College standards, of access control and protection from malicious software and strong encryption capabilities to ensure the protection and privacy of Navarro College data that may be stored on the mobile device.
SECURITY REQUIREMENTS FOR PCI DATA
The security requirements for all PCI Data are:

  • No PCI shall reside on any mobile device except as set forth in this policy.
  • PCI that resides on any mobile device used for Navarro College business shall be:
    • Limited to the minimum data necessary to perform the business function;
    • Stored only for the time needed to perform the business function;
    • Protected from unauthorized access and disclosure in accordance with this and other applicable Navarro College IT policies, using all reasonably available security precautions, including appropriate access control and protection from viruses and malware. Users shall not bypass or disable these security mechanisms under any circumstances; and
    • Subject to additional security standards that will be developed for protecting PCI data as outlined in Section 7. Future Security Requirements.

ADDITIONAL SECURITY REQUIREMENTS FOR PCI IDENTITY DATA
Additional security requirements which apply only to PCI Identity Data are:

  • No PCI Identity Data shall reside on any mobile device used for Navarro College business until standards for secure mobile devices have been developed for and implemented in the Navarro College System. However, Navarro College business necessity requires that certain PCI Identity Data may reside on mobile devices until such standards are implemented, provided that all other current Navarro College IT policies are followed and all reasonably available security precautions are taken, and limited to the following circumstances:
    • Secure backup storage of College or System data required to ensure data retention or continuity of operations in the event of data loss;
    • Transmission of data via mobile storage device necessary to comply with Federal or State laws or regulations; and
    • Other circumstances as approved by the Navarro College Authority, in accordance with the requirements that follow.
  • Users are required to consult with the appropriate Navarro College authority before placing any PCI Identity Data on a mobile device used for Navarro College business.
  • Users must adhere to the following restrictions and requirements before placing PCI Identity Data on any mobile device:
    • The Navarro College Authority must assess and determine, in advance:
      • That the storing of Navarro College PCI Identity Data on the mobile device is necessary to conduct College business operations;
      • That reasonable alternative means to provide the user with access to that Navarro College PCI Identity Data for the required purpose and timeframe are not readily available; and
      • That the business need necessitating storage of PCI Identity Data on the mobile device outweigh(s) the associated risk(s) of loss or compromise.
    • The Navarro College authority must maintain a written record of the assessment and determination.
    • Any PCI Identity Data placed on a mobile device shall be documented and tracked by the Navarro College authority. The information tracked shall include the identification of the individual authorizing storage of the data on the mobile device, the authorized user of the mobile device, the fixed asset inventory tag of the mobile device where applicable, information about the stored data, and the final disposition of that data.

GENERAL SECURITY REQUIREMENTS

  • Users in possession of mobile devices which contain PCI, during transport or use in public places, meeting rooms and other unprotected areas, must take all reasonable and appropriate precautions to protect and control these devices from unauthorized physical access, tampering, loss or theft, and shall not leave such devices unattended in such areas.
  • Users of mobile devices shall follow the reporting, investigation and other guidelines outlined in the Navarro College Major Information Security Incident Response Policy, or other applicable policies that may be adopted from time to time, for lost or stolen mobile devices which may contain PCI.
  • In the event that a mobile device which may contain PCI is lost, stolen, or misplaced, and/or the user has determined that unauthorized access has occurred, the user must immediately notify his or her supervisor and the CIO of the incident. The Security Coordinators designated under the Navarro College Major Information Security Incident Response Policy are responsible for initial coordination and evaluation of information security incidents in accordance with that policy.

ANTI-VIRUS/ANTI-SPAM


INTRODUCTION
Computer malware and spam impact productivity, increase support costs, and can result in the compromise or loss of data and reputation. Malware can originate from a range of sources, spread rapidly, and require a comprehensive approach to ensure the risk it poses is effectively managed. This comprehensive approach requires the full co-operation of all Navarro College staff, faculty, and students.

DEFINITIONS

Anti-Virus – A software product that detects and removes malicious email attachments, content within email or other documents. It may be on a local PC, a server or both.

Anti-Spam – A software product that detects and deletes spam using an analytical process that determines the validity of an incoming or outgoing email by its content.

Spam – Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; any junk e-mail.

Malware – software that is written and distributed for malicious purposes, such as impairing or destroying computer systems, or sending personal data about the user to unauthorized parties over the Internet. Computer viruses or worms are considered to be malware.

SCOPE

This policy applies to all College staff, faculty, students or third parties using devices connected to or interacting with the College Network. Unauthorized use of college email and technology services in connection with the transmission of unsolicited e-mail and/or malware, including the transmission of e-mail and/or malware in violation of this policy, may result in civil, criminal, or administrative penalties against the sender and those assisting the sender.

Third parties are defined as any individual, group contractor, vendor or agent not registered as a college staff member, faculty member or student. Third Party Access is defined as all local or remote access (including sending email) to the College Network or devices attached to the College Network for any purpose by any individual, group contractor, vendor or agent not registered as a College staff member, faculty member or student.

USER RESPONSIBILITIES
All Navarro College network users have a responsibility to protect any device they use to connect to the college network by ensuring that the correct anti-virus product is installed and that it is up to date. This relates to all college-owned hardware and authorized private hardware. All users are required to protect their systems from malware infection and follow the guidelines on spam email as outlined below.

ANTI-VIRUS PROTECTION FOR USERS OF COLLEGE-OWNED AND AUTHORIZED PRIVATE COMPUTERS
Intentional or careless interference with or disruption of computer systems and networks and related services is not allowed. This includes, but is not limited to, the propagation of computer “worms,” “viruses” and “Trojan Horses” and other activities that could have a negative impact on the Navarro College computing environment in the judgment of the CIO or designee.

Unapproved anti-virus products may not be installed on college-owned computers. Users may not attempt to alter the configuration or disable the existing anti-virus product.  When requested by the Information Technology Department, users must install software designed to prevent or monitor malware infections. This software may not be disabled or uninstalled without permission from the CIO or designee.

Users must leave their machines turned on when they leave for the day to ensure that their systems receive necessary malware and security updates.

Users should not open suspicious emails or attachments, solicited or unsolicited, from unknown or unusual sources.

Users should scan all software or other content that they download from the Internet for malware.

Users should exercise caution when downloading software from the Internet and install software from reputable Internet sites only. If users are unsure about the legitimacy of the software or source, they should contact OIT via the helpdesk.

Users should exercise caution when accessing web-based E-mail, including but not limited to Hotmail and Yahoo. Users should be aware that email accessed on these sites has not been scanned by the College email gateway and may contain malware.

RESPONDING TO VIRUS INFECTIONS
All users must respond to any malware infection detection indicated by their anti-virus software by contacting the helpdesk in accordance with college procedures.

In the event that users are unable to clean or remove an infected file they should notify the Information Technology Department of the problem immediately.

All users should be alert to the possibility of a virus and report any suspicious behavior on their computer to the Information Technology Department immediately.

UNSOLICITED EMAIL (SPAM)
Users should exercise caution when divulging their college email account to third parties. Some organizations may provide email addresses to parties involved in sending unsolicited emails (spam), which may result in increased volumes of spam email being sent to a user’s account.

Using college network resources to distribute unsolicited email other than for college business is strictly prohibited. Users also may not deliver spam or cause spam to be delivered to any of Navarro College’s email services or customers.

Users should never divulge personal information in response to a request received via spam.

Users may not use any college email services to send spam. In addition, email sent, or caused to be sent, to or through the email services may not:

  • use or contain invalid or forged headers;
  • use or contain invalid or non-existent domain names;
  • employ any technique to otherwise misrepresent, hide or obscure any information in identifying the point of origin or the transmission path;
  • use other means of deceptive addressing;
  • use a third party’s internet domain name, or be relayed from or through a third party’s equipment, without permission of the third party;
  • contain false or misleading information in the subject line or otherwise contain false or misleading content;

Failure to comply with the technical standards described above, or any other violation of FERPA, the applicable Privacy Statement, Acceptable Use Policy, or Security Policy, may result in formal disciplinary or legal action appropriate to the behavior. Navarro College does not permit or authorize any attempt to use the college email services in a manner that could damage, disable, overburden or impair any aspect of any of the college Information Technology Department services, or that could interfere with any other party’s use and enjoyment of any technology service.

ADMINISTRATION RESPONSIBILITIES
The Information Technology Department has a responsibility to protect college systems and infrastructure from malware and virus infection and to filter network traffic as appropriate.

ANTI-VIRUS AND ANTI-SPAM MEASURES

The Information Technology Department will:

  • Evaluate, select, and deploy anti-virus software on file servers, desktops, laptops and other equipment to scan for malware from sources such as inbound and outbound email and attachments, external storage devices, CD-ROMs, and software downloaded from the Internet;
  • Provide a method to reduce the impact of unsolicited or spam email in user email inboxes;
  • Take such action as it deems appropriate, including blocking traffic from a particular email address, internet domain, mail server or IP address to protect the network and college systems; and
  • Terminate any account on any email service which it determines, in its sole discretion, is transmitting or is otherwise connected with any email that violates this policy or any other applicable policy.

DESKTOP ANTI-VIRUS PROTECTION

The Information Technology Department must:

  • Select an effective desktop anti-virus product. This product must be licensed and made available to all staff and faculty users connecting to the college network using a college owned computer;
  • Monitor systems regularly for devices that do not have anti-virus software installed or have incorrect anti-virus products or settings;
  • Provide a central point of contact to College users for anti-virus matters;
  • Keep abreast of potential malware that may affect the College; and
  • Promote awareness of anti-virus issues among users.

EQUIPMENT AND MEDIA DISPOSAL PROCEDURES


INTRODUCTION
The disposal of media, computer equipment and computer software can create information security risks for Navarro College. These risks are related to the potential unauthorized release of sensitive or confidential information, violations of software license agreements, and unauthorized disclosure of intellectual property that might be stored in hard disks and other storage media.

DELETION OF OLD INFORMATION
Employees are required to delete information from their computers if it is clearly no longer needed or potentially useful. Use of an “erase” feature (e.g., putting a document in a trash can icon) is not sufficient for sensitive information because the information may still be recoverable. Sensitive information must be deleted via an overwrite program that is available from the Information Technology Department.

MEDIA DISPOSAL
Storage media including floppy disks, CDs, zip disks, hard drives, and tapes containing sensitive information must be properly disposed of or destroyed. All hardcopy containing sensitive information must be disposed of via a shredder. Storage media may not be donated to charity or otherwise recycled unless they have first been subjected to a data obliteration process.

EQUIPMENT DISPOSAL OR SERVICING
Before computer or communications equipment is sent to a vendor for servicing, all sensitive information must be removed. Likewise, before any computer or communications equipment is marked for trade-in, disposal, donation or long-term storage, all sensitive information must be destroyed.

PHOTOCOPIES
All waste copies of sensitive information that are generated in the course of copying, printing, or other sensitive information handling must be destroyed according to the instructions found in this document. If a copy machine jams or malfunctions when employees are making copies of sensitive information, the involved employee should make a reasonable attempt to retrieve the information before leaving the machine.


INFORMATION SECURITY INCIDENT RESPONSE


INTRODUCTION
This procedure governs how major information security incidents will be addressed at Navarro College. The following are covered by these procedures:

  • Determination of whether the potential exists for exposing Protected Confidential Information (PCI).
  • If the potential exists to expose PCI, how the Information Technology Department will handle the incident. It is crucial that any information security incident be evaluated to determine its severity. The evaluation will determine the course of action to take based on Navarro College policy and Federal and State law. A major information security incident is defined as an information security incident that exposes data that is classified as PCI.

PCI is data which, if exposed to any security risk or otherwise disclosed, would violate Federal or State law or Navarro College contract or policy. The following are examples of PCI; the list is not complete:

  • Non-Public Directory Information.
  • Social Security Number.
  • Date of Birth.
  • Mother’s Maiden Name.
  • Student Loan Data.
  • Bank Account Numbers.
  • Credit Card Numbers.
  • Academic Data.

PURPOSE
The purpose of these procedures is to:

  • Ensure that all information security incidents are evaluated to determine Navarro College exposure;
  • Ensure that the information security incidents are handled in a timely manner and if the incident has on-going exposure, mitigation steps are prudently taken in a timely manner;
  • Prevent disruptions to and misuse of Navarro College Information Technology Department (IT) resources; and
  • Ensure that IT resources are used in compliance with applicable laws and Navarro College policies.

SCOPE
These procedures apply to:

  • All IT resources owned or managed by Navarro College;
  • All IT resources provided by Navarro College through contracts and other agreements with Navarro College; and
  • All users and uses of Navarro College IT resources.

DEFINITIONS
The following terms are used in this Policy. Knowledge of these definitions is important to an understanding of this Policy:

Appropriate Navarro College Authority:  District President or designee.

Compelling Circumstances: Circumstances in which time is of the essence, or in which failure to act might result in property loss or damage, adverse effects on IT resources, loss of evidence of one or more violations of law or of Navarro College policies, or liability to Navarro College or to members of the Navarro College community.

Expeditiously: The time to address the incident should be as soon as possible, depending on the potential exposure of the incident. For a major information security incident, time is critical; the initial determination of whether PCI data could potentially be exposed should occur within hours.

IT Resources: This includes, but is not limited to, computers, computing staff, hardware, software, networks, computing laboratories, databases, files, information, software licenses, computing-related contracts, network bandwidth, usernames, passwords, documentation, disks, CD-ROMs, DVDs, magnetic tapes, and electronic communication.

Major Security Incident: any information security incident that could potentially expose PCI. The standard is that the incident has the potential to expose information, not that information has actually been exposed.

Non-Navarro College Owned Device: any device that Navarro College did not purchase or explicitly accept management of. Examples include computers or laptops owned by faculty, staff and students.

Non-Public Directory Information: directory information that would not generally be available to the public such as an e-mail address.

Protected Confidential Information (PCI): data which, if exposed to any security risk or otherwise disclosed, would violate Federal or State law or Navarro College contract or policy.

Information Security Incident: any incident that potentially exposes PCI to anyone who has not been authorized to access the data, or to anyone who abuses the access they have been granted. An incident may occur from an external or internal source.

The following are examples of security breaches; the list is not complete:

  • A system is breached by an external hacker.
  • A virus, worm, rootkit, key logger etc. compromises a system.
  • A laptop is lost or stolen.
  • A user gains access to unauthorized data through technical or social engineering.
  • A backup tape has been lost or stolen.
  • A thumb drive, CD, etc. is lost or stolen.
  • A user uses his/her access in a non-authorized manner.
  • Data is sent by e-mail to non-authorized users.
  • A hard copy report containing PCI data is lost or stolen.

As the examples above illustrate, a security incident may result from an accidental occurrence or from malicious activity.

INITIAL INCIDENT SEVERITY DETERMINATION
Any information security incident needs to be investigated to determine if any PCI may have been exposed. Any incident that may potentially expose PCI needs to follow the Major Information Security Incident Handling standards and procedures.

The following process is used to determine if the incident is a major incident:

  • Any Navarro College staff, faculty or student suspecting that an information security incident has occurred needs to expeditiously notify the CIO.
  • The CIO will expeditiously perform an initial review to determine if the incident may have compromised PCI.
  • If the review determines conclusively that no PCI was compromised, the college will follow its normal procedures.
  • If the review determines that PCI was potentially compromised, the CIO will contact the Vice President of Operations, Technology, and Advancement.

EMERGENCY RESPONSE
In the event that a security incident involves compelling circumstances, the Vice President of Operations, Technology, and Advancement or designee is authorized to take the necessary technical steps to mitigate the incident and stop further exposure.

Student Handbook