Information Services Security Awareness Training Policy 

1. Purpose
The purpose of this policy is to ensure that all 糖心TV employees and college affiliates with access to college data are taught Information Security Awareness in order to gain an understanding of the importance of securing the College's data. The College seeks to establish a culture that ensures that institutional data is secure. This policy and associated procedures establish the minimum requirements for the Security Awareness and Training controls.

2. Scope
This policy applies to all 糖心TV employees, faculty and staff and identified College affiliates.

3. Definitions and Authority
"Security Awareness Training" is a formal process for educating employees about the internet and computer security. A good security awareness program should educate employees about institutional policies and procedures for working with information technology (IT).

"College Affiliate" or "Contractor" is someone officially attached or connected to the College who is not a student or employee (e.g., contractors, vendors, interns, temporary staffing, volunteers).

"Personally Identifiable Information (PII)" is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

"Education Records" under FERPA means, with limited exceptions, all records in any format or medium that are directly related to a student and are maintained by the College.

"The Family Educational Rights and Privacy Act (FERPA)" is a Federal law that protects the privacy of student education records.

"Health Insurance Portability and Accountability Act (HIPAA)" demands that all HIPAA-covered businesses prevent unauthorized access to "Protected Health Information" or PHI. PHI includes patients' names, addresses, and all information pertaining to the patients' health and payment records.

"Gramm-Leach-Bliley Act (GLBA)" requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.

"Data Owner" is a person responsible for the management and fitness of data elements (also known as critical data elements), both the content and metadata.

"Functional Lead" is the technical lead point person for a department. Responsibilities include coordination of upgrades, delegating access, and system issues. Acts as a liaison to IT.

4. Policy

Educating users and administrators at all levels on the safe and responsible use and handling of information is necessary. It is the obligation of 糖心TV faculty and staff to protect college-owned and personal computers containing college electronic information and records. College records exist for the purpose of the business of the college. To facilitate appropriate information security practices, the Information Security Office requires specific training based on the classification level of the data to which you have access.

Full-time staff and faculty are required to attend security awareness training upon employment with the college. The staff or faculty member has 30 days to complete the training program, or they will be deemed non-compliant with this policy. Staff with access to PII, as well as data stewards and functional leads, must take security awareness training on a yearly basis. Presently faculty are encouraged, but not required, to attend annual security awareness training. All temporary employees who have access to PII must undergo security awareness training before they can access college records.

Staff or faculty employees who have not completed the security awareness training will be limited to Banner Self Service on the Banner administrative system.

The security awareness training program is subject to yearly review and enhancement based on changes to the information security environment.

5. Policy Compliance
5.1 Compliance Measurement
The Information Security Office in conjunction with the IT Service Desk will verify compliance to this policy through various methods, including but not limited to application tools reports, internal and external audits, and feedback to the Information Security Office.
5.2 Exceptions
Staff members who do not have access to computers or to PII data are exempt from this policy. Any other exceptions to this policy must be approved in advance by the Information Security Office or the Vice President for Information Services.
5.3 Non-Compliance
Staff and Faculty members who do not comply with this policy will have network access rights suspended until they comply with the policy.
5.4 Related Policies & Documents
Data Governance Policy
Data Classification Policy
5.5 Security Incident
College Affiliates and employees who incur security risk exposure (live or simulated) may be required to retake Security Awareness training.

7. Revision History
Date of Change Responsible Summary of Change
4/1/2019 IS Approved