Overview
This Information Security Plan (the “Plan”) describes Atlantic Cape Community College’s safeguards to protect confidential personal information.
This Information Security Plan (the “Plan”) describes Atlantic Cape Community College’s safeguards to protect confidential personal information.
Confidential Personal Identifiable Information (“CPII”), for purposes of this Plan, includes the following categories of information:
These safeguards are provided in order to:
This Plan also provides for mechanisms to:
Atlantic Cape recognizes the existence of both internal and external risks to the security of CPII. These risks include, but are not limited to:
Unauthorized access of CPII by someone other than its owner.
Compromised system security as a result of system access by an unauthorized person.
Interception of data during transmission.
Loss of data integrity.
Physical loss of data in a disaster or otherwise.
Errors introduced into systems.
Corruption of data or systems.
Unauthorized access of CPII by employees.
Unauthorized requests for CPII.
Unauthorized access through hard copy files or reports.
Unauthorized transfer of CPII through third parties.
Atlantic Cape recognizes that this may not be a complete list of the risks associated with the protection of CPII. Since technology is not static, new risks are created regularly. Accordingly, the Information Technology (ITS) will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks.
Chief Information Officer (CIO) and Chief Financial Officer (CFO) serve as the coordinators of this Plan. They are responsible for assessing the risks associated with maintaining and transmitting CPII and implementing procedures to minimize those risks to Atlantic Cape.
Whenever the College retains a service provider that will maintain, process or have access to CPII, the College will ensure that the provider has in place an information security program sufficient to protect CPII. The College will include in the contracts with service providers having access to CPII a provision requiring the providers to have in place security measures consistent with the requirements of New Jersey Law and regulations thereto and to assure that such CPII is used only for the purposes set forth in the contract.
Atlantic Cape maintains a computer security system that provides at a minimum to the extent technically feasible:
Secure user authentication protocols including:
control of user IDs and other identifiers.
a reasonably secure method of assigning, selecting and the rotation of passwords.
control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.
restricting access to active users and active user accounts only.
blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
Secure access control measures that:
restrict access to records and files containing CPII to those who need such information to perform their job duties.
assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the confidentiality and integrity of the security of the access controls.
Encryption of all transmitted records and files containing CPII that will travel across public networks, and encryption of all data containing CPII to be transmitted wirelessly.
Reasonable monitoring of systems and logs, for unauthorized use of or access to CPII.
Encryption of all CPII stored on laptops or other portable devices.
For files containing CPII on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the CPII.
Utilization of network segmentation for critical data with additional security controls surrounding critical data.
Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
Education and training of employees on the proper use of the computer security system and the importance of CPII security.
Email security controls such as MFA, Anti-Spam and Phishing technologies.
Formal data storage device destruction and disposal procedures.
Periodic penetration and vulnerability scanning, both internally and externally.
Implementation of all system/application changes affecting CPII managed via formal Change Management process and policy.
The Information Security Plan Coordinators work with the appropriate College departments to ensure that this security system infrastructure is appropriately maintained.
CPII will only be retained for as long as needed for the College’s reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores CPII will annually review the CPII it has retained for the purpose of determining which information may be purged.
Any employee who violates this policy shall be subject to discipline pursuant to the College’s Code of Conduct or other relevant disciplinary policy.
Once an employee who has access to CPII concludes his/her employment, either voluntarily or involuntarily, such employee’s access to CPII shall be terminated.
This Plan is subject to periodic review and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the Information Security Plan Coordinators, who may assign specific responsibility for implementation and administration as appropriate.