Information Technology Services Data Security and Controls
08:16:05 INFORMATION TECHNOLOGY SERVICES Data Security and Controls
- Chattanooga State Community College relies heavily on its electronic data processing systems and the data stored in them to meet its educational, informational and operational needs. College students and staff rely on the security of the computer systems to protect instructional, research, personal, operational and other sensitive data maintained in those computer systems. It is essential that these systems be protected from misuse and that both the computer systems and the data stored in them are accessed and maintained in a secure environment.
The purpose of this policy is to establish a minimum expectation with respect to access controls in order to protect data stored on computer systems throughout the system. This policy functions as data and computing standards and provides data security classifications for ChSCC data. This policy provides guidance on how data (including PCI and Identity Theft protected data) is to be secured, managed, retained, and disposed of.
- The scope of this policy includes all ChSCC staff, (including contractors and student workers), faculty, students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data.
- The scope includes all data created and maintained by the College, (i.e. student, research, financial, payroll/personnel, etc.) except where superseded by grant or other contracts, or by federal Copyright Law, regardless of:
- medium on which it resides (e.g., paper, fiche, in electronic form on tape, cartridge, disk, CD-ROM, or hard drive, etc.) - and -
- form (e.g., text, graphics, video, voice, etc.)
- Included in the scope are all computer systems owned, leased or maintained by the College. This includes: microcomputers/PCs, servers, and various peripheral equipment including, but not limited to, printers and modems; and all Web pages and applications contained on College equipment or disseminated via College resources. This policy also covers all mobile devices (personal and college provided) where individuals have saved ChSCC data.
D. Data Security and Classification Requirements:
- College data, regardless of its medium and/or form, shall meet the following requirements. At a minimum, data shall be classified as public or confidential, be appropriately secured and not accessible to non-approved users when not in use. (Refer to 08:14:05 ITS Technology Responsible Use Policy)
- The decision on handling and classification is determined from three separate and distinct areas:
- Data identification - What is the institutional risk if the data is lost, stolen, or provided to unauthorized person?
- Data integrity - What is the institutional risk and impact on the institution should the data not be trustworthy?
- Data availability - What is the impact on the institution should the data not be available for some period of time?
E. Access to Data:
- Data will be accessed, used and disposed of in a manner commensurate with the data's classification and will be disseminated by officially designated offices only in accordance with ChSCC policies and procedures. All computer access granted to an authorized user will be removed when that user terminates employment, graduates, or withdraws from the College. (For further information please review 08:17 ITS Computer Access Policy (https://itservices.chattanoogastate.edu/. And https://policies.tbr.edu/guidelines/access-control.))
- Access to information assets must be restricted to authorized users and must be protected by appropriate physical, administrative, and logical authentication and authorization controls.
- Protection for information assets must be commensurate with the classification level assigned to the information.
- Each computer system shall have an automated access control process that identifies and authenticates users and then permits access based on defined requirements or permissions for the user or user type. ChSCC utilizes Active Directory for authentication.
- All users of secure systems must be accurately identified, a positive identification must be maintained throughout the login session, and actions must be linked to specific users.
- Access control mechanisms may include user IDs, access control lists, constrained user
- Types of Data:
- Public: Access to Public institutional data may be granted to any requester and/or it can be published with no restrictions. Public data is not considered sensitive. The integrity of "Public" data should be protected, and the appropriate department or unit must authorize replication or copying of the data in order to ensure it remains accurate over time. Especially important for reports being provided to any outside entity. The impact on the institution should public data not be available is typically low, (inconvenient, but not debilitation). Examples of "Public" Data include published "whitepapers", directory information, maps, department websites, and academic course descriptions. This data may be made generally available without specific data custodian approval.
- Access to confidential, internal, non-public institutional data must be requested from, and authorized by, the data owner who is responsible for the data. (Review 08:17 ITS Computer Access for more specific detail. https://itservices.chattanoogastate.edu/. Some confidential information is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. The impact on the institution should confidential data not be available can be from moderate to very high, depending on the information. Examples of confidential data that if lost, corrupted or unauthorized disclosure occurred, could result in business, financial or legal loss include: official student grades, financial aid data, social security and credit card numbers (PCI Compliance information), and individuals' health information. (See ChSCC IT Policy 08:14 Responsible Use and 08:15 Security Incident Response for reportable situation requirements based on TBR Policy B-080 and 08:20 Red Flag and Identity Theft Prevention Program.)
F. Data Security, Management, Retention, and Disposition Requirements:
- ChSCC departments should not use, store, or display confidential data, identifying data, sensitive personal data, or PCI protected data, including Social Security Numbers (i.e., SSNs) unless required by law and then only within the requirements of this policy and federal/State/TBR policies. All ChSCC employees should ensure that there is no possibility of unauthorized viewing or unauthorized access to the system when leaving their PC unattended by either locking the keyboard of the PC or the office door. This should be done every time the PC is left unattended no matter the length of time the individual will be gone. A "clean desk" policy is in effect to ensure that all reports, etc., that contain protected data are locked up for the night.
- These types of data should not be stored on a personal or ChSCC issued desktop, laptop, or mobile device including phones, unless at least one of the following security recommendations is met.
- The data is only stored on an encrypted hard drive or within an encrypted application on a mobile device. If a mobile device is lost (whether it is ChSCC issued or personal) ITS must be notified immediately. ITS has authority to take action to prevent the loss of confidential or sensitive data up to and including the erasure of the hard drive, as needed to prevent loss of data.
- The data is not stored on the PC or laptop, but stored on a server located in a secure area, that is protected for the required level of data access.
- The data is stored on an encrypted removable drive such as an encrypted USB flash drive that is secured when not in use.
G Requesting Banner Confidential/Protected Data Access for Staff or Faculty:
- Only the specified owners of Confidential/Protected data can authorize access to the data under their control, this includes storage of data on a mobile device, including phones, whether they are ChSCC issued or personal. A process is in place to handle requests for access and subsequent authorization, including requests for report data. If you have an employee that requires access for Banner Confidential/Protected data, refer to ChSCC IT Policy 08:17 Computer Access. A process workflow is available at the ITS Web Site - http://itservices.chattanoogastate.edu/pdf/inb_access.pdf. In order to ensure employees only have the access that is needed to perform current job duties, ITS needs to be notified on any job change or change in employment. If an employee changes jobs within ChSCC, current access of that employee will be disabled, and new access requests are required.
H. User's Responsibility to Protect the Data:
- The best way to ensure data is kept secured is the user's dedication to protecting that data. Users should:
- Collect, distribute, and retain
- Ensure you delete personal and protected information when there is no longer a business need for its retention.
- When personal or protected data must be included in the distribution of data, include notification of that fact, including reference to this policy.
- Always comply with existing College policies/standards regarding the handling of Confidential/Protected data.
- Every individual is responsible for the use of their user-id and password.
I. Supervisor's Responsibility to Protect the Data:
- Supervisors have a special duty to protect ChSCC data and that is only request staff access to personal and protected data as needed to perform assigned duties. For specific information on requesting Internet Native Banner (INB) access, review 08:17 ITS Computer Access. Design reports, database systems, etc., so that personal and protected information can be identified. Be aware of who is working with protected data and ensure that unauthorized individuals do not have access to the data. Be prepared to supply information needed (e.g., name, address, email) and to notify impacted individuals if a data security breach occurs. (See ChSCC IT Policy 08:15 Security Incident Response)
J. Confidential/Protected Data Requirements:
- This type of data requires that an audit trail be in effect that monitors access and modification, and is appropriately backed up to allow for recovery. Data stored on servers maintained by ITS will be backed up based on customer requirements documented on the Roles and Responsibilities Service Level Agreements. Data transmitted over any communication network shall be transmitted in encrypted form or other appropriate and equally secure method. This level of data will only be accessible on the WWW with the permission of the appropriate College data custodian. WWW access to such data shall be secured in a manner that is commensurate with the classification and confidentiality of the data contained on the page/publication.
- Passwords are required on all computer systems (e.g., desktops, laptops, mobile devices, etc.) in which Confidential or Protected data is stored or maintained or have access to College networks. (See ChSCC IT Policy 08.13 Computer Passwords.) Appropriate hardware and software security (e.g., cable lockdowns, password access control, data compression and encryption, audit log of access, updates, etc.) should be placed on all microcomputers/PCs and mobile devices which have Confidential/Protected data stored on them (i.e., on the local drive).
K. Outside ChSCC access:
- Vendors, contractors, consultants and external auditors needing access to College data must read and acknowledge in writing that their firm has read, understood and will comply with all College data and computing guidelines/standards. Review Policy 08:17 ITS Computer Access for access requirements for any outside individual that requires access to the Computer Center or to any data. Vendors will be assigned a CHSCC escort as needed by the department requiring the access.
L. Computer System and Resource Security Requirements before Installation:
- Computer system and resource security requirements or a documented, equivalent compensating control is required to be in place before a system, application, tool, etc., is considered ready to be installed as production include:
- All vendor-supplied default passwords are changed before any computer or communications system, printer, copier, fax machine or other equipment is used for College related business.
- Authorized user logon ids/operator ids on administrative and research computer systems are inactivated or an authorized user's access connection is immediately disabled if the authorized user does not provide a correct password after five (5) consecutive attempts. (See ChSCC IT Policy 08.13 Computer Passwords for complete details.)
- Passwords or pin numbers used to protect access to College data are not hard-coded into software/source code developed by ChSCC staff or students.
M. Hardware Physical/Environmental Requirements:
- When technically and reasonably possible, workstations, personal computers, mobile devices and printers housed in unsecured public areas (e.g., student labs, libraries, etc.) should be physically secured, as needed to provide protection from theft and/or modification. All workstations and microcomputer/PC systems are outfitted with uninterruptible power supply (UPS) systems, electrical power filters, or surge suppressers, as appropriate in order to prevent damage.
- Master copies of software, to the extent consistent with applicable licenses and laws, shall be stored in a safe and secure location. These master copies shall not be used for ordinary business, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems.
O. Disk Maintenance:
- Proper disk maintenance practices are followed (e.g., clearly label back up data, application and operating system diskettes; store away from extreme cold/heat; protect from dust, excessive moisture or water; keep away from magnetic devices including radios, telephones, keys, wall magnets, etc.) When disposing (e.g., recycling, salvaging, transferring ownership to another party, etc.) of microcomputer/PC hard disks, the hard disks should be wiped and/or destroyed to make the data irretrievable. Iron Mountain currently has the contract for disk destruction.
References: These Standards comply with and are based on the laws of the United States, State of Tennessee, Tennessee Board of Regents, and other regulatory agencies. This includes all applicable federal and state laws which govern the privacy, confidentiality, security and use of data, and the use and security of computer systems and data including:
- The Department of Education "Family Educational Rights and Privacy Act of 1974" (as amended), 34 CFR, Part 99
- Payment Card Industry (PCI) Compliance, 07/01/2001
- Tennessee Board of Regents Guideline B-090 Gramm-Leach-Bliley Act, Safeguarding of Customer's Nonpublic Financial Information
- Tennessee Board of Regents Guideline G-052 Access Control
- Tennessee Board of Regents Guideline G-070 Disposal of Records - RDA2161.
- Tennessee Board of Regents Guideline B-80 Reporting and Resolution of Institutional Losses
State of Tennessee Department of Finance and Administration Office for Information Resources Information Security Program
If this Guideline conflicts with federal or state statute, the applicable statute shall apply.
Additionally, other College Policies, Guidelines, Standards and/or campus procedures may impose certain restrictions that are not specifically covered by state and federal statue orregulations including:
- Chattanooga State Community College IT Policy 08.13 Computer Passwords
- Chattanooga State Community College IT Policy 08:14 Responsible Use
- Chattanooga State Community College IT Policy 08:15 Security Incident Response Chattanooga State Community College IT Policy 08:17 Computer Access
- Chattanooga State Community College IT Policy 08:20: Red Flag and Identy Theft Prevention Program
Implemented by: Computer Services, 1/7/2005
Reviewed and Revised by: Computer Services, 9/30/08 Rev 1
Reviewed and Revised by: Computer Services, 3/27/09 Rev 2 Reviewed and Revised by: Computer Services, 12/1/2012 Rev 3 Reviewed and Revised by: Information Technology Services 4/19/2014 Rev 4 No Changes
Reviewed and Revised by: Information Technology Services 3/07/2016 Rev 5 Changes
Title Page - Added the following to the title of the policy," ....And Controls
Pages All - Changed Computer Services to Information Technology Systems
Page 1 Section - 2 Purpose. Added the information concerning PCI data, "This policy describes specific required capabilities in electronic communications systems and also specifies how ChSCC data (including PCI and Identity Theft protected data) is to be secured, ...."
Page 1 Section - Scope 3.1. Added the following per Reference #6, "....including mobile devices....."
Page 2 Section 5 - Access to Data. Added the following, "Access to information assets must be restricted...." Reference #4.
Page 2 Section 5 - Added the following, "Confidential , "Examples of confidential data that if lost, corrupted or unauthorized disclosure occurred, could result in business, financial or legal loss include: official student grades and financial aid data, social security and credit card numbers (PCI Compliance information), and individuals' health information. (See ChSCC IT Policy 08:14 Responsible Use and 08:15 Security Incident Response for reportable situation requirements based on TBR Policy B-080 and 08:20 Red Flag and Identity Theft Prevention Program.)
Page 3 Section 6 - Data Security, Management, Retention and Disposition. Added the following statement ".... All ChSCC employees should ensure that there is no possibility of unauthorized viewing or unauthorized access to the system when leaving their PC unattended by either locking the keyboard of the PC or the office door. This should be done every time the PC is left unattended no matter the length of time the individual will be gone...." "These types of data should not be stored on a personal or ChSCC issued desktop, laptop, or mobile device including phones, unless at least one of the following security recommendations is met. "A clean desk policy...."Added per References #4 and #9."
Page 3. Section 6. Added the following per Reference #6, "The data is only stored on an encrypted hard drive or within an encrypted application on a mobile device. If a mobile device is lost (whether it is ChSCC issued or personal) ITS must be notified immediately. ITS has authority to take action to prevent the loss of confidential or sensitive data up to and including the erasure of the hard drive, as needed to prevent loss of data." Page 3. Section 7 Requesting Banner Confidential/protected Data Access for Staff or Faculty. Added the following per Reference #6, "A process workflow is available at the ITS Web Site - http://itservices.chattanoogastate.edu/pdf/inb_access.pdf. In order to ensure employees only have the access that is needed to perform current job duties, ITS needs to be notified on any job change or change in employment."
Page 4 Section 10 Confidential and Protected Data Requirements. Added the following statement, "Data stored on servers...."
Page 5. Section 15. Disk Maintenance. Added the following, "Iron Mountain currently has the contract for disk destruction.