Data Security and Controls
08:16:00 Data Security and Controls
- Introduction: The purpose of this policy is to establish a minimum expectation with respect to access controls in order to protect data stored on computer systems throughout the Chattanooga State Community College system. This policy functions as data and computing standards and provides data security classifications for Chattanooga State data. This policy provides guidance on how data, (including PCI and Identity Theft protected data), is to be secured, managed, retained, and disposed of, whether managed/supported by Technology Division or other Chattanooga State departments and also includes personal equipment/applications, i.e., mobile devices.
- Failure to adhere to any of the requirements in the policy can result in the removal from the network, confiscation of even personal hardware/software and possibly disciplinary action.
- All data created and maintained by the College, except where superseded by grant or other contracts, or by Copyright Law, will be protected regardless of medium on which it resides (including, but not limited to, paper, in electronic form on disk, hard drive, USB flash drive, mobile device, etc., and/or form including text, graphics, video, voice, etc.
- College data, regardless of its medium and/or form shall meet the following requirements. At a minimum, data shall be classified as public or confidential, (see section D for more information), be appropriately secured and not accessible to non-approved users when not in use. This policy also includes personal equipment/applications, i.e., mobile devices. For further classification ask the questions:
- Data identification - What is the institutional risk if the data is lost, stolen, or provided to unauthorized person?
- Data integrity - what is the institutional risk and impact on the institution should the data not be trustworthy?
- Data availability - what is the impact on the institution should the data not be available for some period of time?
- Access to Public institutional data may be granted to any requester and/or it can be published with no restrictions. Public data is not considered sensitive. The integrity of “Public” data should be protected, and the appropriate department or unit must authorize replication or copying of the data in order to ensure it remains accurate over time. The Data Governance Committee should review any data, including reports being provided to any outside entity. The impact on the institution should public data not be available is typically low, (inconvenient, but not debilitation).
- Access to confidential, internal, non-public institutional data must be requested from, and authorized by, the data owner who is responsible for the data. (Review 08:17:00 Computer Access for more specific detail.) Confidential information is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. The impact on the institution should confidential data not be available can be from moderate to very high, depending on the information. (See 08:14:00 Responsible Use and 08:15:00 Security Incident Response for reportable situation requirements based on TBR Policy B-080 and 08:20:00 Red Flag and Identity Theft Prevention Program.)
- Chattanooga State departments should not use, store, or display confidential data, identifying data, sensitive personal data, or PCI protected data, including Social Security Numbers (i.e., SSNs) unless required by law and then only within the requirements of this policy and federal/State/TBR policies. All Chattanooga State employees should ensure that there is no possibility of unauthorized viewing or unauthorized access to the system when leaving their PC unattended by either locking the keyboard of the PC or the office door. This should be done every time the PC is left unattended no matter the length of time the individual will be gone. A “clean desk” policy is in effect to ensure that all reports, etc., that contain protected data are locked up for the night. These types of data should not be stored on a personal or Chattanooga State issued desktop, laptop, or mobile device including phones, unless at least one of the following security recommendations is met.
- The data is only stored on an encrypted hard drive or within an encrypted application on a mobile device. If a mobile device is lost (whether it is Chattanooga State issued or personal) Technology Division must be notified immediately. Technology Division has authority to take action to prevent the loss of confidential or sensitive data up to and including the erasure of the hard drive, as needed to prevent loss of data.
- The data is not stored on the PC or laptop, but stored on a server located in a secure area, that is protected for the required level of data access.
- The data is stored on an encrypted removable drive such as an encrypted USB flash drive that is secured when not in use.
- Only the specified owners of Confidential/Protected data can authorize access to the data under their control, this includes storage of data on a mobile device, including phones, whether they are Chattanooga State issued or personal. A process is in place to handle requests for access and subsequent authorization, including requests for report data. If an employee requires access for Banner Confidential/Protected data, refer to 08:17:00 Computer Access. A process workflow is available at the Technology Division Web Site. In order to ensure employees only have the access that is needed to perform current job duties, Technology Division needs to be notified on any job change or change in employment. If an employee changes jobs within Chattanooga State, current access of that employee will be disabled, and new access requests are required.
- The best way to ensure data is kept secured is the user’s dedication to protecting that data. Users should:
- Collect, distribute, and retain only the minimal amount of personal and protected data that is related to business needs and/or assigned tasks.
- Ensure personal and protected information is deleted when there is no longer a business need for its retention.
- When personal or protected data must be included in the distribution of data, include notification of that fact, including reference to this policy.
- Always comply with existing College policies/standards regarding the handling of Confidential/Protected data.
- Every individual is responsible for the use of their user-id and password.
H. Supervisors have a special duty to protect Chattanooga State data and that is only request staff access to personal and protected data as needed to perform assigned duties. For specific information on requesting Internet Native Banner (INB) access, review 08:17:00 Computer Access. Design reports, database systems, etc., so that personal and protected information can be identified. Be aware of who is working with protected data and ensure that unauthorized individuals do not have access to the data. Be prepared to supply information needed (e.g., name, address, email) and to notify impacted individuals if a data security breach occurs. (See 08:15:00 Security Incident Response)
I. Confidential/Protected data requires that an audit trail be in effect that monitors access and modification, and is appropriately backed up to allow for recovery. This level of data will only be accessible with the permission of the appropriate College data custodian. WWW access to such data shall be secured in a manner that is commensurate with the classification and confidentiality of the data contained on the page/publication.
J. Passwords are required on all computer systems (e.g., desktops, laptops, mobile devices, etc.) in which Confidential or Protected data is stored or maintained or have access to College networks. (See 08.13:00 Computer Passwords.) Appropriate hardware and software security (e.g., cable lockdowns, password access control, data compression and encryption, audit log of access, updates, etc.) should be PCs and mobile devices which have Confidential/Protected data stored on them (i.e., on the local drive.)
K. Review 08:17:00 Computer Access for access requirements for any vendor, etc., that requires access to the Computer Center or to any data. Vendors will be assigned a Chattanooga State escort, as needed, by the department requiring the access.
L. Computer system and resource security requirements or a documented, equivalent compensating control are required to be in place before a system, application, tool, etc., is considered ready to be installed as production. include:
- All vendor-supplied default passwords are changed before any computer or communications system, printer, copier, fax machine or other equipment is used for College related business. (See 08.13:00 Computer Passwords for complete details.)
- Authorized user logon IDs on computer systems are inactivated or an authorized user’s access connection is immediately disabled if the authorized user does not provide a correct password after five consecutive attempts - Banner consecutive attempts are three (3).
- Password or pin numbers used to protect access to College data are not hard-coded into software/source code developed by Chattanooga State staff/faculty or students.
M. When technically and reasonably possible, workstations, personal computers, mobile devices and printers housed in unsecured public areas (e.g., student labs, libraries, etc.) should be physically secured, as needed to provide protection from theft and/or modification. All workstations and PC systems are outfitted with uninterruptible power supply (UPS) systems, electrical power filters, or surge suppressers, as appropriate in order to prevent damage.
N. Master copies of software, to the extent consistent with applicable licenses and laws, shall be stored in a safe and secure location. These master copies shall not be used for ordinary business, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems.
O. When disposing (e.g., recycling, salvaging, transferring ownership to another party, etc.) of hard drives, the hard drives should be wiped and/or destroyed to make the data irretrievable.
References:
1. The Department of Education “Family Educational Rights and Privacy Act of 1974” (as amended), 34 CFR, Part 99, 12/2/2011
2. Payment Card Industry (PCI) Compliance, 04/01/2016
3. State of Tennessee Department of Finance and Administration Strategic Technology Solutions 12/15/2016.
4. Tennessee Board of Regents Guideline B-090 Gramm-Leach-Bliley Act, Safeguarding of Customer’s Nonpublic Financial Information
5. Tennessee Board of Regents Guideline B-80 Reporting and Resolution of Institutional Losses, 2/11/2015 6. Tennessee Board of Regents Guideline G-052 Access Control, 9/26/2014
7. Tennessee Board of Regents Guideline G-070 Records Retention and Disposal of Records, 2/21/2017
8. Chattanooga State Community College Technology Division Policy 08.13 Computer Passwords, 05/30/2017
9. Chattanooga State Community College Technology Division Policy 08:14 Responsible Use, 05/30/2017
10. Chattanooga State Community College Technology Division Policy 08:15 Security Incident Response, 05/30/2017
11. Chattanooga State Community College Technology Division Policy 08:17 Computer Access, 05/30/2017 12. Chattanooga State Community College Technology Division Policy 08:20 Red Flag and Identity Theft Prevention Program, 05/30/2017
Dr. Rebecca Ashford, President October 24, 2017
Signature Date Approved
Policy Change
Division Name: Technology Division
Policy Number and Title: 08:16:00 Data Security and Controls
- Reformatted the whole policy to new format.
- All pages - Information Technology Services was changed to new division name - Technology Division.
- All pages - all policy references changed to reflect only policy assigned number and title.
4. Introduction was added to first para from other paras: The purpose of this policy is to establish a minimum expectation with respect to access controls in order to protect data stored on computer systems throughout the Chattanooga State Community College (Chattanooga State) system. This policy functions as data and computing standards and provides data security classifications for Chattanooga State data. This policy provides guidance on how data, (including PCI and Identity Theft protected data), is to be secured, managed, retained, and disposed of, whether managed/supported by Technology Division or other Chattanooga State departments and also includes personal equipment/applications, i.e., mobile devices.
5. Section A, para 1 was added:
1. Failure to adhere to any of the requirements in the policy can result in the removal from the network, confiscation of even personal hardware/software and possibly disciplinary action.
5. Section L, bullet statement 3 was added: …Banner consecutive are three.
Dr. Rebecca Ashford October 24, 2017
Signature Date Approved
|
|