Technology Security Program
08:16:01 Technology Security Program
- Introduction: The purpose of the Chattanooga State Community College's Technology Security Program is to provide an overview of the policies, standards and procedures that provide technology security guidance. This program is located on the Technology web site. These policies, standards and procedures document the practices undertaken to protect information that falls under federal and state laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and the Payment Card Industry Data Security Standard (PCI-DSS). The intent of the program is to provide effective security balanced with the need for maintaining the open and collaborative network environment required for higher education institutions to foster scholarly activity and to remain competitive.
- The Technology Security Program establishes guidelines and principles for initiating, implementing, maintaining, and improving technology security management for Chattanooga State. The program is intended to protect the confidentiality, integrity and availability of technology resources and is not intended to prevent, prohibit, or inhibit the sanctioned use of technology resources as required to meet Chattanooga State's mission and academic and administrative goals.
- The program applies to all users, all information assets, facilities, applications, systems and network resources. Auxiliary organizations or any entity, including third parties, using Chattanooga State technology resources must operate those assets in conformity with the Chattanooga State Technology Security Program, unless otherwise formally exempted by the President or her designee. It is the collective responsibility of all users to ensure:
- Confidentiality of information, which Chattanooga State must protect from unauthorized access.
- Integrity and availability of information stored on or processed by Chattanooga State technology systems.
- Compliance with applicable laws, regulations, and Chattanooga State policies governing technology security and privacy protection. Chattanooga State information security practices must comply with a variety of federal and state laws, and institutional policies designed to protect individuals and organizations against the unauthorized disclosure of information that could compromise their identity or privacy. Legal regulations cover a variety of types of information including personally identifiable information, personal financial information, medical information, and confidential student information.
- Policy is developed and executed, and expectations are set for protecting technology assets. Policies are then supported by related standards, procedures and guidelines to facilitate campus compliance. Policies are high-level statements of principle that provide technology direction to the campus community.
- Due to the nature of technology requirements, Technology policies may contain compliance standards for the College as a whole.
- Standards may be used as necessary in order to establish specific actions and/or requirements that must be used in order to comply with policy. They provide a basis for verifying user compliance through audits and assessments.
- Procedures establish specific actions and/or requirements for Technology personnel to ensure policy compliance. They are used to provide verification of compliance through audits and assessments.
- Policy development is driven by numerous requirements: Chattanooga State directives, new legislation and regulations, audit findings, risk assessment and College strategic planning and initiatives. Required key campus stakeholders are consulted before implementation of planned changes to ensure all impacted parties fully understand the need for the change and resulting actions. Research is conducted to find potential models from other Tennessee Board of Regents Colleges to add conformity as necessary.
- The formulation and distribution of technology policies, standards, procedures, and guidelines connect the College's mission to individual conduct, institutionalize impartial expectations, support compliance with laws and regulation, mitigate institutional risk, and enhance productivity and efficiency in the College's operations.
- In collaboration with all appropriate College representatives, the executive director of Information Management or a designated representative leads the effort to develop, approve, and launch a suite of information security policies and standards. Utilizing federal, state and TBR best practices in information security, these policies, standards and procedures formally establish the Chattanooga State Technology Security Program along with employee responsibility for information protection.
1. The security policy also incorporates the security requirements of applicable regulations. These regulations include, but are not limited to: FERPA, PCI-DSS, HIPAA and state policies such as State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008, Tennessee Code Ann. 39-17-902, the Digital Millennium Copyright Act, Tennessee Code Annotated §49-7-1(c), Tennessee Code Annotated, Title 10, Chapter 7, 506, and TBR Information Technology Policies.
- Technology, along with data security, cannot be treated solely as a technology issue. Based on Chattanooga State's growing dependence on data and technology-based controls, data and technology security risks increasingly contribute to operational and reputational risk. Technology security is an intrinsic part of governance and consists of the leadership, organizational structures and processes that safeguard Chattanooga State's data, its operations and its reputation.
- TBR implements its statutory responsibility for governance and management of the institution and establishes the following:
- Standards for consistency among the institutions.
- Parameters to promote institutional flexibility and discretion.
- Appropriate participation in the consideration of proposed board policies and system-wide decisions. All such matters are reviewed by a structure of system sub-councils, the presidents as a council, the board staff, and a board committee prior to their consideration by the board.
- The College president gives the vice president of Technology the responsibility for providing technology services, support and guidance to the College. The assistant vice president of Technology Management and the executive director of Information Management are responsible for the development and implementation of all policies, standards and procedures as they relate to technology acquisition, implementation, and documentation. They are also responsible for the use of technology resources, for meeting its compliance obligations, and for the development and management of the Chattanooga State Technology Security Program.
- All users of the Chattanooga State technology systems are expected to follow established policies and procedures and to report potential security violations. Administrators across the College are responsible for ensuring technology security policies, standards and procedures are followed by employees in their respective areas.
- All users of technology resources are advised of the open nature of data disseminated electronically, and must not assume any degree of privacy or restricted access to data they create or store on campus systems. Chattanooga State is a public College, and data stored on campus technology systems may be subject to disclosure under state law. The College will disclose information about individuals only to comply with applicable laws or regulations and/or to comply with or enforce applicable policy. All users are to ensure the confidentiality, integrity, and availability of campus data, and to respond to valid legal requests or demands for access to campus information. 08:16:00 Data Security and Controls provides specific guidance on protecting data.
1. User access to technology systems is based on the principle of least privilege. Proper authorization and approval by the system/data owner is required for access. 08:17:00 Computer Access identifies the practices used in requesting, granting, administering and terminating account access.
- Chattanooga State maintains a diverse technology environment with many services that require unique identifying credentials in order to gain access and authorization. These credentials are managed as much as possible through a central identity management system, Active Directory. Active Directory allows users to have one account ID and password for accessing multiple computing resources at the College. For many systems, this allows access to computing resources to be authorized on the basis of roles (faculty, staff, or student). This system continues to be developed with fundamental security principles in mind. Account administration and management is guided by 08:17:00 Computer Access.
- Incident management detail for Chattanooga State is located in 08:15:00 Security Incident Response, in conjunction with Chattanooga State 05:12:01 Sensitive Equipment Policy. These policies provide guidance for incident detection and analysis, containment, eradication, recovery and review for all "sensitive equipment," along with the process for responding to technology security incidents. Security incidents are managed by the technology security team, along with Chattanooga State police, who ensure that security incidents are promptly reported and resolved in a manner that restores operation quickly and, if required, maintains evidence for further disciplinary, legal, or law enforcement actions. The incident response program is reviewed annually and modified as needed to comply with applicable laws and College policies and standards.
1. In order to prepare for any potential incidents, Chattanooga State technology personnel conduct system inventories and risk assessments for sensitive systems, provide management practices for desktops, servers, networks and projects, and review system hardening and data protection measures. Detection, analysis, containment, recovery and review include several mechanisms such as malicious code scanning, virus protection, intrusion detection, monitoring, logging and incident handling protocols. Multiple guidelines are in place to support these efforts.
2. To ensure the secure operation of technology facilities and resources, system activities must be managed and reviewed consistently. Identifying and prioritizing risks forms the basis for determining the appropriate actions to take. Comparing actual system control information to the projected goals of system management allows systems to be evaluated on a continuous basis. Since no set of system controls can achieve complete security, assessments are completed as needed to evaluate the effectiveness of the controls. Risk assessments are renewed as required.
- Physical areas where information assets contain protected data should be protected from unauthorized physical access. Many technology assets are located in public and non-public access areas and must be physically secured to prevent theft, tampering, or damage. Periodic review of physical controls in public areas is necessary to ensure system containment. Management conducts reviews and documents physical access rights to campus limited-access areas on a routine basis.
- Access to information technology resources is controlled on the basis of business need and security requirements. Network access control enforces specific security and business requirements. Access management, user registration and termination, and privilege management govern the allocation of rights. Sets of controls are in place that restrict access through technical structures and authentication methods. Passwords are managed through a formal process and secure log-on procedures. 08:13:00 Computer Passwords provides guidance.
1. Sensitive systems, i.e., PCI systems, are explicitly identified and receive special handling. Network access and routing controls are applied for users and equipment. Appropriate authentication controls are used for external connections and remote users. Physical and logical access to diagnostic and configuration ports and utility programs is controlled. Duties are separated to protect systems and data. Access rights are audited at regular intervals.
- System security is maintained over the lifetime of systems through a series of Chattanooga State policies and technology procedures. These are intended to protect Chattanooga State resources from project initiation through implementation and maintenance of the system, and upon retirement and disposal of the system. Project management standards specify strategic plan initiatives and require full project costs to be identified prior to the purchase of technology. 08:25:00 Technology Projects provides guidance for the whole project lifecycle, while Technology Procedure 003 Technology Hardware and Software Lifecycle Management ensures systems are managed from initial purchase to removal from service. Implementation practices are specified by a change management standard which outlines planning, communicating, testing, planning a back-out strategy, gaining approval and executing the change in a controlled manner. Overall system security during the production lifetime is maintained via operational security standards including malicious code protection, logical access control standards, data protection standards, facility security standards, personnel security standards and Technology System Security standards.
- In addition to defining security roles and responsibilities, personnel security is addressed through pre-employment screenings, including background checks, adequate position descriptions, terms of employment, and security education and training. 08:14:00 Technology Responsible Use sets out user responsibilities regarding confidentiality, data protection, ethics, and appropriate use of facilities, materials and equipment. Third party users are made aware of their responsibility to comply with relevant laws, regulations and College expectations.
- Contingency planning is conducted to minimize the impact and loss of information assets in the event of a disaster. Business continuity plans should be developed by each Chattanooga State department and included in the overall Chattanooga State Business Continuity Plan. Plans are developed by using Business Impact Analysis to understand risks and to identify and prioritize critical business processes. An overall strategy is developed for crisis management, recovery and restoration. Plans are formalized with agreements as to the required levels of operation, the time frames, and the implementation strategy. Continuity plans are tested regularly to ensure that they are up to date and effective.
- Regular assessments should be performed by both system owners and data owners. Risk management reviews can be used to provide these assessments. Security configurations are reviewed annually and reapplied when systems undergo material modifications. Technology's management approach to technology and/or data security is to ensure all policies and procedures are reviewed on a regular schedule, and as necessary, to ensure continuing appropriateness, adequacy and effectiveness. Additionally, Technology management will plan meetings at regular intervals, or if significant changes occur, to assess opportunities for improvement or to manage security threats or other conditions.
- Any suspected violations of technology policies and/or procedures will be provided to the Vice President of Technology for review and due process. Student infractions will be coordinated with the Dean of Students and Student Affairs. Third party service providers who do not comply may be subject to appropriate actions as defined in contractual agreements or other legal remedies available to the College. Non-compliance may result in personal, criminal, civil, or other administrative liability. Chattanooga State reserves the right to temporarily or permanently suspend, block, or restrict access to campus information assets when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability or functionality of Chattanooga State technology assets; to protect Chattanooga State from liability; or to enforce this policy and its related standards and practices.
- Family Educational Rights and Privacy Act (FERPA), 12/2/2011
- Payment Card Industry (PCI) Compliance, 04/01/2016
- State of Tennessee Department of Finance and Administration Office/Office for Information Resources, 12/15/2016
- Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00, 9/26/2014
- Tennessee Board of Regents (TBR) Policy 4:01:05:60, Identity Theft Prevention, 6/19/2009
- Tennessee Board of Regents (TBR) Guideline -051, Password Management, 9/26/2014
- Tennessee Board of Regents (TBR) Guideline -052, Access Control, 9/26/2014
- Tennessee Board of Regents (TBR) Guideline -053, Personal Identifiable Information, 9/26/2014
- Tennessee Board of Regents (TBR) Guideline -054, IT Acceptable Use, 2/21/2017
- Tennessee Board of Regents (TBR) Guideline -070, Records Retention and Disposal of Records, 2/21/2017
- Tennessee Board of Regents (TBR) Guideline -075, Litigation Hold Notice, 11/6/2007
- Chattanooga State Community College 08-15, Security Incidence Report, 5/30/2017
- Chattanooga State Community College 08-17, Computer Access, 5/30/2017
- Chattanooga State Community College 08-18, Network Access, 5/30/2017
Dr. Rebecca Ashford, President, October 24, 2017 (Signature, Date Approved)
Division Name: Technology Division
Policy Number and Title: 08:27:00 Technology Security Program
- Reformatted the whole policy to the new format.
- All pages - Information Technology Services was changed to new division name - Technology Division.
- Removed Section C.
Dr. Rebecca Ashford, President, October 24, 2017 (Signature, Date Approved)