RSCC Policies & Guidelines
Roane State Community College
Policy Number: GA-18-10
Subject: Information Technology Security Program
- Purpose
Roane State Community College (RSCC) will protect the college’s information resources as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule through an Information Security Program (the “Program”) by:
- Protecting the security and confidentiality of customers’ nonpublic financial information;
- Protecting against any anticipated threats or hazards to the security or integrity of such information; and
- Protecting against unauthorized access to or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
- Definitions
- Customer – person who has a continuing relationship with the college for provision of financial services, such as financial aid.
- Customer Information - any record containing nonpublic personal financial information about a customer.
- Non-public financial information – any record not publicly available that RSCC obtains about a customer in the process of offering a financial product or service, as well as such information provided to the college by another source. Nonpublic financial information includes information that a person submits to apply for financial aid (e.g., tax returns and other financial information), that the college collects from third parties relating to financial aid (e.g., FAFSA information), and that the college creates based on customer information in its possession.
- Security event - an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.
- Policy
- Introduction
TBR institutions are covered by GLBA because they offer and process financial aid applications, provide loans to students, and receive customer information from students and others in connection with those activities.
- Program Coordinator
- The college Chief Information Officer (CIO) will serve as the RSCC Program Coordinator, who shall be responsible for overseeing and implementing the Program. The coordinator may obtain assistance from other sources, but ultimate responsibility for the Program remains with the coordinator.
- The coordinator shall develop the Program to include, but not be limited to:
- Consulting with the appropriate offices to identify units and areas of the college with access to customer information and maintaining a list of the same.
- Assisting the appropriate offices of the college in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and making certain that appropriate safeguards are designed and implemented in each office and throughout the college to safeguard the protected data.
- Working with the college contract officer(s) to ensure that all contracts with third-party service providers that have access to and maintain customer information include a provision requiring that the service provider maintain appropriate safeguards for customer information.
- Working with responsible college officers to develop and deliver adequate training and education for all employees with access to customer information.
- Security and Privacy Risk Assessments
- The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of the safeguards in place to control those risks.
- Risk assessments should include consideration of risks in each office that has access to customer information.
- Risk assessments must be written and include, at a minimum, consideration of the risks in the following areas:
- Criteria for the evaluation and categorization of the identified security risks and threats.
- Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls in the context of identified risks and threats.
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Program will address the risks.
- The college will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Such assessments must reassess the sufficiency of safeguards in place to control the risks.
- Information Security Personnel and Employee Training
- Roane State will utilize qualified information security personnel, whether employed by Roane State or through vendors, sufficient to manage information security risks and to assist in oversight of the Program. Security personnel must be provided with security updates and training sufficient to address relevant security risks. The college will verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
- The Program Coordinator will provide college employees with security awareness training that is updated as necessary to reflect risks identified by the risk assessment. This training may be developed and implemented in conjunction with vendors, the human resources office, and the Office of General Counsel. The training shall occur on a regular basis, as deemed appropriate by the coordinator, and it shall include education on relevant policies and procedures and other safeguards in place or developed to protect customer information.
- Design and Implementation of Safeguards
- The Program will include safeguards to control the risks identified through the risk assessments, including by:
- Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls, to authenticate and permit access only to authorized users and to limit authorized users’ access only to the customer information that they need to perform their duties and functions (or, in the case of customers, to access their own information).
- Identifying and managing the data, personnel, devices, systems, and facilities that enable the college to achieve operational purposes in accordance with their relative importance to operational objectives and risk strategy.
- Protecting by encryption all customer information held or transmitted by the college both in transit over external networks and at rest. To the extent the coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the coordinator may approve a method to secure such customer information using effective alternative compensating controls.
- Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information and procedures to evaluate, assess, or test the security of externally developed applications used to transmit, access, or store customer information.
- Implementing multi-factor authentication for any individual accessing any information system, unless the coordinator has approved in writing the use of reasonably equivalent or more secure access controls.
- Developing, implementing, and maintaining procedures for the secure disposal of customer information. These procedures must be periodically reviewed to minimize the unnecessary retention of data. Disposal must occur no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates unless:
- The information is required to be kept for a longer period in accordance with TBR Policy 1.12.01.00, Records Retention and Disposal of Records; (Access the complete TBR policy at https://policies.tbr.edu/.)
- The information is necessary for operational purposes; or
- Targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
- Adopting procedures for change management.
- Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users.
- The Program must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.
- For information systems, monitoring and testing must include continuous monitoring or periodic penetration testing and vulnerability assessments. In the absence of effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the college must conduct:
- Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
- Vulnerability assessments, including any systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities. Such vulnerability assessments must be conducted at least every six months and whenever there are material changes to college operations, and when circumstances or events may have a material impact on the Program.
- Oversight of Service Providers and Contracts
- Roane State will take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate safeguards for the customer information to which they have access. Service providers must be periodically assessed based on the risk they present and the continued adequacy of their safeguards.
- The college will require, by contract, that current and potential service providers with access to customer information maintain sufficient procedures to detect and respond to security events.
- The college will require, by contract, that all applicable third-party service providers implement and maintain appropriate safeguards for customer information.
- Incident Response Plan
- The Program must include a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the college’s control.
- To the extent the following requirements are not already required by the State of Tennessee’s incident response plan, the coordinator shall ensure that the incident response plan addresses:
- The goals of the incident response plan.
- The internal processes for responding to a security event.
- The definition of clear roles, responsibilities, and levels of decision-making authority.
- External and internal communications and information sharing.
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.
- Documentation and reporting of security events and related incident response activities.
- The evaluation and revision, as necessary, of the incident response plan following a security event.
- Evaluation and Revision of Program
- The coordinator must evaluate and adjust the Program in light of the results of testing and monitoring, any material changes to the college’s operations, the results of risk assessments, and any other circumstances that may have a material impact on the Program.
- The Program must include a plan by which it will be evaluated on a regular basis and a method to revise the Program, as necessary, for continued effectiveness.
- Assessment of the Information Security Program
- The coordinator, in conjunction with the appropriate administrators, shall assess the effectiveness of the Program annually.
- The coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the college organization that may affect the implementation and effectiveness of the Program.
- Annual Reporting to the Board of Regents
The System Office Coordinator will prepare a form for college coordinators to complete and return in sufficient time for inclusion in the report to the Board.
- The CIO of Information Technology shall be responsible for development and maintenance of this policy for issuance by the Vice President for Business & Finance.
Revision History: 01/25/2018
TBR Policy Reference: B-090
Revision Date Effective: 05/02/2023
Revision Approval By: Christopher L. Whaley, President
Original Date Effective: 12/14/2015
Original Approval By: Christopher L. Whaley, President
Office Responsible: Vice President for Business & Finance
Reviewed: 04/13/2023