Procedures
Organizational Security
Management Commitment
The college considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the college values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, the college is committed to providing the resources needed to ensure confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the college.
The Security Mandate
The college will protect the confidentiality, integrity, and availability of college information as well as reduce the risk of information exposure that would damage the reputation of the college. This we will call the ‘security mandate’ of the college.
Organization and Governance
In order to promote the security mandate of the college, the President’s Cabinet shall:
Information Security coordination
In order to promote the security mandate of the college, management shall:
Allocation of information security roles and responsibilities
In order to promote the security mandate of the college, the following management roles shall be assigned in writing by the President’s Cabinet and appropriate boundaries should be set between these roles; note that some roles could either be combined into one person or be filled by consultants:
Management information security advisory council
Policy: An information security advisory council will be established by appointment of college executives to advise the CIO on policy issues, functional security issues, and issues developing in the members’ areas of focus; to resolve issues; and to liaise with the broader college community.
Authorization process for information processing facilities
Policy: The establishment of information processing facilities, whether comprised of single or multiple servers or services, will have the express approval of the CIO and be accountable to the CIO.
Relationship with Outside Vendors
Policy: Contracts or relationships with outside vendors that involve college data or information must be reviewed (or approved) by the CIO. See Vendor Management Procedure.
Cooperation between organizations
Policy: A comprehensive and effective information security program requires the coordination of all security efforts within the larger institution. The CIO will review the IT Security Program policy with the President’s Cabinet annually.
Independent review of information security
Policy: Periodic information security audits will be performed by external auditors, either as part of existing financial audits or as established by the Tennessee Board of Regents. Results of the audit will be presented to the CIO and the Internal Auditor who will promote corrective action within the organization.
Security of Third Party Access (Business Agreements)
Policy: Third party access may put information at risk without careful security management. Third parties requesting access to electronic networks, devices and data will assure compliance with all laws, college policies, and standards such as confidentiality, integrity, and availability, to protect the systems and information. The CIO examines the proposed third-party access for risk before approving any access. The granting of access is usually for a limited time and is revocable. The CIO will coordinate with the Director of Procurement on all third-party contracts where access to information may be involved. See Vendor Management Procedure.
Outsourcing - security requirements in outsourcing contracts
Policy: To provide IT services that satisfy college requirements while controlling costs, maintaining flexibility, and providing special expertise as needed. Responsibility for overseeing outsourced relationships resides with senior management including the CIO. The overall vendor “program” should include a framework to identify, measure, monitor, and control the risks associated with outsourcing. The contract with third parties includes the service provider’s responsibility for: 1) security and confidentiality of the college’s resources, 2) protection against unauthorized use, 3) disclosing breaches in security and intrusions, 4) compliance with regulatory requirements, and 5) business continuity plans. The contract also includes college approval rights for any changes to services, systems, controls, key project personnel and locations of service; audits; and periodic independent control review reports such as penetration testing, intrusion detection, and reviews of firewalls and proper controls. See Outsourcing Procedures.
Risk analysis and assessment
Policy: RSCC shall regularly evaluate its IT systems and network for threats and vulnerabilities in order to protect its IT assets and reduce RSCC’s risk. An information risk analysis and assessment must be performed every three years and will become the basis of an Information Security Program or series of Programs. Risk controls will be reviewed annually. See Threat-Risk Assessment procedure.
Asset Classification and Control
Asset Standards
Policy: RSCC shall develop a set of IT asset standards to minimize the complexity and the cost of building and managing IT systems. See 410 ITAM101 - IT Asset Standards.
Accountability of Assets
Policy: IT assets shall be managed and accounted for in a manner consistent with RSCC’s business and technology requirements. See 410 ITAM102 – IT Asset Management.
Asset Assessment
Policy: RSCC shall assess (evaluate) its IT assets for conformance to college requirements. See 410 ITAM104 Asset Assessment Procedure.
Vendor Management
Policy: To ensure vendor performance capabilities are sufficient to meet IT requirements and to protect Roane State networks and confidentiality. See 410 ITAM103 IT Vendor Management Procedure.
Personnel Security
Job Definition and Resourcing
Policy: Job descriptions for each IT position will be developed by the director of the department in which the employee is assigned. Job descriptions will be reviewed annually by IT supervisors during the performance review process and upon any change in personnel or status. Job descriptions will be maintained by the Human Resources Department.
User Training
Policy: To improve RSCC’s performance by reducing training/skill gaps, anticipating RSCC’s training/skill needs, and continually improving training availability and methods, Information Technology will develop and offer user training for Roane State employees. See 420 ITTS105 – IT User-Staff Training Procedure.
Awareness Training
Policy: IT will provide Information Security Awareness training for all employees annually. Select employees whose jobs entail specific compliance requirements will be required to complete additional training. See GA-18-08 Data and Personally Identifiable Information (PII) Security.
Physical and Environmental Security
Policy: All College information and technology resources should have appropriate physical and environmental security controls applied commensurate with identified risks. See 430 ITSD109 - IT Physical and Environmental Security Procedures.
Access Control
Policy: To prevent unauthorized access to or use of college information, to ensure its security, integrity, and availability to appropriate parties. RSCC shall control access to its information to help ensure its confidentiality and integrity. See 430 ITSD106 – IT Access Control.
System Maintenance
Security of System Files (Change Management and Systems Update)
Policy: RSCC will review, evaluate, and appropriately apply software patches in a timely manner. If patches cannot be applied in a timely manner due to hardware or software constraints, IT will document the circumstances. See 440 ITSW101 Change Management and System Update Procedure.
Business Continuity and Disaster Recovery
Business Continuity Plan
Policy: To ensure continuity of college operations, Roane State will define recovery objectives and specify a set of procedures for achieving those objectives by developing a Business Continuity Plan.
Disaster Recovery Plan
Policy: To ensure continuity of college operations, Roane State Information Technology will define recovery objectives and specify a set of procedures for achieving those objectives. See ITSD104 – IT Disaster Recovery Procedure. Additionally, see Administrative Systems and Networking, Telecommunications and Technical Support Department Plans.
Compliance
Applicable Legislation and Regulations
Policy: Roane State will comply with known State and Federal legislation and Regulatory Agency requirements as related to Information Technology.
Records Management
Policy: Organize and manage IT records in a way that demonstrates controlled, consistent, and effective operations and conformance to Record Retention policies. See 400 ITAD102 IT Records Management Procedures.
Data Protection of Personal Information
Policy: Roane State will establish a standard for managing Personally Identifiable Information (PII) data on college-owned computers or devices that are used to store or transport sensitive or confidential information. In addition, this policy outlines responsibilities for Roane State employees who have access to such information. See GA-18-08 Data and Personally Identifiable Information Security policy.
Incident Management
Incident Response
Policy: To promptly report, investigate, and resolve all incidents that are or may be a threat to secure and effective IT operations and the network. See 430 ITSD108 – IT Incident Handling Procedures.
The Assistant Vice President for Information Technology is responsible for the development and maintenance of this policy for issuance by the Vice President of Business and Finance.