Roane State Community College

1. Introduction: Roane State Community College will protect the college’s reputation, legal position, and ability to conduct its operations by managing, controlling, and protecting its information resources.
2. Purpose: This policy outlines the college’s commitment to protect confidentiality, integrity and availability of information and the reputation of the organization.
3. Scope: All faculty, staff, students and contract personnel.
4. Responsibilities: All members of the college community share in the responsibility for protecting college resources for which they have access or custodianship. The policy recognizes that people will need adequate information, training, and tools to exercise their responsibilities and that these responsibilities must be made explicit.
5. Definitions:
   
   Asset – Anything that has value to Roane State Community College (RSCC).
   
   Risk - The likelihood of a threat taking advantage of vulnerability and the resulting business impact.
   
   Risk Assessment – The process of risk analysis and risk evaluation by comparing the estimated risk against a given risk criteria to determine the significance of the risk.
   
   Risk Management – The coordinated activities to direct and control risks.
   
   Threat – Potential cause of an unwanted incident, which may result in harm or loss to the college.
   
   Vulnerability – A weakness of an asset or group of assets that may be exploited by one or more threats.
   
   Control – Means of managing risks, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management or legal in nature.
   
   Information Security – Preservation of confidentiality, integrity and availability of information. Additionally, other properties, such as authenticity, accountability, not-repudiation and reliability can be involved.

6. Procedures

   1. Organizational Security

      1. Management Commitment
         The college considers information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the college values the privacy of individuals and is dedicated to protecting the information with which it is entrusted. Therefore, the college is committed to providing the resources needed to ensure confidentiality, integrity, and availability of its information as well as reduce the risk of exposure that would damage the reputation of the college.

      2. The Security Mandate
         The college will protect the confidentiality, integrity, and availability of college information as well as reduce the risk of information exposure that would damage the reputation of the college. This we will call the ‘security mandate’ of the college.

      3. Information Security Infrastructure

   2. Organization and Governance
      In order to promote the security mandate of the college, the President’s Cabinet shall:

      1. Oversee risk management and compliance programs pertaining to information security such as Gramm-Leach-Bliley, Red Flag Rules and PCI.
      2. Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
      3. Strive to protect the interests of all stakeholders dependent on information security.
      4. Review information security policies regarding strategic partners and other third-parties.
      5. Strive to ensure business continuity.
      6. Review provisions for internal and external audits of the information security program.
      7. Collaborate with management to specify the information security metrics to be reported to the board.

   3. Information Security coordination
      In order to promote the security mandate of the college, management shall:

      1. Establish information security management policies and controls and monitor compliance.
      2. Assign information security roles, responsibilities, require skills, and enforce role-base information access privileges.
      3. Assess information risks, establish risk thresholds and actively manage risk mitigation.
      4. Ensure implementation of information security requirements for strategic partners and other third-parties.
      5. Identify and classify information assets.
      6. Implement and test business continuity plans.
      7. Approve information systems architecture during acquisition, development, operations, and maintenance.
      8. Protect the physical environment.
      9. Ensure internal and external audits of the information security program with timely follow-up.
      10. Collaborate with security staff to specify the information security metrics to be reported to management.

   4. Allocation of information security roles and responsibilities
      In order to promote the security mandate of the college, the following management roles shall be assigned in writing by the President’s Cabinet and appropriate boundaries should be set between these roles; note that some roles could either be combined into one person or be filled by consultants:

      1. Chief Information Officer (CIO) is a senior executive with responsibility for college information as an asset, including information technology. The CIO provides leadership and strategic vision for management including security management of information throughout the whole organization.
      2. Information Security Officer (ISO) – has responsibility for the design, implementation, and management of the college's Information Security Program. The ISO promotes a strategic vision for information security, oversees information security policy development and compliance, provides direction on user awareness and education programming, manages large-scale projects and initiatives as needed, and advises senior management on the risks to college information in the context of regulatory, legal, audit, contractual, and other applicable requirements. The ISO provides direction to security policy. This role is assigned to the Chief Information Officer.
      3. Auditor – Responsible for an independent review and examination of information system records and activities that test for adequacy of systems controls, compliance with established policy and operational procedures, and recommend any indicated changes in controls, policy, and procedures.
      4. Office of Counsel – Responsible to offer legal advice to the college. At Roane State this role is provided by Tennessee Board of Regents Office of the General Counsel.
      5. Data Stewards – Those persons responsible to see, within their area of assigned responsibility, that college information is used with appropriate and relevant levels of access and with sufficient assurance of its confidentiality and integrity in compliance with existing laws, rules, and regulations.

   5. Management information security advisory council
      Policy: An information security advisory council will be established by appointment of college executives to advise the CIO on policy issues, functional security issues, issues developing in the member areas of focus, to resolve issues, and liaison with the broader college community.

   6. Authorization process for information processing facilities
      Policy: The establishment of information processing facilities, whether comprised of single or multiple servers or services, will have the express approval of the CIO and be accountable to the CIO.

   7. Relationship with Outside Vendors
      Policy: Contracts or relationships with outside vendors that involve college data or information must be reviewed (or approved) by the CIO. See Vendor Management Procedure.

   8. Cooperation between organizations
      Policy: A comprehensive and effective information security program requires the coordination of all security efforts within the larger institution. The CIO will review the IT Security Program policy with the President’s Cabinet annually.

   9. Independent review of information security
      Policy: Periodic information security audits will be performed by external auditors, either as part of existing financial audits or as established by the Tennessee Board of Regents. Results of the audit will be presented to the CIO and the Internal Auditor who will promote corrective action within the organization.

   10. Security of Third Party Access (Business Agreements)
       Policy: Third party access may put information at risk without careful security management. Third parties requesting access to electronic networks, devices and data will assure compliance to all laws, college policies, and standards such as confidentiality, integrity, and availability, to protect the systems and information. The CIO examines for risk the proposed access by the third party before approving any access. The granting of access is usually for a limited time and is revocable. The CIO will coordinate with the Director of Procurement on all third-party contracts where access to information may be involved. See Vendor Management Procedure.

   11. Outsourcing - security requirements in outsourcing contracts
       Policy: To provide IT services that satisfy college requirements while controlling costs, maintaining flexibility, and providing special expertise as needed. Responsibility for overseeing outsourced relationships resides with senior management including the CIO. The overall vendor “program” should include framing to identify, measure, monitor, and control the risks associated with outsourcing. The contract with third parties includes the service provider’s responsibility for: 1) security and confidentiality of the college’s resources, 2) the protection against unauthorized use, 3) disclosing breaches in security and intrusions, 4) compliance with regulatory requirements, and 5) business continuity plans. The contract also includes college approval rights for any changes to services, systems, controls, key project personnel and locations of service, audits, periodic independent control review reports such as penetration testing, intrusion detection, reviews of firewalls and proper controls. See Outsourcing Procedures.

   12. Risk analysis and assessment
       Policy: RSCC shall regularly evaluate its IT systems and network for threats and vulnerabilities in order to protect its IT assets and reduce RSCC’s risk. An information risk analysis and assessment must be performed every three years and will become the basis of an Information Security Program or series of Programs. Risk controls will be reviewed annually. See Threat-Risk Assessment procedure.

7. Asset Classification and Control

   1. Asset Standards
      Policy: RSCC shall develop a set of IT asset standards to minimize the complexity and the cost of building and managing IT systems. See 410 ITAM101 - IT Asset Standards.

   2. Accountability of Assets
      Policy: IT assets shall be managed and accounted for in a manner consistent with RSCC’s business and technology requirements. See 410 ITAM102 – IT Asset Management.

   3. Asset Assessment
      Policy: RSCC shall assess (evaluate) its IT assets for conformance to college requirements. See 410 ITAM104 Asset Assessment Procedure.

   4. Vendor Management
      Policy: To ensure vendor performance capabilities are sufficient to meet IT requirements and to protect Roane State networks and confidentiality. See 410 ITAM103 IT Vendor Management Procedure.

8. Personnel Security

   1. Job Definition and Resourcing
      Policy: Job descriptions for each IT position will be developed by the director of the department in which the employee is assigned. Job descriptions will be reviewed annually by IT supervisors during the performance review process and upon any change in personnel or status. Job descriptions will be maintained by the Human Resources Department.

   2. User Training
      Policy: To improve RSCC’s performance by reducing training/skill gaps, anticipating RSCC’s training/skill needs, and continually improving training availability and methods, Information Technology will develop and offer user training for Roane State employees. See 420 ITTS105 – IT User-Staff Training Procedure.

   3. Awareness Training
      Policy: IT will provide Information Security Awareness training for all employees annually. Select employees whose jobs entail specific compliance requirements will be required to complete additional training. See GA-18-08 Data and Personally Identifiable Information (PII) Security.

   4. Physical and Environmental Security
      Policy: All College information and technology resources should have appropriate physical and environmental security controls applied commensurate with identified risks. See 430 ITSD109 - IT Physical and Environmental Security Procedures.

   5. Access Control
      Policy: To prevent unauthorized access to or use of college information, to ensure its security, integrity, and availability to appropriate parties.RSCC shall control access to its information to help ensure its confidentiality and integrity. See 430 ITSD106 – IT Access Control.

9. System Maintenance

   1. Security of System Files (Change Management and Systems Update)
      Policy: RSCC will review, evaluate, and appropriately apply software patches in a timely manner. If patches cannot be applied in a timely manner due to hardware or software constraints, IT will document the circumstances. See 440 ITSW101 Change Management and System Update Procedure.

   2. Business Continuity and Disaster Recovery

      1. Business Continuity Plan
         Policy: To ensure continuity of college operations, Roane State will define recovery objectives and to specify a set of procedures for achieving those objectives by developing a Business Continuity Plan.

      2. Disaster Recovery Plan
         Policy: To ensure continuity of college operations, Roane State Information Technology will define recovery objectives and to specify a set of procedures for achieving those objectives. See ITSD104 – IT Disaster Recovery Procedure. Additionally, see Administrative Systems and Networking, Telecommunications and Technical Support Department Plans.

      3. Compliance
         Applicable Legislation and Regulations
         Policy: Roane State will comply with known State and Federal legislation and Regulatory Agency requirements as related to Information Technology.

      4. Records Management
         Policy: Organize and manage IT records in a way that demonstrates controlled, consistent, and effective operations and conformance to Record Retention policies. See 400 ITAD102 IT Records Management Procedures.

      5. Data Protection of Personal Information
         Policy: Roane State will establish a standard for managing Personally Identifiable Information (PII) data on college-owned computers or devices that are used to store or transport sensitive or confidential information. In addition, this policy outlines responsibilities for Roane State employees who have access to such information. See GA-18-08 Data and Personally Identifiable Information Security policy.

      6. Incident Management
         Incident Response
         Policy: To promptly report, investigate, and resolve all incidents that are or may be a threat to secure and effective IT operations and the network. See 430 ITSD108 – IT Incident Handling Procedures.

The Assistant Vice President for Information Technology is responsible for the development and maintenance of this policy for issuance by the Vice President of Business and Finance.