Policy Title: Information Security Policy
Policy Number: 7.0
_____________________________________________________________________________________
Purpose:
This Information Security Policy (this Policy) defines the role of information security in supporting the College’s mission, while fostering an environment to protect the College community from all internal, external, deliberate, or accidental information security threats that may compromise the confidentiality, privacy, and integrity of Institutional Resources.
This Information Security Policy provides the basis for defining and regulating the management of information systems and other information assets. Adhering to these principles is necessary to ensure that information is appropriately secured against the adverse effects of failures in confidentiality, privacy, and integrity that would otherwise occur.
Definitions:
1. Authorized Users means anyone who is authorized to access and use Institutional Resources.
2. College or EWC means Eastern Wyoming College and all campuses, departments, offices, and units affiliated with Eastern Wyoming College.
3. Confidential (Level 2) has its meaning set forth in Administrative Regulation 7.0.1 Information Classification.
4. Contractor means a person officially attached or connected to the College who is not a student or Personnel (e.g., contractors, consultants, vendors, interns, temporary staffing).
5. Highly-Sensitive (Level 3) has its meaning set forth in the Administrative Regulation 7.0.1 Information Classification.
6. Information Technology Resources or IT Resources means any information technology resources owned or managed by the College, or hosted or managed on behalf of the College, including without limitation, networks, servers, websites, applications, and machines.
7. Institutional Data means any information or data, personal or non-personal, regardless of format or location, that is (1) substantive and relevant to the planning, managing, operating, documenting, staffing, or auditing of one or more functions of the College; (2) subject to a legal obligation requiring the College to secure the data; (3) clinical data or research data of the College or its personnel; or (4) used to derive any data element that meets the above criteria.
8. Institutional Resources means all information assets of the College, including IT Resources and Institutional Data.
9. Mission Critical Systems means Institutional Resources that are essential to the operation of the College.
10. Non-Public means any Institutional Data or Institutional Resource that is not classified as Public (Level 1) according to Administrative Regulation 7.0.1 Information Classification.
11. Personally Identifiable Information or PII means any data or information that alone or in combination with other information can identify, or be used to reasonably identify, an individual.
12. Personnel means any individual who works for or on behalf of the College, including, without limitation, faculty, academic advisors, staff, and advisors.
13. Public (Level 1) has the meaning set forth in Administrative Regulation 7.0.1 Information Classification.
14. Visitor means anyone not enrolled at or employed by the College, and includes, but is not limited to, non-registered students, friends, spouses, children, guest speakers, and participants in College-sanctioned events.
Scope:
The College’s Information Security Policy encompasses the following policies:
• Board Policy 7.0 Information Security
• Board Policy 7.1 Gramm-Leach-Bliley Act (GLBA)
• Board Policy 7.2 Accessibility
• Board Policy 7.3 Acceptable Use
• Board Policy 7.4 Visitor – Use of Institutional Resources
• Board Policy 7.5 Security Awareness Training
• Board Policy 7.6 Electronic Communications
• Board Policy 7.7 Emergency Notification
• Board Policy 7.8 Enforcement
• Board Policy 5.7 Family Educational Rights and Privacy Act (FERPA)
The College’s Information Security Policy encompasses the following administrative regulations:
• Administrative Regulation 7.0.1 Information Classification
• Administrative Regulation 7.0.2 Business Continuity and Disaster Recovery
• Administrative Regulation 7.1.1 Risk Management
• Administrative Regulation 7.1.2 Vulnerability Management
• Administrative Regulation 7.1.3 Data Backup
• Administrative Regulation 7.1.4 Authentication and Access Control
• Administrative Regulation 7.1.5 Monitoring and Logging
• Administrative Regulation 7.1.6 Incident Response
This Information Security Policy, which encompasses the GLBA Policy and FERPA Policy, lists a set of policies and administrative regulations, which together constitute the Information Security Program of the College. If any inconsistency is found between this overarching Policy and any of the referenced policies or administrative regulations, the overarching Policy will take precedence. Each of the administrative regulations contains high-level descriptions of requirements and principles. The administrative regulations do not and are not intended to include detailed descriptions of regulation implementation. Such details will, where necessary, be supplied in the form of separate procedural documents.
Within the College’s IT environment, additional regulations may apply to specific computers, computer systems or facilities, software applications, databases and data sources, data types, or networks, and to the uses thereof, or to local workplaces or specific types of activities (collectively, Local Regulations).
Local Regulations must be consistent with policies and administrative regulations, but also may impose additional or more specific requirements or responsibilities on users.
Policy:
The Board of Trustees mandates that the College establish and adhere to its information security policies and administrative regulations in conformance with applicable regulations and laws. To maintain an effective information security program, compliance with these policies, administrative regulations, and laws is mandatory. All Personnel, Contractors, students, and Visitors are expected to comply with all federal, state, and local laws pertaining to the protection of Non-Public information, as well as with campus policies and administrative regulations meant to protect the security of information systems.
Institutional Resources are available to College Personnel, students and, in a limited number of cases, Contractors, Visitors, and the public. Use of all such Institutional Resources is subject to the standards set forth in College policies and administrative regulations. In general, every individual is responsible for:
• Being aware of and practicing safe computer hygiene, including maintaining the confidentiality of usernames and passwords, ensuring browsing occurs on protected networks, and properly disposing of physical and electronic documents containing Non-Public information.
• Paying attention to unexplained system behavior and unsolicited requests for information.
• Watching for inappropriate conduct from all employees and Visitors.
Governance:
Responsibility for the production, maintenance, and communication of this overarching Policy and all related policies and administrative regulations resides with the EWC President, who may delegate that duty to the College’s Chief Information Officer (CIO).
The College establishes, publishes, maintains, and disseminates this Policy to all relevant Personnel, Contractors, students, vendors, and other partners of the College. The Policy is reviewed at least annually, and updates are made, as applicable, based on changes to the College’s environment or applicable laws, regulations, or industry standards.
• The College may audit networks and systems on a more frequent basis to ensure compliance with this Policy. Instances of non-compliance are presented to, reviewed, and approved by the CIO.
• All breaches of information security, actual or suspected, must be reported to and investigated by the CIO and/or his designee as set forth in the Incident Response Administrative Regulation.

Enforcement:
Those who violate this Policy, whether knowingly or unknowingly, may be subject to the following enforcement actions:
1. Forced compliance with the Policy;
2. Disciplinary action, including termination of employment, if a Contractor or Personnel;
3. Disciplinary action, including expulsion from the College, if a student;
4. Suspension or termination of rights to access Institutional Resources;
5. Termination of vendor contract and/or service agreement;
6. Prosecution to the fullest extent of the law; and
7. Other actions deemed appropriate by the College.

References:
Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99
National Institute of Standards and Technology (NIST), Special Publication 800-171, Rev. 2
Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801-6809, §§ 6821-6827

Revision History:
Original Adoption Date: 11/09/21
Revision Date(s): 12/12/23
Date Reviewed, no change: