Information Security and Acceptable Use
Overview
This Administrative Procedure defines OCC organizational expectations for responsible
use of OCC information technology by building a culture of information security risk
awareness and mitigation.
Authority
OCC must comply with information security requirements defined by applicable federal
and state regulations, OCC policies, and contractual obligations. This includes, but
is not limited to, Michigan Act 566 (PA of 2006), Family Educational Rights and Privacy
Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Payment
Card Industry Data Security Standard (PCI DSS), Gramm–Leach–Bliley Act (GLBA), the
FBI's Criminal Justice Information Services (CJIS) Security Policy, Department of
Education (DOE), and Digital Millennium Copyright Act (DMCA).
Intellectual Property Ownership
This Policy does not create or supersede any existing ownership rights to intellectual
property. Existing intellectual property ownership rights defined by applicable law,
OCC policy, regulations, or contractual agreements do not change based on storage
location. OCC personnel who may have access to content in the course of performing
job responsibilities do not obtain ownership rights to that content.
Roles & Responsibilities
Appropriate levels of information security can only be achieved with a well-coordinated
team effort across the OCC organization. Stakeholders must work together to identify
risks and take responsibility for appropriate controls.
IT
IT promotes compliance and transparent discussion of risks associated with OCC Information
Technology. IT has oversight responsibility including establishing the Information
Security and Acceptable Use Policy and related Information Security Procedures, testing
for compliance, and reporting risk to internal and external stakeholders.
Data Owners (DO)
The DO is typically the responsible manager or department that collects or is the
primary user of a data asset. DOs are responsible for achieving compliance with this
Policy, applying for exemptions when justified, and accepting residual risk when security
threats cannot be further mitigated. DO responsibilities include approving or denying
requests to access their data and periodically reviewing access assignments and recommending
or taking corrective action if inappropriate access is detected.
Data Custodian (DC)
The DC is designated by IT and assists with the ongoing operational tasks of managing
information assets. For example, server and application administrators and software
developers may be considered DCs.
Data User (DU)
DUs are the individuals whom the DOs authorized to access a data asset. DUs typically
have no role in determining the security requirements for the information asset or
performing server or application maintenance. Nonetheless, DUs must understand and
abide by the security requirements of the information asset and the expectations of
this Policy.
Data Classification
All College Data is subject to a risk-based data classification standard maintained
by IT and must be protected accordingly. The classifications are Confidential Data, Controlled
Data, and Public Data. Data classification is the primary factor for establishing
necessary security controls. Additional controls may be warranted for systems where
integrity, availability, and/or accountability requirements are more critical than
the requirements for confidentiality.
Confidential Data
Confidential data is information pertaining to a person or entity that, if released
to the public or used carelessly (criminal act), could reasonably be expected to put
the person or the entity at risk of damage to their financial standing, employability
or reputation. The College is bound by law to protect some types of confidential data.
Confidential data should be shared only as mandated by law or as required for administrative or educational functionality. Examples of confidential data include the following:
Controlled Data
Controlled data is defined as information that is not confidential, but can be used
as personally identifiable or private information. This data must be guarded due to
proprietary, ethical or privacy considerations and must be protected from unauthorized
access, modification, transmission, storage or
other use.
This data is releasable in accordance with the Michigan Freedom of Information Act. Controlled data is generally restricted to users who have a legitimate purpose for accessing such information. Controlled data must be appropriately protected to ensure a controlled and lawful release.
One piece of Controlled data cannot in and of itself be used to identify anyone. Two or more pieces of data are needed. Examples of Controlled data include:
Public Data
Public data is information that is open to the public and that can be freely given
to anyone without any damage to the College or to an individual. Public data, while
subject to College posting or disclosure procedures, is available to all users and
to all individuals and entities external to the College community.
Examples of public data include:
General
OCC Information Technology is provided for the purpose of conducting the business
of OCC. However, Users are permitted to use OCC Information Technology for use that
is incidental to the User's official duties to OCC as permitted by this Policy.
Users have no expectation of privacy when using OCC Information Technology except as otherwise provided by OCC's Privacy Policy and applicable privacy laws. OCC has the authority and responsibility to access and monitor OCC Information Technology for purposes consistent with OCC's duties and mission.
College Data created or stored on a User's personally owned computers, mobile computing devices, removable storage devices, or in databases that are not part of OCC's Information Technology are subject to Public Information Requests, subpoenas, court orders, litigation holds, discovery requests and other requirements applicable to OCC Information Technology. The table below is provided to help Users understand the expectations associated with various scenarios involving data and computing devices:
| | OCC Information Technology | Personally Owned Computing Device |
| College Data | | |
| Personally owned Data | | |
Users shall never use OCC Information Technology to deprive access to individuals otherwise entitled to access College Data; to circumvent OCC information security measures; or in any way that is contrary to OCC's mission or applicable law.
Users in violation of Computer Fraud and Abuse Act of 1986 & Title 18 U.S.C. Sec 1030 (CFAA) will be subject to OCC disciplinary actions and may be turned over to Law Enforcement. Users may not intentionally deny access to designated administrators of OCC Information Technology.
Users may not delete logs from systems to hide possible security violations or prevent authorized investigations. This does not apply when done for other purposes, such as de-identifying research data.
All employee users shall complete initial and annual training covering general information security best practices. In addition, some employees may be required to complete and/or attend training on information security specific to their role(s) in the organization, as recommended and/or directed by the Chief Information Officer, the employee's supervisor, or designee(s).
Users should report misuse of OCC Information Technology or violations of this Policy to their management, to the IT Support Center, or to the CIO.
Confidentiality & Security of Data
Guidelines for Confidential Data and Controlled Data
Access to Confidential Data
Access to Confidential data is given to authorized users who have a business need
to know.
Electronic access must be protected by a strong password, and users shall log out, lock, or secure documents and computers prior to leaving their work area. Departments should promptly notify the Information Technology Department of personnel changes.
Users shall access College Data only to conduct OCC business and only as permitted by applicable confidentiality and privacy laws. Users must not attempt to access data on systems they are not expressly authorized to access.
Users shall not disclose Confidential Data or Limit Access Data except as permitted or required by law and only as part of their official duties on behalf of OCC. Users may not use security-testing tools (e.g. password crackers, vulnerability scanners and/or exploitation code) from and/or against OCC Information Technology unless required for performance of official duties on behalf of OCC and approved by IT.
IT may temporarily limit or disable network connectivity for devices that pose a significant threat or disruption to OCC Information Technology or College Data.
OCC Information Technology may be observed by IT personnel responding to an investigation or incident, at the direction of OCC's Chancellor, OCC Human Resources, OCC Counsel, and/or law enforcement.
Electronic Distribution of Confidential Data
Confidential data must be encrypted during transmission over unsecured networks. Electronic
distribution of confidential data must be encrypted if sent to approved recipients
with the College email system, supported by the College. Email must be encrypted or
password protected to approved recipients outside of College premises. Transmission
of data must be via a secure method, such as secure file transfer protocol (SFTP).
Third party agreements with outside vendors must require encryption or password protection.
Instant messages, Google Docs, Dropbox, SkyDrive and similar Cloud services are not
to be used for electronic transmission of confidential data.
Electronic Distribution of Controlled Data
There are no restrictions to approved recipients within the College via the email
system supported by the College for limited information. If this information is sent
to approved recipients outside of the College email system it must be encrypted, password
protected, sent via private link, or faxed. Instant messages, Google Docs, Dropbox,
SkyDrive and similar Cloud services are not to be used for electronic transmission
of this data.
Storage of Confidential Data and Controlled Data
Information on paper must be stored in a locked drawer or other locked and secure
location. It may not be downloaded or stored on laptops, flash drives or external
removable media. The data may be downloaded on desktop personal computers temporarily
for manipulation or processing. Backup files of confidential data must be encrypted.
Individual access controls shall be implemented at the network folder or directory level for Controlled electronic data. Google Docs, Dropbox, SkyDrive and similar Cloud services are not to be used for electronic transmission of this data.
Confidential Data or other information essential to the mission of OCC should be stored on an OCC managed network server when possible, rather than on an OCC-owned desktop workstation, laptop, or portable device.
Users are encouraged to store any College Data on OCC Information Systems, rather than personally owned equipment.
In cases when a User must create or store Confidential Data on a local hard drive or a portable device such as a laptop computer, tablet computer, or smart phone, the User must ensure the data is encrypted in accordance with OCC and any other applicable requirements.
Users may not store College Data with a third-party storage service (often referred to as "cloud" storage) unless the service has been approved by IT. Because some computing devices are configured to automatically connect to potentially insecure remote storage services, Users are encouraged to confirm current settings on any computing devices used to access College Data and disable features they do not intend to use (e.g. personal Google Docs/Photos, iCloud, Dropbox, etc.).
Guidelines for Public Data
There are no restrictions for access to public information.
Distribution of Public Data within the College
There are no restrictions to public information distributed within the College.
Distribution of Public Data outside of the College
There are no restrictions to public information distributed outside of the College.
Electronic distribution of Public Data
There are no restrictions to electronic distribution of public information.
Storage of Public Data
There are no restrictions to storage of public information.
Incidental Use of OCC Information Technology
Incidental Use of OCC Information Technology must not interfere with User's performance
of official OCC business, pose an unreasonable burden on system resources, result
in direct costs to OCC, expose OCC to unreasonable risks, or violate applicable laws
or other OCC Policy.
Users are encouraged to use personally owned Technology, rather than OCC Information Technology, for conducting personal computing and must understand that personally owned content stored on OCC Information Technology may be visible to OCC personnel whose job responsibilities involve the management and monitoring of OCC Information Technology.
A User's Incidental Use of OCC Information Technology does not extend to the User's family members or others regardless of physical location.
Incidental Use may include communications such as e-mails, web pages, and social media posts; if such communications could be reasonably interpreted as expressing the opinion or position of OCC, they should be accompanied by a disclaimer (e.g. "The opinions expressed are my own, and not necessarily those of my employer, Oakland Community College"). Incidental Use to conduct or promote the User's outside employment, including self-employment, is prohibited.
Incidental Use for purposes of political lobbying or campaigning is prohibited.
Accessing, creating, storing, or transmitting sexually explicit materials during Incidental Use is prohibited. Questions regarding whether particular content is "sexually explicit material" should be directed to OCC Vice Chancellor of the affected Academic/Business area.
Email
Emails sent or received by Employees/Contractors in the course of conducting OCC business
are College Data that are subject to state records retention and security requirements.
Emails sent or received by Students from student.oaklandcc.edu domain are not subject
to state records retention but are OCC managed accounts and there should be no expectation
of privacy.
Employees/Contractors are expected to use OCC-provided email accounts for conducting
OCC business, rather than personal email accounts; Employees/Contractors are encouraged
to use personal email accounts for conducting personal communication and business,
rather than OCC-provided email accounts.
Emails containing Confidential Data must be encrypted with tools and processes approved
by IT in order
to reduce risk of interception.
The following email activities are prohibited when using an OCC-provided email account:
Portable and Remote Computing
All electronic devices including personally owned computing devices used to access,
create or store Confidential Data or Controlled Data must be protected by mechanisms
(e.g. passwords or biometrics) that limit access to authorized Users, in accordance
with OCC Information Security Procedures. Any computing device on which Confidential
Data is stored or created must be encrypted in a manner which protects the Confidential
Data from unauthorized access.
College Data created and/or stored on personal computers, other computing devices and/or non-OCC Information Technology should be transferred to OCC Information Technology as soon as feasible (for example, to your network H:\ drive).
All remote access to Confidential Data and Controlled Data must be accomplished using an encrypted method approved by IT (client VPN on OCC issued equipment, point to point VPN with partner vendors, SSH, Remote Desktop Gateway, and VMware Horizon client on personal or OCC equipment).
Portable computers, smart phones, and other computing devices are targets for theft. Because of this, Users are expected to take reasonable precautions to physically secure OCC Information Technology or personally owned computing devices containing College Data. This is especially important when theft is likely (e.g. place inside vehicle trunk when traveling; do not leave unattended at a coffee shop or food court; and/or lock in hotel safe when provided).
Access Control
Each individual provided with a system account shall maintain securely and never disclose
his/her account password or credentials or knowingly permit another individual to
access OCC Information Systems via his/her account, except in accordance with a lawful
investigation. Any individual who knowingly accesses OCC Information Systems with
a user account not specifically assigned to him/her is in violation of this Policy.
Similarly, Users may not share individually-assigned access control devices (e.g.
Door Cards/Badge, hardware tokens, and/or door keys) unless necessary to preserve
life safety.
Computing accounts will be assigned to individuals, except when a shared account is justified by the functions being performed. Accounts designed specifically for a shared purpose or specific system task, such as facilitating data backups or scheduled batch processing, will be granted only in cases when absolutely necessary and will be shared with as few individuals as necessary to effectively perform OCC operations. Computing accounts providing access to OCC Information Systems will only be created when necessary to achieve OCC objectives. Access privileges will be assigned to provide the minimum necessary permission to perform job responsibilities.
OCC Information Systems are subject to risk-based authentication configuration settings defined in Information Security Procedures (e.g. password length, complexity, and 2-factor authentication). Account credentials should not be hard coded into scripts, software code, or system configurations. When hard coding credentials is deemed necessary, system owners will store these files in a secure manner and will maintain sufficient documentation to allow periodic manual changes to passwords or other credentials.
When employment relationships are subject to change or termination, responsible management will participate in checkout processes defined by Human Resources to ensure timely disabling of system access.
In order to limit the possibility of malicious access, IT may disable computing accounts based on reasonable indication that the account has been disclosed to, or compromised by, a malicious third party. IT shall assist in re-establishing control of the account by the intended User.
OCC Information Systems access should be designed to maintain separation of duties to reduce the risk of a malicious individual performing conflicting activities (e.g. requesting system access while also approving one's own system access). Compensating controls such as log monitoring and system enforced thresholds may also be implemented when conflicting duties cannot be separated.
Computer Systems Security
All OCC Information Systems, including production and non-production systems, must
be configured and operated in accordance with Information Security Procedures.
All OCC Information Systems should be updated with the latest compatible software patches. This includes patches for the operating system and third-party applications. High-priority patches may need to be installed outside of routine change control procedures at the request of IT Management in order to address critical security vulnerabilities.
IT may participate at key steps of projects involving access to Confidential Data or Controlled Data. IT should assess security controls and notify stakeholders of risks prior to introducing new solutions into production. Costs of security testing, if applicable, will be considered part of the project budget.
All software used at OCC, including commercial and open source, must be used in compliance with End User License Agreements (EULAs). Software requiring fees for usage may not be used in a manner intended to avoid paying such fees.
Harmful or unlicensed software should be removed from OCC Information Systems at the direction of IT. All desktop and laptop computers located in unsecured areas (e.g., classrooms, labs, and hallways) will be equipped with lockdown hardware to prevent the theft of the equipment from OCC facilities.
Backup & Recovery
OCC Information Systems are subject to backup procedures and methods to ensure continuity
of operations. Data backups must be performed according to a schedule consistent with
data retention and destruction requirements appropriate for the data type and classification.
Backups must be periodically tested to ensure functionality.
When backup media is retired, it must be destroyed according to Information Security Procedures.
Data Destruction
Data must be stored and retained according to the OCC Records Retention Schedule.
To prevent access to Confidential Data by unauthorized parties, storage media must
be destroyed according to Information Security Procedures.
Storage media (e.g. hard drives, flash memory, magnetic data tapes, and floppy disks) must be securely overwritten before reuse and physically destroyed at the end of the useful life of the device. Paper and CD/DVD optical media must be securely shredded in a manner sufficient to prevent reassembly.
OCC-issued mobile computing devices are subject to electronic erase or factory reset procedures before the device is issued to another User or retired from service.
Vendors who host data remotely must provide OCC with a certificate of data destruction upon termination of the contract.
Physical Security
Locations that support access to OCC Information Systems must be protected in accordance
with value of the information assets at risk. High-risk locations include, but are
not limited to, data centers, server closets, wiring closets, file rooms, and labs.
Users are encouraged to wear OCC identification in restricted access areas.
Users who work in restricted access areas should remain aware of unidentified individuals who may attempt to gain access.
Locked doors protecting restricted access areas should not be propped open if unattended.
Users will maintain a workspace where Confidential Data or Controlled Data is stored in a manner to mitigate risk of observation or theft by unauthorized parties (e.g. locked offices, locked file cabinets, and/or privacy screens).
Third-Party Vendors
All third-party vendors that host or access College Data are subject to assessment
by IT. Contracts with third parties will include expectations for information security.
Third parties will be expected to protect OCC Information Systems and College Data
with security equal to or better than levels defined in this Policy and applicable
Information Security Procedures. All third parties performing tasks or data processing
for OCC are required to notify OCC immediately if a security incident has occurred,
or is suspected to have occurred.
Business Continuity Planning
Individuals responsible for critical operations must maintain a business continuity
plan which accounts for facilities, equipment, staffing, and OCC Information Systems
needs.
Exemptions
Compliance with all elements of this Policy may not be possible in some situations
given the tradeoffs between risk, cost, and operational impact. Users may request
exemptions to elements of this Policy; requests will be subject to approval or denial
by the CIO within 30 days of the request when possible. When applicable, DOs will
be asked to accept risks associated with non-compliance. Exemption requests should
include an explanation of why compliance with specific Policy elements is not feasible
and should describe compensating controls that are in place to reduce risk. Approved
exemptions will include an expiration date and be tracked by IT.
Exemption requests not approved by the CIO may be appealed to OCC's Chancellor.
Disciplinary Actions
Instances of noncompliance, or attempted noncompliance, may constitute a security
violation that is subject to investigation and possible disciplinary action, civil
prosecution, and/or criminal prosecution in accordance with applicable policies and
laws.
Violations may result in disciplinary action by Human Resources in accordance with
pertinent policies, up to and including termination of work relationships. Students
involved in violations will be referred to the Dean of Student Services. Suspected
illegal activities will be escalated to OCC Public Safety and
appropriate law enforcement agencies.
This Policy does not create or supersede any existing OCC processes for taking disciplinary action. IT shall not take direct disciplinary action against a User; however, IT may participate in existing OCC processes for taking disciplinary action.
Server and application administrators may be called upon to provide information to support a disciplinary investigation or similar purpose. Accessing emails, log files, or other data for investigative purposes (not to be confused with routine operations, troubleshooting, and system management) without proper authorization, particularly in retaliation for whistleblower complaints, is an actionable abuse of privilege.
Data Breach
A data breach is any instance in which there is an unauthorized release or access
of PII or other information not suitable for public release. This definition applies
regardless of whether an organization stores and manages its data directly or through
a contractor, such as a cloud service provider. Data
breaches can take many forms including:
In the event of a data breach or suspected breach of data, details should be reported to the IT Support Center immediately for evaluation and mitigation.
Confidentiality
Anyone involved with the discovery of, or the response to an IT security incident
(breach, etc.), should handle event details with the greatest level of confidentiality.
Information should only be shared on a ‘need to know’ basis and only with those who
are involved with the response to the incident. In the
event of an IT security incident, uncontrolled release of details about the nature
of the event and/or the information compromised in the incident can cause three negative
outcomes:
Acceptable Use
By acknowledging this Information Security and Acceptable Use Policy, users are acknowledging
Policies for Acceptable Use.
User Acknowledgement
Users must acknowledge that they have received access to and read the Information Security
and Acceptable Use Policy. They must understand and agree that use of OCC Information
Technology is conditional upon agreement to comply; noncompliance may result in disciplinary
action as outlined above.
Definitions (alphabetical order)
Confidential Data: The subset of College Data that is private or confidential by law or otherwise exempt
from public disclosure (e.g. Social Security Numbers, personally identifiable Medical
and Medical Payment information; Driver's License Numbers and other government-issued
identification numbers; Education Records subject to the Family Educational Rights
& Privacy Act (FERPA); financial account numbers, and/or other College Data about
an individual likely to expose the individual to identity theft).
Controlled Data: The subset of College Data that is not created for or made available for public consumption but that is subject to release under the Public Information laws (e.g. network diagrams, OCC emails, and/or OCC-ID number).
College Data: This Policy uses the term College Data to refer to data for which OCC has a responsibility for ensuring appropriate information security or would be liable for data exposure, as defined by applicable law, OCC policy, regulations, or contractual agreements. College Data may include information held on behalf of OCC or created as a result and/or in support of OCC business (e.g. financial records, personnel records, officially maintained student records, and/or records of official OCC committees), including paper records. This definition does not imply, address, or change intellectual property ownership.
Incidental Use: Occasional personal use of OCC Information Technology. Activities related to official duties on behalf of OCC, such as research and teaching, are not Incidental Use.
Information Security Procedures: Documented controls specified for specific technology components which, when implemented, reduce risk of compromise (e.g. change default passwords, disable unnecessary services, apply current compatible patches, include in backup scheme).
IT: The Information Technology department is led by the Vice Chancellor of Information Technologies/Chief Information Officer, and is assigned responsibility for planning and ongoing operation of college owned information technology such as telecommunications networks, computers, software, databases, system integration and hosted solutions.
Mobile computing device: Laptops, tablets, smart phones, or other devices designed to be easily portable that are capable of creating, storing, or processing College Data.
OCC: Oakland Community College
OCC Information Technology: All computer and telecommunications equipment, software, data, and media, owned or controlled by OCC or maintained on its behalf.
Public Data: The subset of College Data intended for public consumption (e.g. marketing materials, press releases, public websites, published papers, and/or OCC-issued email address).
User: Any individual granted access to OCC Information Technology, including guests and contractors.