The Lone Star College System is committed to preserving the security, confidentiality, integrity and availability of all forms of information used and maintained on behalf of faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals consistent with Lone Star College Systemís mission. Improper disclosure, modification, or destruction of information may result in harm to the operation of LSCS in support of its mission. As a result, specific procedures will be developed to help administer and manage the storage, processing and use of computer-based information. This Board Policy Section Vlll is in addition to all other provisions within the Board Policy Manual relating to Information Security and the storage, processing and use of computer based information; and this Section VIII shall take precedent in the event of any conflict or omission.
Information security is in part a risk management discipline addressing the preservation of information confidentiality, integrity and availability. All information is identified, valued, assessed for risk and protected as appropriate to the needs of LSCS. The information security effort is established via a hierarchical set of industry best practices and frameworks (e.g. ISO 27002) that help users and administrators to define and mitigate risks, maintaining a trade-off between information value and the cost of risk mitigation.
This policy presents the philosophy for information security within the Lone Star College System (LSCS, referred to as ďthe SystemĒ). It defines the fundamental requirement for the acceptable use and security in the transmission of all LSCS information.
LSCS values the ability to openly communicate and share information. LSCS information (whether belonging directly to LSCS or held in trust on behalf of its students or employees) must be safeguarded. Any person or organization that provides or uses LSCS information, or Information Technology (IT) assets within LSCS, has the individual and continual responsibility to maintain the confidentiality, integrity, and availability of this information. As such, all LSCS information users are required to abide by this policy and subsequent procedures and standards, as a condition for being granted access. Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Section IV).
The Policy covers all information and electronic methods in the transmission of information that are owned or leased by LSCS. The methods of transmission may include but are not limited to:
This policy applies to all individuals and processes that access, view, use, or control LSCS information. Those individuals covered include, but are not limited to faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals consistent with Lone Star College Systemís mission.
The LSCS Board of Trustees reconfirms its commitment to the free and unfettered exchange of ideas that is the hallmark of an institution of higher education and the rights of employees and students to access, debate, disagree and discuss all educational materials without respect to the popularity or controversial nature of the ideas conveyed.
Using LSCSís electronic assets for abusive, unethical, or inappropriate purposes will not be tolerated and may be considered grounds for disciplinary action, including but not limited to termination of any and all access without prior notice.
LSCS provides Information Technology resources for the use of students, employees and others affiliated with the System for educational or System-related activities and to facilitate the efficient exchange of useful information. LSCS affiliates include, but are not limited to, all university, K-12 dual credit or other students and employees associated with or enrolled in programs delivered by these entities. As set forth within this Section VIII Information Security Policy, students, employees and LSCS affiliates may use the IT resources provided by LSCS including, but not limited to, computers, hardware devices, software packages, electronic mail (e-mail), and the LSCS network and software. All users are expected to conduct themselves in compliance with all policies of LSCS and relevant laws of the United States and Texas, and to observe the same high ethical and professional standards when communicating through computing resources as are required in face-to-face or other written communications.
Access to LSCS Information Technology (i.e. networks, computer labs, internet and electronic mail) is a privilege that is extended to current employees, students and former LSCS retired employees that are in good standing. Email services may be revoked with the termination of employment or may end with the failure to re-enroll in an LSCS educational program. LSCS email accounts will be issued only to those identified within this Section 2.3. LSCS reserves the right to access the E-mail system to engage in routine computer maintenance and housekeeping, to carry out internal investigations, to prepare responses to requests for public information or to disclose messages, data or files to law enforcement authorities, or for any other legitimate purposes of the System.
LSCS cannot guarantee the privacy or confidentiality of electronic documents, and any messages or information. A person that requires the assurance that such information is not disclosed to unauthorized entities or process, or by law, should not communicate over unsecured shared networks and/or by the E-mail system.
All access to networked systems must be logged. When determined to be critical to LSCS, the logging of transactions must be included regardless of the operating platform. Log data must be classified as sensitive. These logs must be retrievable through clearly defined procedures and must be maintained for time periods prescribed for audit, legal, and recovery purposes. As new applications, platforms, mediums, or other technical changes to system operations are made - and if practical and/or technically affordable - consideration of logging requirements and availability must be made. Requirements for logging data must be clearly established as system, architectural, technical, or network designs.
Messages sent as electronic mail should meet the same standards for distribution, display, and retention as if they were tangible documents or instruments. As with all records maintained by LSCS, and to the extent required by law, files saved as LSCS information, including e-mail, may be subject to public disclosure in response to a public information request.
The following conduct by users of LSCS information technology resources will be treated as a violation of this policy and may subject the user to discipline, including loss of computing privileges, up to and including termination for an LSCS employee and dismissal for a student:
Nothing in this policy shall prohibit LSCS or college system operators from intercepting and stopping e-mail messages, other computer programs, or websites, which have the capacity to overload any computer resource. Overloading of computer resources is defined as the l use of computational resources, such as bandwidth, disk space, or CPU time that adversely impact LSCS information assets. Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Section IV).
LSCS Policy Manual Section VIII.A.2.08 Social Media removed by Board of Trustees on June 7, 2012
It is the responsibility of all employees and students to take reasonable steps to implement information security via appropriate procedures, and controls.
Users are prohibited from attempting to circumvent or subvert LSCS information systemís security measures. This does not preclude the use of security tools by appropriately authorized personnel. While the following list provides examples of disallowed practices, it is not a comprehensive list and is intended to only provide examples:
Disaster Recovery (DR) is comprised of plans and activities designed to recover technical infrastructure and restore critical business applications to an acceptable condition. DR is a component of Business Continuity Planning (BCP), which is the process of ensuring that essential business functions continue to operate during and after a disaster. LSCS OTS shall be responsible for the System Disaster Recovery. Business Continuity Plans must be developed with requirements based on the specific risks associated with the process or system. All staff must be made aware of the Business Continuity Plan and their own respective roles. Each Lone Star College and each Lone Star College System administrative unit shall be responsible for their respective Business Continuity Plans. A formal process for developing disaster recovery plans must be established and aligned with the Business Continuity Planning requirements.
Incident Response is a predefined process to establish information security requirements for response to unplanned computer system events, including network intrusions, denial of service, computer virus outbreaks, and other outages that negatively impact the availability of LSCS systems, applications, and/or information assets. Information security incident response procedures must include, but are not limited to, the following:
Access to LSCS information systems by third party vendors (i.e. contractors, partners, vendors, lessees) requires appropriate controls to protect LSCS information assets. All third parties that have access to LSCS information assets must comply with LSCS information security policies and may be required to show proof of such compliance at any time.
Periodic reviews and revisions of security controls, policies, and procedures will be conducted by authorized LSCS officers, auditors or by contracted independent third party. Additionally, periodic risk assessments of information technology systems and processes will be conducted to ensure that evolving risks are being appropriately addressed.
Ongoing security awareness for faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals consistent with Lone Star College Systemís mission on established security policies and procedures will be conducted. Security awareness refers to communicating security concepts in a variety of ways in order to make the above referenced individuals, groups and entities as a whole more security-aware.
With assistance of LSCS OTS, Human Resources will ensure that all employees receive information security training. Human Resources will require that all employees certify security training they received and shall maintain records to indicate the status of employee security training. Security training refers to specific training activities and accompanying materials in protecting LSCS information resources and in teaching to employees about security as it applies to their job.
It is the policy of the Lone Star College System to ensure that there are guidelines, safeguards, and controls in place to effectively manage and protect confidential information in accordance with applicable laws, regulations, and best practices. Such confidential information includes, but is not limited to, social security numbers, educational records as defined by the Family Educational Rights and Privacy Act ("FERPA"), health care information as defined by the Health Insurance Portability and Accountability Act ("HIPAA"), and customer information as defined by the Gramm Leach-Bliley Act ("GLB Act").
The Chancellor, or designee, will serve as the Information Security Officer (ISO). The ISO is responsible for assisting in governance, policy creation, identifying roles and responsibilities, risk assessment, awareness, and communication of the information security program. The ISO is responsible for establishing the strategies for implementing and enforcing security policies and for advising on security-related issues.
Security Policy and Compliance Governance is provided by a multi-disciplinary group that reviews and endorses information security policy objectives and strategies. They agree to the roles and responsibilities for information security across the System as defined in specific procedures. They promote and provide support for information security initiatives throughout the System. The governance is led by executive management and includes representatives from:
Security Operations translates security policies into technical requirements, standards, and solutions. They are responsible for tactical and security administration of the infrastructure and defining processes for implementing new policies. This may include the implementation and maintenance of technical controls such as firewalls, intrusion detection systems, anti-virus solutions, and network/host-based monitoring solutions. The OTS staff is responsible for the day-to-day implementation and maintenance of security controls. OTS will take reasonable steps to establish security controls while still meeting the mission of LSCS.
Information owners are the persons or groups generating information and responsible for establishing the rules for appropriate protection of information. They must align the information value with prudent control cost. They will partner with General Counsel in performing a risk assessment and information classification. Information owners are responsible for information security, for the confidentiality, integrity, and availability of the information for which they are entrusted.
Technology System Owners have responsibility for establishing the rules for appropriate use and protection of the methods of electronic information transmission. Technology System Owners collaborate with the Information Owners to meet the needs and requirements of the information classification and protection.
All users are responsible for ensuring that LSCS information assets are used only in proper pursuit of System business. Information will not be improperly disclosed, modified, or endangered; and access to LSCS information resources will not be made available to any unauthorized person. Users should be aware of and follow approved security controls. Users should comply with appropriate information security policies, procedures, and standards.
Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Section IV).
Subject to all other Board Policy requirements and laws of the State of Texas, non-compliance with the policy statements described therein must be reviewed and approved in accordance with the Policy Variance/Exception Process defined by Lone Starís Office of Technology Services.
LSCS Policy Manual Section adopted by the Board of Trustees on May 5, 2011