VIII.A. Information Security
VIII.A.1. Information Security Policy
The Lone Star College System is committed to preserving the security, confidentiality, integrity and availability of all forms of information used and maintained on behalf of faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals consistent with Lone Star College System’s mission. Improper disclosure, modification, or destruction of information may result in harm to the operation of LSCS in support of its mission. As a result, specific procedures will be developed to help administer and manage the storage, processing and use of computer-based information. This Board Policy Section VIII is in addition to all other provisions within the Board Policy Manual relating to Information Security and the storage, processing and use of computer-based information; and this Section VIII shall take precedence in the event of any conflict or omission.
Information security is in part a risk management discipline addressing the preservation of information confidentiality, integrity and availability. All information is identified, valued, assessed for risk and protected as appropriate to the needs of LSCS. The information security effort is established via a hierarchical set of industry best practices and frameworks (e.g. ISO 27002) that help users and administrators to define and mitigate risks, maintaining a trade-off between information value and the cost of risk mitigation.
VIII.A.1.01 Policy Objective
This policy presents the philosophy for information security within the Lone Star College System (LSCS, referred to as “the System”). It defines the fundamental requirement for the acceptable use and security in the transmission of all LSCS information.
VIII.A.1.02 Policy Statement
LSCS values the ability to openly communicate and share information. LSCS information (whether belonging directly to LSCS or held in trust on behalf of its students or employees) must be safeguarded. Any person or organization that provides or uses LSCS information, or Information Technology (IT) assets within LSCS, has the individual and continual responsibility to maintain the confidentiality, integrity, and availability of this information. As such, all LSCS information users are required to abide by this policy and subsequent procedures and standards, as a condition for being granted access. Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Section IV).
VIII.A.1.03 Scope of Policy
The Policy covers all information and electronic methods in the transmission of information that are owned or leased by LSCS. The methods of transmission may include but are not limited to:
- Electronic Media;
- Social Media;
- Desktop and Laptop Computers;
- Network Infrastructure;
- Fax Machines;
- Printers; and
- Mobile Computing Devices such as PDAs, smart phone devices, etc.
VIII.A.1.04 Policy Applicability
This policy applies to all individuals and processes that access, view, use, or control LSCS information. Those individuals covered include, but are not limited to faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals consistent with Lone Star College System’s mission.
- Information - a definable piece of information, stored in any manner which is recognized as 'valuable' to the organization.
- Information Owner - the person or group generating information and responsible for establishing the rules for appropriate use and protection of information.
- Technology System Owner – the person or group responsible for establishing the rules for appropriate use and protection of the methods of Information transmission.
- User - the person accessing information for the purposes of generating, sending, receiving, storing, viewing, controlling, managing, or otherwise processing the content of the information.
- Health Insurance Portability and Accountability Act (HIPAA) - This federal act sets standards for protecting the privacy of patients' health information.
- Family Educational Rights and Privacy Act (FERPA) - federal law that protects the privacy of student education records.
- Gramm-Leach-Bliley Act (GLBA) - federal law that imposes restrictions on the disclosure of consumers' personal financial information.
- Social media - online services that enable individuals to share information through social interaction and networking.
VIII.A.2. Use of Computer Systems
The LSCS Board of Trustees reconfirms its commitment to the free and unfettered exchange of ideas that is the hallmark of an institution of higher education and the rights of employees and students to access, debate, disagree and discuss all educational materials without respect to the popularity or controversial nature of the ideas conveyed.
VIII.A.2.01 Policy Statement
Using LSCS’s electronic assets for abusive, unethical, or inappropriate purposes will not be tolerated and may be considered grounds for disciplinary action, including but not limited to termination of any and all access without prior notice.
VIII.A.2.02 System Property
LSCS provides Information Technology resources for the use of students, employees and others affiliated with the System for educational or System-related activities and to facilitate the efficient exchange of useful information. LSCS affiliates include, but are not limited to, all university, K-12 dual credit or other students and employees associated with or enrolled in programs delivered by these entities. As set forth within this Section VIII Information Security Policy, students, employees and LSCS affiliates may use the IT resources provided by LSCS including, but not limited to, computers, hardware devices, software packages, electronic mail (e-mail), and the LSCS network and software. All users are expected to conduct themselves in compliance with all policies of LSCS and relevant laws of the United States and Texas, and to observe the same high ethical and professional standards when communicating through computing resources as are required in face-to-face or other written communications.
VIII.A.2.03 Email Privileges
Access to LSCS Information Technology (i.e. networks, computer labs, internet and electronic mail) is a privilege that is extended to current employees, students and former LSCS retired employees that are in good standing. Email services may be revoked with the termination of employment or may end with the failure to re-enroll in an LSCS educational program. LSCS email accounts will be issued only to those identified within this Section 2.3. LSCS reserves the right to access the E-mail system to engage in routine computer maintenance and housekeeping, to carry out internal investigations, to prepare responses to requests for public information or to disclose messages, data or files to law enforcement authorities, or for any other legitimate purposes of the System.
LSCS cannot guarantee the privacy or confidentiality of electronic documents, and any messages or information. A person that requires the assurance that such information is not disclosed to unauthorized entities or process, or by law, should not communicate over unsecured shared networks and/or by the E-mail system.
All access to networked systems must be logged. When determined to be critical to LSCS, the logging of transactions must be included regardless of the operating platform. Log data must be classified as sensitive. These logs must be retrievable through clearly defined procedures and must be maintained for time periods prescribed for audit, legal, and recovery purposes. As new applications, platforms, mediums, or other technical changes to system operations are made - and if practical and/or technically affordable - consideration of logging requirements and availability must be made. Requirements for logging data must be clearly established as system, architectural, technical, or network designs.
Messages sent as electronic mail should meet the same standards for distribution, display, and retention as if they were tangible documents or instruments. As with all records maintained by LSCS, and to the extent required by law, files saved as LSCS information, including e-mail, may be subject to public disclosure in response to a public information request.
VIII.A.2.07 Prohibited Use
The following conduct by users of LSCS information technology resources will be treated as a violation of this policy and may subject the user to discipline, including loss of computing privileges, up to and including termination for an LSCS employee and dismissal for a student:
- Anonymous or forged e-mail messages;
- Unauthorized attempts to access another person's e-mail or similar electronic communications or to use another's name, or e-mail address, or to send unauthorized e-mail or similar electronic communications;
- Use of System e-mail or any other method for information transmission owned by LSCS for commercial purposes or personal financial gain;
- Attempted or actual access to any restricted computing resource without authorization;
- The transmission of copyrighted materials without the written permission of the author or creator through System e-mail or any other method for information transmission in violation of U.S. copyright law (See Board Policy Manual, Section IV);
- Use of System email or any other method for information transmission in a manner that disrupts the work or educational mission such as improper access and use of System global email address lists and other messaging;
- Use of LSCS computing resources to store, download, upload, display, print or e-mail computer images that constitute "obscene materials" as defined by Texas Penal Code §43.21 et seq., as amended, regardless of whether such information is related to or required for a specific educational course or research directly related to an educational program;
- The display or transmission of messages, images, cartoons or other messages or images that are sexually explicit or that demean a person on the basis of race, ethnicity, gender, national origin, disability, religion or sexual orientation may constitute prohibited harassment (See Board Policy Manual, Section IV F.4);
- The uploading or downloading of unauthorized materials to or from any System server;
- The sharing of an account, password or other means of authentication that was provided to permit access to restricted computing resources; and
- Attempted or actual access to compromise any LSCS or external computer resource via unauthorized access and/or in an unauthorized manner.
VIII.A.2.08 Overloading of Computer Resources
Nothing in this policy shall prohibit LSCS or college system operators from intercepting and stopping e-mail messages, other computer programs, or websites, which have the capacity to overload any computer resource. Overloading of computer resources is defined as the use of computational resources, such as bandwidth, disk space, or CPU time that adversely impact LSCS information assets. Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Section IV).
LSCS Policy Manual Section VIII.A.2.08 Social Media removed by Board of Trustees on June 7, 2012
VIII.A.3. Requirements to Safeguard Information
VIII.A.3.01 Policy Statement
It is the responsibility of all employees and students to take reasonable steps to implement information security via appropriate procedures and controls.
VIII.A.3.02 Security Responsibilities
- Legal, regulatory and contractual requirements are followed by LSCS.
- Users are responsible for upholding the confidentiality and integrity of all information when in their control. Users are prohibited from accessing, copying, altering, or destroying anyone else’s information without proper authorization.
- OTS is responsible for the creation of security controls, and procedures that appropriately and reasonably prevent, detect, contain, and identify risks to the confidentiality, integrity and availability of information.
- Users are individually responsible and accountable for any use of their account and password. Uniquely identifiable information (i.e. passwords) should not be shared under any circumstances.
- Users may not run or otherwise configure software or hardware to intentionally allow access to any LSCS information resources by unauthorized users.
- Users may have access to privileged information that must be protected. In receiving access to this information, users accept responsibility to protect the information access used on all information systems.
VIII.A.3.03 Attempts to Circumvent Security
Users are prohibited from attempting to circumvent or subvert LSCS information system’s security measures. This does not preclude the use of security tools by appropriately authorized personnel. While the following list provides examples of disallowed practices, it is not a comprehensive list and is intended to only provide examples:
- Password decrypting or cracking tools;
- Denial of Service (DoS) or distributed denial of service (DDoS);
- Harmful activities (e.g. IP spoofing, port scanning, disrupting services, damaging files, or intentional destruction of or damage to equipment, software, or data);
- Unauthorized access (e.g. using another user's account, using a special purpose account, escalating their own privileges);
- Unauthorized monitoring (e.g. keyboard logging, network packet capturing).
VIII.A.3.04 Business Continuity & Disaster Recovery
Disaster Recovery (DR) is comprised of plans and activities designed to recover technical infrastructure and restore critical business applications to an acceptable condition. DR is a component of Business Continuity Planning (BCP), which is the process of ensuring that essential business functions continue to operate during and after a disaster. LSCS OTS shall be responsible for the System Disaster Recovery. Business Continuity Plans must be developed with requirements based on the specific risks associated with the process or system. All staff must be made aware of the Business Continuity Plan and their own respective roles. Each Lone Star College and each Lone Star College System administrative unit shall be responsible for their respective Business Continuity Plans. A formal process for developing disaster recovery plans must be established and aligned with the Business Continuity Planning requirements.
VIII.A.3.05 Incident Response
Incident Response is a predefined process to establish information security requirements for response to unplanned computer system events, including network intrusions, denial of service, computer virus outbreaks, and other outages that negatively impact the availability of LSCS systems, applications, and/or information assets. Information security incident response procedures must include, but are not limited to, the following:
- Specific roles and responsibilities;
- Key contact information; and
- High-level guidelines for investigating, documenting and reporting security incidents.
VIII.A.3.06 Third Party Access
Access to LSCS information systems by third party vendors (i.e. contractors, partners, vendors, lessees) requires appropriate controls to protect LSCS information assets. All third parties that have access to LSCS information assets must comply with LSCS information security policies and may be required to show proof of such compliance at any time.
VIII.A.3.07 Security Audits
Periodic reviews and revisions of security controls, policies, and procedures will be conducted by authorized LSCS officers, auditors or by a contracted independent third party. Additionally, periodic risk assessments of information technology systems and processes will be conducted to ensure that evolving risks are being appropriately addressed.
VIII.A.3.08 Information Security Training and Awareness
VIII.A.3.08.1 Information Security Awareness
Ongoing security awareness for faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals consistent with Lone Star College System’s mission on established security policies and procedures will be conducted. Security awareness refers to communicating security concepts in a variety of ways in order to make the above referenced individuals, groups and entities as a whole more security-aware.
VIII.A.3.08.2 Information Security Training
With assistance of LSCS OTS, Human Resources will ensure that all employees receive information security training. Human Resources will require that all employees certify security training they received and shall maintain records to indicate the status of employee security training. Security training refers to specific training activities and accompanying materials in protecting LSCS information resources and in teaching employees about security as it applies to their job.
VIII.A.4. Protection of Confidential Information
It is the policy of the Lone Star College System to ensure that there are guidelines, safeguards, and controls in place to effectively manage and protect confidential information in accordance with applicable laws, regulations, and best practices. Such confidential information includes, but is not limited to, social security numbers, educational records as defined by the Family Educational Rights and Privacy Act ("FERPA"), health care information as defined by the Health Insurance Portability and Accountability Act ("HIPAA"), and customer information as defined by the Gramm-Leach-Bliley Act ("GLB Act").
- The General Counsel will serve as the Privacy Officer for the System.
- The Privacy Officer's duties include the issuing of guidelines with regard to the use of social security numbers, educational records, health care information, customer information, and other confidential information.
- The guidelines will be issued by the Privacy Officer to help ensure that:
  - The release, use, display, transmission, and retention of social security numbers are only allowed if permitted by law;
  - Information that is considered an educational record (as defined by FERPA) will only be disclosed to someone other than an "eligible student" or an "eligible parent" with the consent of the student or as otherwise authorized by law;
  - The use, receipt, or transmission of an individual's health care information (as defined by HIPAA) is allowed only as permitted by law;
  - Customer information (as defined by the GLB Act), including financial information, which is collected or maintained, will be safeguarded as required by law; and
  - The use and/or release of any other information determined by the Privacy Officer to be confidential is allowed only as required by and consistent with applicable law.
- No person having access to confidential information shall disclose confidential information in any manner except as established in the guidelines issued by the Privacy Officer.
- It is the responsibility of each Lone Star College and each Lone Star College System administrative unit to adhere to the guidelines that are issued by the Privacy Officer.
- The Privacy Officer will revise its guidelines whenever necessary to conform to changes in applicable law or regulations.
- Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Sections IV and VI).
VIII.A.5. Roles and Responsibilities
VIII.A.5.01 Board of Trustees
The Board of Trustees is accountable for information systems security and must ensure governance/compliance with security policies, standards, and procedures are established throughout LSCS.
VIII.A.5.02 Security Management
The Chancellor, or designee, will serve as the Information Security Officer (ISO). The ISO is responsible for assisting in governance, policy creation, identifying roles and responsibilities, risk assessment, awareness, and communication of the information security program. The ISO is responsible for establishing the strategies for implementing and enforcing security policies and for advising on security-related issues.
VIII.A.5.03 Security Policy and Compliance Governance
Security Policy and Compliance Governance is provided by a multi-disciplinary group that reviews and endorses information security policy objectives and strategies. They agree to the roles and responsibilities for information security across the System as defined in specific procedures. They promote and provide support for information security initiatives throughout the System. The governance is led by executive management and includes representatives from:
- Office of Technology Services;
- Office of General Counsel;
- Policy Review Committee;
- SysTAC (System-wide Technology Advisory Council);
- Internal Audit; and
- Human Resources.
VIII.A.5.04 Security Operations
Security Operations translates security policies into technical requirements, standards, and solutions. They are responsible for tactical and security administration of the infrastructure and defining processes for implementing new policies. This may include the implementation and maintenance of technical controls such as firewalls, intrusion detection systems, anti-virus solutions, and network/host-based monitoring solutions. The OTS staff is responsible for the day-to-day implementation and maintenance of security controls. OTS will take reasonable steps to establish security controls while still meeting the mission of LSCS.
VIII.A.5.05 Information Owners
Information owners are the persons or groups generating information and responsible for establishing the rules for appropriate protection of information. They must align the information value with prudent control cost. They will partner with General Counsel in performing a risk assessment and information classification. Information owners are responsible for information security, for the confidentiality, integrity, and availability of the information for which they are entrusted.
VIII.A.5.06 Technology System Owners
Technology System Owners have responsibility for establishing the rules for appropriate use and protection of the methods of electronic information transmission. Technology System Owners collaborate with the Information Owners to meet the needs and requirements of the information classification and protection.
All users are responsible for ensuring that LSCS information assets are used only in proper pursuit of System business. Information will not be improperly disclosed, modified, or endangered; and access to LSCS information resources will not be made available to any unauthorized person. Users should be aware of and follow approved security controls. Users should comply with appropriate information security policies, procedures, and standards.
VIII.6. Compliance
Compliance with this Policy is continual and unconditional. Any person within the scope of this policy that believes that a violation of information system policy is occurring is required to immediately notify their immediate manager or OTS of the policy violation.
Violation of this policy may result in immediate and unconditional termination of any or all access without prior notice and the user may be subject to disciplinary actions under Board Policy Sections IV and VI and prosecution under applicable statutes. (See Policy Section IV).
VIII.8. Policy Variance/Exception
Subject to all other Board Policy requirements and laws of the State of Texas, non-compliance with the policy statements described therein must be reviewed and approved in accordance with the Policy Variance/Exception Process defined by Lone Star’s Office of Technology Services.
LSCS Policy Manual Section adopted by the Board of Trustees on May 5, 2011