The College preserves Information security, confidentiality, integrity, and availability. The College employs a risk management philosophy that ensures all Information is identified, valued, assessed for risk, and protected, consistent with the College’s needs. Improper Information disclosure, modification, or destruction may harm the College’s mission-supporting operations. The College therefore engages a hierarchical set of industry best practices and frameworks that help users and administrators define and mitigate risks, maintaining a trade-off between information value and the cost of risk mitigation.
Users are responsible for acceptable use. All users must abide by the College’s Information policies, procedures, and standards as a condition of access. Failure to do so may result in immediate and unconditional complete or partial access termination, without prior notice. The user may be subject to disciplinary actions and/or criminal prosecution, where applicable. Section VIII controls as regards Information security, confidentiality, integrity, and availability.
This Section covers all Information transmitted using the College’s resources. Transmission methods include the following non-exhaustive list: electronic media; social media; desktop and laptop computers; servers; network infrastructure; telephones; facsimiles; printers; and mobile computing devices. This policy applies to all individuals and processes that access, view, use, or control College Information. Covered individuals include, but are not limited to, faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals using College resources.
The College prohibits Users from engaging in the following when using College resources:
The Office of Technology Services (OTS) creates security controls and procedures that appropriately and reasonably prevent, detect, contain, and identify risks to Information confidentiality, integrity, and availability. Users, however, are also responsible for protecting the College’s Information.
Specific Responsibilities. (1) Users must uphold the confidentiality and integrity of all Information in their control; (2) Users are prohibited from accessing, copying, altering, or destroying anyone else’s information without proper authorization; (3) Users are individually responsible and accountable for any use of their account and password; (4) uniquely identifiable information (i.e., passwords) should not be shared under any circumstances; (5) Users cannot run, or otherwise configure, software or hardware that intentionally allows unauthorized access to College Information resources; (6) any IT System created within the College environment must be reviewed by the College’s Information Security Officer (ISO) for security standards and data classification ranking, and by OTS Technical Service for hardware requirements, capacity planning, and ongoing support of the hardware and application.
Access to College Email is a privilege, not a right, generally extended to current employees, students, and retired former College employees who are in good standing. Email services may be revoked when employment ends, during administrative leave, for violating policies or procedures, or upon failure to re-enroll in a College educational program. The College may access the email system to engage in routine computer maintenance and housekeeping, carry out internal investigations, prepare responses to requests for public information, disclose messages, data, or files to law enforcement authorities, or for any other legitimate business purpose.
All access to networked systems must be logged. When determined to be critical to the College, transaction logging must be included regardless of the operating platform. Log data must be classified as sensitive. These logs must be retrievable through clearly defined procedures and must be maintained for time periods prescribed for audit, legal, and recovery purposes. As new applications, platforms, mediums, or other technical changes to system operations are made, and if practical and/or technically affordable, logging requirements and availability must be considered. Requirements for logging data must be clearly established as system, architectural, technical, or network designs.
The Chancellor, or designee, serves as the Information Security Officer (ISO). The ISO is responsible for assisting in governance, creating procedures, identifying roles and responsibilities, risk assessment, awareness, and communicating the Information security program. The ISO, through the Office of Technology Services, is responsible for establishing strategies for implementing and enforcing security policies and for advising on security-related issues.
OTS has a process for variances and exceptions.
The College’s Chief Information Security Officer may effectuate this Policy via Chancellor Procedures.
LSCS Policy Manual Section adopted by the Board of Trustees on November 1, 2018