1.1. The Snow College Information Security Policy applies to all organizations within the College. ALL Snow College owned devices are affected by this policy unless otherwise stated. Additionally, any device that stores or has access to Snow College digital resources is affected. The principles of academic freedom and free exchange of ideas apply to this policy and are not intended to limit or restrict those principles. This policy is intended to be in accordance with federal and state laws and regulations regarding information security.
1.2. Each organization within the College must appropriately apply this policy to make certain they are meeting the requirements regarding Information Security. It is recognized that the technology at some organizations may limit immediate compliance with the policy; such instances of non-compliance must be reviewed and approved by the Information Security Office (ISO) and the Information Security Advisory Council (ISAC). Reference Section 4.19 for more information about policy exceptions.
1.3. College information technology resources are a valuable college asset and must be managed accordingly to assure their integrity, confidentiality, and availability for lawful educational purposes. This document describes the policy for use by all persons and/or organizations that have access to college data.
Note: Throughout the policy the terms, data, and information are used interchangeably. The appendices of this policy and any referenced standards are enforceable as part of the policy and are subject to change. This policy applies to mobile devices as applicable. For additional requirements pertaining to tablets and smartphones see Mobile Device Policy (12.5).
2.1. Provide policy to secure Personally Identifiable Information (PII) of college employees, students, and others affiliated with Snow College.
2.2. Help prevent the loss of information that is critical to the operation of Snow College.
2.3. Provide reasonable and appropriate procedures to assure the confidentiality, integrity, and availability of Snow College’s Information Technology Resources.
2.4. Implement and suggest mechanisms which help identify and prevent the compromise and(or) the misuse of data, applications, networks, systems, and hardware.
2.5. Define mechanisms which protect the reputation of Snow College and allow the college to satisfy its legal and ethical responsibilities with regard to its networks, systems, and data.
2.6. Provide written guidelines and procedures to manage and control information considered to be PII whether in electronic, paper, or other forms.
2.7. Assure the security and protection of PII in electronic, paper, or other forms.
All definitions are written In the context of Information Technology (IT)
3.1. IT Managed Systems - Computer hardware (including but not limited to servers, routers, switches, and access points) and software systems (including but not limited to Web hosts, customized databases, College databases, and faculty developed software for educational purposes) maintained by the IT Division and located in areas managed by IT personnel.
3.2. 3rd Party Managed Systems - Computer hardware (including but not limited to servers, routers, switches, and access points) and software systems (including but not limited to Web hosts, customized databases, College databases, and faculty developed software for educational purposes) maintained by any non - IT Division department.
3.3. Data - Data refers to any information that is stored, processed, or transmitted by a computer or network. This can include text, images, audio, video, and other types of digital content. Data is often organized and stored in databases, and can be analyzed and used for various purposes such as decision making, problem solving, and automating processes. The security and integrity of data is a critical concern in IT, and various measures such as encryption and access controls are used to protect it.
3.4. Computing Equipment - Computing equipment refers to any hardware or physical devices that are used to process, store, and transmit data. This can include a wide range of devices such as computers, servers, network equipment, storage devices, and mobile devices. Computers can include desktops, laptops, tablets, and smartphones that are used for various tasks such as data entry, communication, and multimedia. Servers are specialized computers that are used to store and manage data, and provide services such as web hosting, email, and file storage. Network equipment includes devices such as routers, switches, and firewalls that are used to manage and secure network traffic. Storage devices such as hard drives, solid-state drives (SSD), and tape drives are used to store data. Mobile devices such as smartphones and tablets are increasingly used for business purposes and are becoming a part of IT computing equipment.
3.5. Information Technology Resource (IT Resource) - An IT resource refers to any hardware, software, or service that is used to support the processing, storage, and transmission of data. Hardware resources include any physical device or equipment used to process, store, or transmit data, such as computers, servers, network equipment, storage devices, and mobile devices. Software resources include any program, application, or system used to process, store, or transmit data, such as operating systems, databases, and business applications. Service resources include any network or cloud-based service used to support the processing, storage, or transmission of data, such as web hosting, email services, and file storage services. IT resources also include people, and their roles, processes and procedures.
3.6. Kiosk - Computers located in public spaces designed to offer limited functionality with specialized hardware or software that allow anonymous access.
3.7. Computer Lab - A facility or room that is equipped with multiple computers, peripherals and other equipment for use by a group of people. Computer labs typically include a number of computers that are connected to a network and can be used for tasks such as word processing, internet browsing, and data analysis. They also include peripherals such as printers, scanners, and projectors, and may include specialized software and equipment such as graphic design software, programming languages and specialized hardware such as scientific equipment.
3.8. Mobile Device - A portable handheld electronic device that is capable of connecting to a wireless network and can perform a variety of functions, such as making phone calls, sending text messages, browsing the internet, and running various apps. Including but not limited to; tablets, e-readers, smartphones, PDAs, portable music players, smartwatches, and fitness trackers with "smart" capabilities are all mobile devices.
3.9. Portable Equipment - Laptops and other removable storage devices such as flash drives.
3.10. Public Information - Information that may be provided openly to the public.
3.11. Security - Measures taken to protect computer systems, networks, and data from unauthorized access, use, disclosure, modification, or destruction. IT security involves implementing a combination of technical, administrative, and physical controls to safeguard digital assets, prevent cyber attacks, and ensure the confidentiality, integrity, and availability of information. These controls may include firewalls, encryption, access controls, intrusion detection and prevention systems, regular software updates and patches, security awareness training, incident response plans, and disaster recovery procedures. The goal of IT security is to minimize the risk of security breaches and protect against potential threats to the confidentiality, integrity, and availability of data and systems.
3.12. Personally Identifiable Information (PII) - Any information that can be used to identify an individual, either alone or in combination with other information. PII can include a wide range of information, such as a person's name, address, telephone number, email address, Social Security number, driver's license number, financial account information, and more. Examples of PII include full name, home address, email address, telephone number, Social Security Number, driver's license, passport number, credit card numbers, bank account numbers, date of birth, fingerprints, facial recognition data, and IP address. This data would include any data protected by the Government Records Access and Management Act (GRAMA), Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA) or other laws governing the use of data or data that has been deemed as requiring protective measures. (For additional information on data classification types, reference policy 12.2 Data Classification and Handling.)
3.13. Strong Password - A password that is difficult for others to guess or crack. A strong password typically includes a combination of upper and lowercase letters, numbers, and special characters, and is at least 12 characters long. A strong password should avoid using easily guessable information, such as a person's name, address, phone number, date of birth, or common words. It should also avoid using easily guessable patterns such as consecutive numbers, or simple keyboard patterns.
3.14. User - An individual that interacts with a computer system or software to perform tasks, access resources, or utilize services owned by Snow College.
3.15. Workstation - A computer or device that is designed for use by an individual to conduct official business.
3.16. Endpoint Detection and Reponse (EDR) - Is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware. It focuses on monitoring and investigating endpoint devices, such as desktops, laptops, and servers, for potential security threats. EDR tools collect data on endpoint activity and use advanced analytics and machine learning to identify patterns and anomalies that may indicate a security breach.
3.17. Antivirus Software (anti-virus) - Is a program designed to detect, prevent, and remove malicious software, commonly referred to as malware, from a computer system. It works by scanning files and programs for known patterns of malicious code and other suspicious activity that could harm the system, and then taking appropriate action to isolate, quarantine, or remove the infected files. Antivirus software helps to protect computer systems from viruses, worms, Trojan horses, spyware, adware, and other types of malware that can cause damage, steal sensitive information, or disrupt normal system operation.
3.18. Multi-Factor Authentication (MFA) - Is a security process that requires users to provide two or more authentication factors to verify their identity before they can access a system, application, or service. These authentication factors may include something the user knows (such as a password), something the user has (such as a smart card or token), or something the user is (such as a fingerprint or face recognition). MFA is used to enhance security and protect against unauthorized access to sensitive information or systems.
3.19. HECVAT (Higher Education Cloud Vendor Assessment Tool) - A standardized questionnaire developed by the higher education community to assess the security and privacy capabilities of cloud service providers. It helps higher education institutions evaluate cloud vendors and their offerings against a common set of criteria, and provides a consistent way to communicate security and privacy requirements with vendors. The HECVAT questionnaire covers areas such as data encryption, incident response, access controls, and compliance with regulations like FERPA and HIPAA.
3.20. Default Passwords - Refers to the pre-configured, commonly known or easily guessable passwords that are set by manufacturers or vendors for various devices, software, or systems.
Information security or protection of confidential personal and internal information departments and other College units must take measures to protect PII and internal information that is used, processed, transmitted, or stored on IT resources in accordance with this policy and any additional information security rules developed by data stewards and/or ISO.
4.1. Information Confidentiality and Privacy - All users are expected to respect the confidentiality and privacy of individuals whose records they access. Users are responsible for maintaining the confidentiality of data they access or use and the consequences of any breach of confidentiality.
4.2. Handling Sensitive/Restricted Information. The unauthorized addition, modification, deletion, or disclosure of PII included in college data files is expressly forbidden.
4.3. On-site/Remote Computing Systems - All computing systems will be in compliance with this policy and college security standards regardless of whether they are on-site or remote. Any remote or third party computing systems that are unable to comply with the requirements of this policy may be required to relocate to the Snow College Data Center at the discretion of the ISAC and ISO. Cloud and other third party systems should in compliance with HECVAT requirements, unless exempted.
4.4. Personally Identifiable Information Collection - PII must only be collected for lawful and legitimate college purposes according to the requirements outlined in Utah System of Higher Education (USHE) Policy R345 – Information Technology Resource Security.
4.5. Public Information - Although there are no restrictions on disclosure of public information, the same precautions prescribed in this policy for protection of college data must be adhered to for the purpose of preventing unauthorized modification, deletion, etc. of public information.
4.6. Access Control - Access to Snow College data and its computing systems will be restricted to those users that have a legitimate business or educational need and appropriate approvals for access to such information. Users must ensure that PII is secured from unauthorized access and are responsible for safeguarding this information and related computing systems at all times through the use of strong passwords, MFA, and other secuirty measures as outlined in the Access Control Section of Appendix B.
4.7. Remote Access - Only authorized users will be permitted to remotely connect to Snow College computer systems, networks and data repositories to conduct college related business as required by the standard for secure remote access.
4.8. Physical Security - The physical security of computing resources will be accomplished utilizing current industry standards and appropriate technology and plans. Responsibility for computing systems security will reside with the IT office or the appropriate IT office specialist. See the Physical Security section of Appendix B for specific requirements.
4.9. Data Security -Users will ensure sensitive and PII are secure and the integrity of records is safeguarded in storage and transmission. Users who handle PII are responsible for the proper handling of this data while under their control. Refer to the Data Security section of Appendix B for specific Data Security Requirements.
4.10. Backup and Recovery - Administrators of computing systems will backup essential data according to a documented disaster recovery plan consistent with industry standards and store such data at a secure commercial site. 3rd party computing systems will have available, at a minimum, a documented disaster recovery plan covering backup procedures, timelines, storage locations/procedures, and recovery.
4.11. Security Incident Response and Handling - All suspected or actual security breaches of college or departmental system(s) will be reported immediately to the organization’s data security steward who will consult with the ISO to assess the level of threat and/or liability posed to the college or affected individuals and respond according to incident response guidelines. Snow College will report and/or publicize unauthorized information disclosures as required by law or specific industry requirements.
4.12. Service Providers - Service providers who design, implement, and(or) maintain systems, services, or data must provide contractual assurance that they will protect Snow College’s PII according to the appropriate standards. Such contracts must be reviewed by Snow College legal counsel for appropriate terminology regarding use and protection of PII and sensitive data.
4.13. Training and Awareness - Each new employee will be trained on the IT Technology Acceptable Use Policy and College Information Security Policy as they relate to individual job responsibilities. Such training will include information regarding controls and procedures to prevent employees from putting Snow college at risk. All employees will be required to complete additional security training when necessary.
4.14. Computer Labs- Snow College provides computing lab resources for utilization in legitimate and lawful academic endeavors. Computing equipment in these labs will conform to all requirements of this policy with the addition of requirements stated in the Computing Lab Section of Appendix B.
4.15. Software - Only approved and properly licensed software may be installed on college computer systems.
4.16. Antivirus and EDR - All devices that connect to Snow College's privileged or employee networks will have Antivirus and EDR installed.
4.16. Penalties and Enforcement - Penalties and enforcement of this policy will be in accordance with College policies. Appropriate disciplinary and/or legal action will be taken when warranted in any area involving violations of this policy.
4.18. Multi-Factor Authentication - MFA is required on all accounts, systems, and services where authentication is required, unless exempted.
4.19. Email - PII and other sensitive data should not be stored or transmitted via email, email is not a secure medium and can be vulnerable to interception and unauthorized access. This includes, but is not limited to passwords, Social Security numbers (SSNs), credit card numbers, financial account information, health information, and other types of confidential data. It is important to use secure methods of transmission, such as encrypted file sharing or secure messaging platforms, when handling sensitive information to protect against potential data breaches or cyber attacks.
4.20. Default Passwords - Default passwords for all systems and services should be changed on initial configuration, including printers and OIT devices.
4.21. Policy Review and Revision -
4.22. Policy Clarification - For clarification or further information on any items in this policy, the user is encouraged to contact the ISO, their data security steward or a member of the ISAC.
4.23. Exceptions to Policy - Any Snow College asset, user, service, etc that is unable to comply with this policy must file an exception. Exceptions to this policy must be approved by the ISO based on academic or business need and reviewed by the ISAC. The ISO will review exceptions annually for continued application and notify the exception holder of any concerns.
4.24. Additional Policies - Users should be aware that there are additional policies from other governing bodies that affect information security on campus and are outside of Snow College’s Policy and Procedures Manual. Users should be familiar with the policies listed below and ensure their security practices are in adherence to these policies at all times.
4.24.1. Board of Regents (BOR) R345 - Information Technology Resource Security
The security policy applies to all forms of data, both paper-based and electronic, that are processed, maintained, or transmitted by the computer systems owned or operated by Snow College. This includes, but is not limited to, data that is defined by law or policy as personally identifiable information (PII) or sensitive. All individuals and organizations with access to Snow College systems and data are subject to this policy. This policy covers data that is considered sensitive due to its confidentiality, integrity, or availability requirements. Sensitive data includes, but is not limited to, PII, financial information, proprietary information, and other information that requires protection to maintain the privacy and security of individuals, the organization, and its partners and customers. The policy outlines the procedures and guidelines for the storage, access, and transmission of sensitive and confidential information, including the appropriate use of encryption and access controls. The policy also specifies the requirements for backup and recovery of data and the secure disposal of information that is no longer needed. (need to reference this below). The policy applies to all employees, contractors, and third-party individuals who have access to Snow College systems and data, including those who work remotely or use personal devices to access college data.
The persons responsible for implementing this policy and their respective duties and/or responsibilities with respect to this policy are described here
College Deans/Managers/Supervisors - These individuals shall be responsible for oversight of their employees’ authorized use and access to College data in their areas of supervision. They will:
• Ensure that the management and control of risks outlined in this policy are adhered to by employees in their unit.
• Ensure employees’ access to data is appropriate.
• Regularly review and document employee access to senistive data.
• Provide employees with resources and methods to properly secure equipment where data is processed and(or) stored.
• Provide employees with approved resources and methods for external data storage.
Employees, including department chairs, faculty, staff, and student workers - These individuals:
• Shall not disclose PII to unauthorized individuals.
• Shall not modify or delete college data unless authorized.
• Shall maintain data in a secure manner.
• Shall complete the employee/student confidentiality training.
• Shall be required to sign a college confidentiality/FERPA agreement before access is granted to PII.
• Shall complete specific confidentiality training if they have job related responsibilities that require access to PII.
Information Security Advisory Council – A group of individuals appointed by the President to review and evaluate College security issues such as:
• Current practices and the associated risks to the institution.
• Actions needed to address those risks through appropriate policy and associated guidelines.
• Identify new processes that are needed.
• Implement new security standards as needed.
• Disseminate general guidelines related to security to the appropriate IT specialists.
• Function as the incident response team.
• Responsible for immediate response to any breach of security.
• Responsible for determining preventative measures and processes that are developed as a result of responding to and resolving security breaches or other resources.
• Report findings and recommendations regarding the incident to data stewards and College administration.
Information Security Office – This office, within the Business and Finance Division will:
• Assist the campus in identifying internal and external risks to the security and confidentiality of information.
• Provide guidance for handling college data in the custody of the college.
• Provide guidance for the security of all assets where data is processed and/or maintained.
• Promote and encourage good security procedures and practices.
• Develop and maintain Information security policy, plans, procedures, strategies, and best practices.
• Assist institutional or third-party auditors in the analysis of Snow College information assets and IT resources to further ensure policy compliance.
• Provide standards and guidelines consistent with college policies.
• Develop and provide information security training.
Internal Auditor – Internal auditor will:
• Evaluate the effectiveness of the current safeguards for controlling security risks.
• Provide recommendations for revisions to this policy as appropriate.
• Develop and perform random audits of departments and individuals as deemed necessary.
• Automatic logins may only be enabled on kiosks and digital signage. These are limited access accounts specifically designed for this purpose.
• PII, electronic or paper, must not be left in an accessible location to prevent unauthorized viewing and must be secured when unattended.
• All users must have their own user name and use a strong password. The sharing of user names and passwords is not allowed.
• Passwords of standard college accounts, will automatically expire and require change after 2 years, unless the password meets the requirements for different expiration criteria.
• College account access will automatically lock after 5 failed attempts. Accounts will automatically unlock after 5 minutes of inactive attempts.
• Passwords used for College access must not be the same as passwords used for personal accounts (banks, personal email, and credit cards).
• Passwords must not be placed in emails.
• First-time passwords for new users must be set to a unique value for each user and changed after first use.
• Passwords must not be written down in a visible or accessible location.
• Periodic user access reviews should be conducted by the organization’s supervisor and any unnecessary user access should be reported to IT Division and Human Resources and removed immediately.
• All workstations and lab computers must have a form of auto-lock feature enabled that requires a password to resume and set to activate at no more than an idle time of 20 minutes.
• Workstations visible to or accessible by anyone other than the authorized user must be manually locked when left unattended.
• At a minimum, users shall comply with generally accepted Snow College procedures to protect physical areas that contain college information.
• Individual organizations/departments within the college are responsible for physical security for personal computers and other local electronic information resources, including portable equipment, housed within their immediate work area or under their control.
• PII on portable equipment will be stored for the duration of business use only and the device storing the data will be encrypted. Example: USB and laptop devices.
• All College-owned computing equipment must be documented and managed in a college approved database or by property control.
• All computing systems must install the approved management policy framework, this includes but is not limited to, antivirus and EDR, software, and administrator access.
• PII data may only be stored on personal computers, servers or other computing equipment if the requirements outlined in USHE Policy R345, Information Technology Resource Security, are adhered to.
• Email security systems will scan all inbound messages to check for malicious emails and atttachments.
• All servers and endpoints must be approved and hardened with the IT Division before they will be allowed to transmit, proccess, or store Snow College data.
• Encryption technology will be utilized for mobile devices, such as laptops that are not in a locked room, for the storage and transmission of PII. Encyrption of data on critical servers systems when at rest will be implemented whenever possible, such as banner.
• All transmission of PII via the Internet must be through a properly secured connection point to ensure the network is protected.
• All workstations and kiosks connected to the Internet will have a vendor supported version of the operating system installed with the option enabled to automatically download and install software updates or must utilize administrator managed patch management software.
• The file and printer sharing firewall exception must be disabled on all kiosks, workstations, and lab computers.
• All computer labs will not store user profile information and include a process to remove this information on a scheduled basis. This will minimize the possibility of sensitive information being accessible by unauthorized users and minimize security issues assoicated with public computer labs.
