I. Overview
This Information Security Plan (the “Plan”) describes Atlantic Cape Community College’s safeguards to protect confidential personal information.
Confidential Personal Identifiable Information (“CPII”), for purposes of this Plan, includes the following categories of information:
- Customer Information is defined in the Gramm-Leach-Bliley Act (GLBA) to include any nonpublic personal information that the College obtains from a customer in the process of offering a financial product or service. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent or guardian when offering a financial aid package, and providing other financial services. Nonpublic personal information includes but is not limited to bank and credit card account numbers and income and credit histories, whether in paper or electronic format.
- Personal Information is defined under New Jersey law to include the person’s plus one or more of the following: Social Security number; driver’s license or state identification number; account number or credit or debit card number, in combination with any security code, access code or password that permits access to the person’s account; dissociated data that, if linked, would become PII or the means allowing access to said PII.
These safeguards are provided in order to:
- Protect the security and confidentiality of CPII
- Protect against threats or hazards to the security or integrity of CPII
- Protect against unauthorized access to or use of CPII that could result in harm or inconvenience to any person.
This Plan also provides for mechanisms to:
- Identify and assess the risks to CPII maintained by Atlantic Cape
- Develop policies and procedures to manage and control these risks
- Implement and review the Plan
- Adjust the Plan to reflect changes in technology, the sensitivity of CPII and internal or external threats to information security.
II. CPII Risk Management
Atlantic Cape recognizes the existence of both internal and external risks to the security of CPII. These risks include, but are not limited to:
- Unauthorized access of CPII by someone other than its owner
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster or otherwise
- Errors introduced into systems
- Corruption of data or systems
- Unauthorized access of CPII by employees
- Unauthorized requests for CPII
- Unauthorized access through hard copy files or reports
- Unauthorized transfer of CPII through third parties
Atlantic Cape recognizes that this may not be a complete list of the risks associated with the protection of CPII. Since technology is not static, new risks are created regularly. Accordingly, Information Technology Services (ITS) will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks.
A. Information Security Plan Coordinators
The Chief Information Officer (CIO) and the Chief Financial Officer (CFO) serve as the coordinators of this Plan. They are responsible for assessing the risks associated with maintaining and transmitting CPII and for implementing procedures to minimize those risks to Atlantic Cape.
B. Design and Implementation of Safeguards Program
- Employee Management and Training
Employees in departments that use or have access to CPII in the course of their work for the College receive training on the importance of the confidentiality of CPII, including a review of the requirements of laws such as FERPA, HIPAA, GLBA, and the New Jersey law. Employees are trained in how to avoid risks such as laptop theft, wireless snooping, phishing attacks, virus infections, and spyware. Employees are also trained in the importance of keeping passwords secure. Departments which routinely handle CPII are responsible for training their employees in controls and procedures to prevent employees from providing confidential information to unauthorized individuals. Employees are also trained how to properly dispose of documents that contain CPII. Each department responsible for maintaining CPII is instructed to take steps to protect CPII from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. These training efforts should help minimize risk and safeguard CPII security.
- Physical Security
Atlantic Cape has addressed the physical security of CPII by limiting access to only those employees who have a business reason to know such information. CPII is available only to Atlantic Cape employees with an appropriate business need for such information.
Paper documents containing CPII are kept in office file cabinets or rooms that are locked each night. Only authorized employees have access to those spaces. Storage areas holding paper documents containing CPII are kept secure at all times. No paper documents containing CPII may be removed from campus without the approval of a department manager. Paper documents that contain CPII are shredded or securely destroyed at the time of disposal.
- Information Systems
Access to CPII via the College’s computer information system is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password. Databases containing CPII, including but not limited to accounts, balances and transactional information, are available only to Atlantic Cape employees in appropriate departments and positions.
Atlantic Cape takes reasonable and appropriate steps consistent with current technological developments to make sure that all CPII in electronic form is secure and to safeguard the integrity of records in storage and during transmission. ITS runs threat detection software to identify systems that are compromised and/or infected so that it can take appropriate steps to mitigate the risk. Passwords for central software systems are required to comply with complexity rules and must be changed regularly. When technically feasible, encryption technology is utilized for transmission of CPII. All CPII stored on laptops or other portable devices must be encrypted. When personal computers are redeployed, all memory components are completely reformatted or otherwise erased before any new use.
- Responding to System Failures
Atlantic Cape maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. ITS regularly reviews network access and security policies and procedures, as well as protocols for responding to network attacks and intrusions. Any security breaches or other system failures must be reported immediately to the Chief Information Officer (CIO). The College maintains both an Incident Response Plan (IRP) and Disaster Recovery (DR) infrastructure for responding to incidents and recovery scenarios. The Information Security Plan Coordinators shall be responsible, as part of the IRP, for documenting the responsive actions taken in connection with any incident involving a breach of security, and for a mandatory post-incident review of the events and of any actions taken to change business practices relating to the protection of CPII.
C. Service Provider Oversight
Whenever the College retains a service provider that will maintain, process or have access to CPII, the College will ensure that the provider has in place an information security program sufficient to protect CPII. The College will include in its contracts with service providers having access to CPII a provision requiring the providers to have in place security measures consistent with the requirements of New Jersey law and the regulations thereunder, and to ensure that such CPII is used only for the purposes set forth in the contract.
D. Computer System Security Infrastructure
Atlantic Cape maintains a computer security system that provides, at a minimum and to the extent technically feasible:
- Secure user authentication protocols, including:
  - control of user IDs and other identifiers
  - a reasonably secure method of assigning, selecting and rotating passwords
  - control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
  - restricting access to active users and active user accounts only
  - blocking access to a user identifier after multiple unsuccessful attempts to gain access, or after the access limit set for the particular system is reached
- Secure access control measures that:
  - restrict access to records and files containing CPII to those who need such information to perform their job duties
  - assign to each person with computer access a unique identifier plus a password, which is not a vendor-supplied default password, reasonably designed to maintain the confidentiality and integrity of the access controls
- Encryption of all transmitted records and files containing CPII that will travel across public networks, and encryption of all data containing CPII to be transmitted wirelessly
- Reasonable monitoring of systems and logs for unauthorized use of or access to CPII
- Encryption of all CPII stored on laptops or other portable devices
- For files containing CPII on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the CPII
- Utilization of network segmentation for critical data with additional security controls surrounding critical data
- Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and virus definitions), and which is set to receive the most current security updates on a regular basis
- Education and training of employees on the proper use of the computer security system and the importance of CPII security.
- Email security controls such as MFA, anti-spam and anti-phishing technologies
- Formal data storage device destruction and disposal procedures
- Periodic penetration and vulnerability scanning, both internally and externally
- Implementation of all system/application changes affecting CPII through a formal Change Management process and policy
The Information Security Plan Coordinators work with the appropriate College departments to ensure that this security system infrastructure is appropriately maintained.
E. Retention of CPII
CPII will only be retained for as long as needed for the College’s reasonable business purposes, including for the purpose of complying with any state or federal law. Each department that stores CPII will annually review the CPII it has retained for the purpose of determining which information may be purged.
F. Violations of this Policy
Any employee who violates this policy shall be subject to discipline pursuant to the College’s Code of Conduct or other relevant disciplinary policy.
G. Termination of Access to CPII
Once an employee who has access to CPII concludes his/her employment, either voluntarily or involuntarily, such employee’s access to CPII shall be terminated.
H. Continuing Evaluation and Adjustment
This Plan is subject to periodic review and adjustment. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the Information Security Plan Coordinators, who may assign specific responsibility for implementation and administration as appropriate.