Information Technology Services Policy


PURPOSE

This policy provides the expectations and guidelines of Hudson County Community College (“College”) to all who use and manage the College’s Information Technology Services and Resources (“ITS Resources”).

The College provides ITS Resources to advance the College’s educational, service, business, and student success objectives. Any access or use of the College’s ITS Resources that interferes, interrupts, or conflicts with these purposes will be considered a violation of this policy, and violators will be subject to consequences, including revocation of ITS access.

POLICY

This policy applies to all members of the College community, including faculty, students, administrators, staff, alumni, authorized guests, and independent contractors who use, access, or otherwise employ, locally or remotely, the College’s ITS Resources, whether individually controlled, shared, stand-alone, or networked.

The Board delegates to the President the responsibility to develop procedures and guidelines for the implementation of this policy. The Information Technology Services and Finance Office will be responsible for implementing the policy.

Approved: June 2021
Approved by: Board of Trustees
Category: Information Technology Services
Scheduled for Review: June 2024
Responsible Office(s): Information Technology Services and Finance Office


Procedures

Acceptable Use for Information Technology Systems Procedure

Introduction

This procedure aims to ensure that the College’s Information Technology Systems (ITS) are used to further the College’s mission. This procedure conforms to the HCCC Information Technology Services Policy approved by the HCCC Board of Trustees.

Applicability

This procedure applies to all individual users accessing and using computing, networking, and information resources through any College facility. These users include all Hudson County Community College staff, faculty, administrators, and other persons hired or retained to perform College work.

This procedure covers all of the College’s Information Technology Systems, including computing, networking, and other information technology resources owned or operated by, procured through, or contracted by the College. Such resources include the College’s computing and networking systems (including those connected to the College’s telecommunications infrastructure, the College-wide backbones, local area networks, and the Internet), public-access sites, shared computer systems, desktop computers, mobile devices, other computer hardware, software, databases stored on or accessible through the network, ITS/Enterprise Applications facilities, and communications systems and services.

Accountability

The Chief Information Officer (CIO) and Directors/Managers of ITS/Enterprise Applications shall implement this procedure. User reports of suspected abuse and other complaints shall be directed to the CIO. The CIO shall report the incident to the Vice President for Business and Finance/CFO. Specifics of the procedure are outlined below under “Non-compliance and Sanctions.”

Privacy

The College places a high value on privacy and recognizes its critical importance in an academic setting. In limited circumstances, including but not limited to technical issues or failures, law enforcement requests, or government regulations, the College may determine that other interests outweigh the value of a user’s privacy expectation. Only then will the College access relevant IT Systems without the consent of the user. The College is committed to protecting user privacy as long as this does not compromise institutional resources. Circumstances under which the College may need to gain access are discussed below. Procedural safeguards have been established to ensure access is attained only when appropriate.

Conditions – In accordance with state and federal law, the College may access all aspects of IT Systems, without the consent of the user, in the following circumstances:

      1. When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the College’s IT Systems;
      2. When required by federal, state, or local law or administrative rules; 
      3. When there are reasonable grounds to believe that a violation of law or a significant breach of College policy or procedure may have taken place, and access and inspection or monitoring may produce evidence related to the misconduct;
      4. When such access to IT/Enterprise Applications Systems is required to carry out essential business functions of the College; and,
      5. When required to preserve public health and safety.

Under the New Jersey Open Public Records Act, the College reserves the right to access and disclose data. This disclosure may include messages, data, files, and email backups or archives. Disclosure to law enforcement authorities and others shall be made as required by law, to respond to legal process, and to fulfill the College’s obligations to third parties. Even deleted email is subject to legal discovery during litigation, through message archives, backup tapes, and undeleted messages.

Process – The College will access data without the consent of the user only with the approval of the CIO and the Vice President for Business and Finance/CFO. This approval step will be bypassed only when emergency data access is necessary to preserve the integrity of facilities or to preserve public health and safety. The College, through the CIO, will log all instances of access without consent. A user will be notified of College access to relevant IT Systems without consent; depending on the circumstances, such notification will occur before, during, or after the access, at the College’s discretion.

General Principles

  1. Access to information technology is vital to the College’s mission of providing its students with the highest quality educational services.
  2. The College owns its computing, networking, and other communications systems.
  3. The College also has various license-related rights to the software and information residing on or developed on these computers and networks. The College has the responsibility for the security, integrity, maintenance, and confidentiality of its communication systems.
  4. The College’s IT Systems exist to support staff, faculty, administrators, consultants, and students as they carry out the mission of the College. Toward these ends, the College encourages and promotes the use of these resources by the College community for their intended purposes. Access to and use of these resources outside of the College’s mission is subject to regulation and restriction to ensure that they do not interfere with legitimate work. Access and use of resources and services that interfere with the College’s mission and goals are prohibited.
  5. When the demand for information technology resources exceeds available capacity, ITS establishes priorities for allocating the resources. ITS gives a higher priority to activities essential to the mission of the College. In conjunction with the Chief Information Officer, the Vice Presidents shall recommend these priorities to the President.
  6. The College has the authority to control or refuse access to anyone who violates this procedure. Threatening the rights of other users, or the availability and integrity of systems and information, is a violation of this procedure. Consequences of a violation include deactivating accounts, access codes, or security clearances; stopping processes; deleting affected files; and disabling access to information technology resources.

Rights of Users

  1. Privacy and confidentiality: As described more fully in the Privacy section above, the College will generally respect users’ rights to privacy and confidentiality. However, by their technological nature, electronic communications, especially email connected to the Internet, may not be secure from unauthorized access, viewing, or infringement. Although the College employs technologies to secure electronic messages, the confidentiality of email and other electronic documents cannot always be assured. Therefore, good judgment dictates crafting electronic documents that could become public without embarrassment or harm.
  2. Safety: The use by College faculty, staff, or administrators of the College’s IT Systems to transmit threatening, harassing, or offensive communication (or the display of offensive images or materials) is a violation of College procedure and may subject the violator to severe sanction. College personnel should report threatening, harassing, or offensive communications received over the network to the CIO as soon as possible.

Responsibilities of Users

  1. Individuals with access to the College’s computing, networking, and information resources are responsible for using them professionally, ethically, and legally and consistently with all applicable College policies. Users must take reasonable and necessary measures to safeguard the operational integrity and accessibility of the College’s systems. Users should maintain an academic and work environment conducive to efficiently and productively carrying out the College’s mission. Specifically, the responsibilities of users include:
      1. Respecting the rights of others, including their rights to intellectual property, privacy, and freedom from harassment;
      2. Safeguarding the confidentiality of sensitive College information and the privacy of student information following FERPA and College policy and procedures;
      3. Using systems and resources so as not to interfere with or disrupt the College’s normal daily operations;
      4. Protecting the security and the integrity of information stored on College IT/Enterprise Applications Systems;
      5. Knowing and obeying College and unit-specific policies and procedures governing access to, and use of, College IT Systems and information on those systems.

Specific Proscriptions on Network Use

  1. Individuals may not share passwords or log-in IDs, or otherwise give others access to any system, unless they are the individual responsible for that data or system. Users are responsible for any activity conducted with their computer accounts and for the security of their passwords. Only authorized persons may use the College’s IT/Enterprise Applications Systems.
  2. Individuals may not use another person’s network account or attempt to obtain passwords or access codes to another’s network account to send or receive messages.
  3. Individuals must identify themselves and their affiliation accurately and appropriately in electronic communications. They may not disguise the identity of the network account assigned to them or represent themselves as someone else.
  4. Individuals may not use the College’s systems to harass, intimidate, threaten or insult others; to interfere with another’s work or education; to create an intimidating, hostile, or offensive working or learning environment; or to conduct illegal or unethical activities, including plagiarism and invasion of privacy.
  5. Individuals may not use the College’s systems to gain or attempt to gain unauthorized access to remote networks or computer systems.
  6. Individuals may not deliberately disrupt the normal operations of the College’s computers, workstations, terminals, peripherals, or networks.
  7. Individuals may not run or install programs on any College computer system that may damage the College’s data and systems (e.g., computer viruses, personal programs). Users must not use the College’s network to disrupt external systems. If a user suspects that a program they intend to install or use may cause such an effect, they must first consult with ITS/Enterprise Applications.
  8. Individuals may not circumvent or avoid using authentication systems, data-protection mechanisms, or other security safeguards.
  9. Individuals must not violate any applicable copyright laws and licenses, and they must respect other intellectual property rights. Information and software accessible on the Internet are subject to copyright or additional intellectual property-right protection. College policy, procedures, and the law forbid the unauthorized copying of software that has not been placed in the public domain and distributed as “freeware.” Therefore, nothing should be downloaded or copied from the Internet without express permission from the owner of the material. Users must observe the material owner’s requirements or limitations on the material. The use of software on more than the licensed number of computers and unauthorized installation of unlicensed software are also prohibited. “Shareware” users must abide by the requirements of the shareware agreement.
  10. Activities that waste or unfairly monopolize computing resources and do not promote the College’s mission are prohibited. Examples of such activities include unauthorized mass e-mailings; electronic chain letters, junk mail, and other types of broadcast messages; unnecessary multiple processes, output, or traffic; exceeding network directory space limitations; game-playing, “surfing” the Internet for recreational purposes, or other non-work-related applications during business hours; and excessive printing.
  11. Reading, copying, changing, or deleting programs or files that belong to another person or the College without permission is prohibited.
  12. Individuals must not use the College’s computing resources for commercial purposes or personal financial gain.
  13. Use of the College’s IT Systems that violates local, state, or national laws or regulations or College policies, standards of conduct, or guidelines is prohibited.
  14. Email Communications:
      1. The College’s email system exists to support the College’s work, and email use must be related to College business. However, incidental personal, noncommercial use without direct cost to the College that does not interfere with legitimate College business is also permitted.
      2. Electronic communications whose meaning, transmission, or distribution is illegal, unethical, fraudulent, defamatory, harassing, or irresponsible are prohibited. College email systems must not be used to communicate content that may be considered inappropriate, offensive, or disrespectful to others.
      3. Individuals should observe appropriate professional standards of civility and decency in all electronic communication.
      4. All email correspondence relating to College business (including that sent to students and prospective students) should be sent with a plain white background and should not use any decorative stationery.
      5. Broadcast emails to the College Community will relate to College policy and procedures, College news, a College-sponsored event, or items affecting the College Community. Items for sale, donation requests, and other non-College business matters are prohibited. Individuals may not send emails requesting this type of information via the College’s mailing lists.

World Wide Web

  1. The Hudson County Community College Web site is an official publication of the College. All information contained on the Web pages must be accurate and reflect the official College policy and procedures.
  2. Official College Web pages conform to the same standards as any College print publication. The CIO, Director of Marketing and College Relations, Web Services Manager and the pertinent Vice President or their designee shall have the ultimate responsibility for each page’s content and design.
  3. The Web Services Manager and College staff responsible for each division or department will regularly review the currency and accuracy of official Hudson County Community College web pages. Individual areas are responsible for communicating revisions and updates, as they occur, to the Web Services Manager, who will review them and arrange for their posting.

Non-compliance and Sanctions

Non-compliance with this procedure may result in denial or removal of access privileges to the College’s electronic systems, disciplinary action under applicable College policies and procedures, civil liability and litigation, and criminal prosecution under appropriate state, federal, and local laws.

The process for an investigation into suspected abuses and non-compliance with this procedure is as follows:

    1. Report suspected abuse to the CIO.
    2. If there is concurrence by the Vice President for Business and Finance/CFO, the CIO shall investigate the report.
    3. CIO shall report any discovered abuse to the appropriate divisional Vice President, who will determine appropriate disciplinary action.

Network, Email, and Internet Accounts Procedures

Eligible for Accounts are the following:

    1. All salaried Hudson County Community College full-time staff.
    2. All adjunct faculty and other consultants engaged by the College through letters of agreement, memoranda of understanding, or contract.
    3. All members of the Board of Trustees.
    4. Hudson County Community College part-time staff who have a demonstrated need for computer resources available from ITS/Enterprise Applications (other than general Internet access), related to their work at the College, are eligible for temporary accounts.
    5. Employees of affiliated educational institutions that have relationships with Hudson County Community College, and a demonstrated need for ITS/Enterprise Applications computer resources (other than general Internet access), are eligible for temporary accounts.
    6. Affiliated organizations with an academic mission whose activities related to the College require computing resources that the affiliate cannot reasonably supply on its own are eligible for temporary accounts.

ITS removes accounts when:

    1. The account holder no longer meets the eligibility requirements.
    2. The account is temporary, and the expiration date passes without renewal.
    3. The account holder has not accessed the account in 18 consecutive months.
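The three removal criteria above can be applied mechanically to an account inventory. The following is an added example, not HCCC's own tooling: a Python check that flags every account meeting any criterion and records which one. The inventory fields (eligible, temporary, expires, created, last_access) and the sample accounts are constructed for illustration, and two details the procedure does not specify are assumptions: an account that has never been used is measured from its creation date, and an account whose last access falls exactly 18 months ago is not yet dormant.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Threshold from the procedure: accounts not accessed in 18 consecutive months are removed.
DORMANCY_MONTHS = 18


@dataclass
class Account:
    username: str
    eligible: bool               # still meets one of the eligibility categories
    temporary: bool              # temporary account (part-time staff, affiliates)
    expires: Optional[date]      # expiration date of a temporary account, else None
    created: date                # account creation date
    last_access: Optional[date]  # most recent login, or None if never used


def months_before(d: date, months: int) -> date:
    """Calendar-accurate date `months` before `d`; the day is clamped to the target month."""
    y, m0 = divmod(d.month - 1 - months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def removal_reason(acct: Account, today: date) -> Optional[str]:
    """Return the first removal criterion the account meets, or None if it should stay."""
    # 1. The account holder no longer meets the eligibility requirements.
    if not acct.eligible:
        return "no longer eligible"
    # 2. Temporary account whose expiration date passed without renewal.
    if acct.temporary and acct.expires is not None and acct.expires < today:
        return f"temporary account expired {acct.expires.isoformat()} without renewal"
    # 3. No access in 18 consecutive months. Assumption (not in the procedure): a
    #    never-used account is measured from creation, and exactly 18 months is kept.
    cutoff = months_before(today, DORMANCY_MONTHS)
    reference = acct.last_access if acct.last_access is not None else acct.created
    if reference < cutoff:
        return f"no access since {reference.isoformat()} (cutoff {cutoff.isoformat()})"
    return None


def accounts_to_remove(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Usernames and reasons for every account meeting a removal criterion."""
    flagged = []
    for acct in accounts:
        reason = removal_reason(acct, today)
        if reason is not None:
            flagged.append((acct.username, reason))
    return flagged


# Constructed sample inventory (not real HCCC accounts), evaluated as of 1 June 2024.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, False, None, date(2019, 1, 15), date(2024, 5, 20)),    # active, keep
    Account("asmith", False, False, None, date(2018, 9, 3), date(2024, 5, 30)),  # no longer eligible
    Account("affil01", True, True, date(2024, 3, 31), date(2023, 9, 1), date(2024, 5, 1)),  # expired
    Account("dormant", True, False, None, date(2015, 2, 2), date(2022, 11, 30)), # just past 18 months
    Account("boundary", True, False, None, date(2015, 2, 2), date(2022, 12, 1)), # exactly 18 months, keep
    Account("neverused", True, False, None, date(2022, 6, 1), None),             # created, never logged in
]


def demo() -> List[str]:
    """Usernames flagged for removal in the sample inventory."""
    return [username for username, _ in accounts_to_remove(SAMPLE_ACCOUNTS, TODAY)]


if __name__ == "__main__":
    for username, reason in accounts_to_remove(SAMPLE_ACCOUNTS, TODAY):
        print(f"{username}: {reason}")
```

The dormancy cutoff is computed in calendar months rather than as a fixed number of days, so "18 consecutive months" means the same thing whichever month the review runs in. The output is a list of accounts and reasons, intended to feed the account-disable request in Appendix A rather than to delete anything on its own.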

Passwords

    1. Accounts are created with a pre-assigned password that account holders must change upon logging in for the first time, consistent with College procedures.
    2. It is strictly forbidden to share or divulge passwords.

Hudson County Community College Email Procedure

Individuals with access to the College’s IT Systems are responsible for using them professionally, ethically, legally, and following applicable College policies and procedures. Users should maintain an academic and work environment conducive to efficiently and productively carrying out the College’s mission.

Electronic communications whose meaning, transmission, or distribution are illegal, unethical, fraudulent, defamatory, harassing, irresponsible, or violate College policies or procedures are prohibited. Electronic communications should not contain anything that could not be posted on a bulletin board, seen by unintended viewers, or appear in a College publication. Material that may be considered inappropriate, offensive, or disrespectful to others should not be sent or received as electronic communications using College facilities. The CIO will oversee the enforcement of this procedure.

A. Actions Considered Violations of this email procedure are as follows:

      1. Sending unauthorized bulk email messages (“junk mail” or “spam”).
      2. Using email for harassment, whether through language, frequency, content, or size of messages.
      3. Forwarding or otherwise propagating chain letters and pyramid schemes, whether or not the recipient wishes to receive such mailings.
      4. Malicious emails, such as “mail-bombing” or flooding a user site with very large or numerous pieces of email.
      5. Forging of sender information other than accountname@hccc.edu or another preapproved header address.
      6. Sending email for commercial purposes or personal financial gain.

The College has the right to remove access to accounts found in violation of this procedure.

B. Email Rules and Controls:

      1. The College does not archive email.
      2. The College does filter email for spam and malicious content.
      3. The College blocks email accounts that send spam and malicious content.

Approved by Cabinet: July 2021
Related Board Policy: Information Technology Services


Computer Life Cycles Procedure

Introduction

This procedure aims to ensure access to the current computing technology required to promote student success and fulfill employee job responsibilities. This procedure provides the Office of Information Technology Services (ITS) scheduled replacement of computers for employee, classroom, and lab use. 

Purpose

The purpose of this procedure is to set the parameters and process for personal computer replacements. This procedure excludes unique purpose workstations and terminals for use with Virtual Desktop Infrastructure (VDI). 

Scope

This procedure covers personal computers used by full-time faculty, full-time staff, labs, and classrooms. Computers purchased under grants or for a dedicated use must be handled separately according to the parameters of their grants and purpose. This procedure does not apply to peripheral equipment, office phones, cell phones, printers, scanners, Audio/Visual equipment, servers, or other IT-related equipment. That equipment is replaced by ITS according to need, condition, and budgetary resources, based on ITS’s analysis, judgment, and support contracts.

Hardware Platforms 

Each year, the College will determine standard specifications for desktop and laptop computers based on job function to contain costs and gain maintenance and support efficiencies. ITS develops the equipment standards, which are reviewed by the All College Council Technology Committee and approved by the Chief Information Officer and the Vice President for Finance and Business/Chief Financial Officer. Since ITS supports one device per employee, users will be assigned a laptop and docking station rather than a desktop computer. Desktop computers will be provided in areas where their use is shared, such as reception areas, classrooms, labs, and adjunct or work-study work areas.

Procedure

    1. Personal computers will be maintained and supported by ITS through their designated period of service. The current period of service for HCCC personal computers is five years.
    2. Each year, ITS will replace a portion of personal computers on the inventory list. ITS will deploy faculty and staff personal computers over the summer and fall. ITS will also refresh part of the classroom, lab, and open-access computers each year. Estimated replacement budgets will be presented at annual budget hearings. ITS recognizes that some faculty, staff, and students have different computing needs. Academic labs with specialized computers will be built into the replacement budget when possible. Faculty and staff who require a non-standard machine that exceeds a standard personal computer's cost will be required to obtain Office/School approval. Their Office/School will fund the price difference.
    3. Faculty and staff who want to borrow a laptop will complete a request form requiring the manager's approval. Upon manager approval, ITS will provision a laptop.
    4. ITS will work with the computer's user to migrate employee data to the replacement computer. ITS will remove the older personal computer. ITS will hold the old computer's hard drive for two weeks to 90 days to ensure that no data was lost during the deployment.

      1. Retirees may be given the option to purchase their old computer for a fair market value determined by ITS. These purchases are "as is," and ITS will remove all HCCC software and data before the transfer of ownership. The retiree will pay by check made out to Hudson County Community College, which will be deposited in the College’s account.
    5. In some cases, computers may be reused or redeployed to other locations on campus at ITS's discretion.
    6. When personal computers need to be moved, the Office/School must contact ITS. ITS is responsible for an accurate inventory. Users should not relocate personal computers themselves. Computers should not be reassigned or redistributed without notifying ITS and obtaining approval.
    7. When an employee with a personal computer exits the College, ITS will be notified by the Office/School and Human Resources. In most cases, this computer will be redistributed to the next employee hired in that position.
    8. If a personal computer breaks and cannot be repaired, ITS will replace the computer with a new machine. That computer then becomes the personal machine for that employee. 

Approved by Cabinet: April 2023
Related Board Policy: Information Technology Services


Requests for Access to Information Systems Containing Sensitive Data Procedure

Introduction

This procedure designates Hudson County Community College's (HCCC) System/Data Owners. These individuals oversee access to information systems containing sensitive data, such as the Colleague ERP System. Oversight is necessary to protect and preserve the confidentiality, integrity, and availability of HCCC's data and to comply with the information technology standards and regulations applicable to HCCC.

The designated System/Data Owners for Hudson County Community College's information systems containing sensitive data shall have the authority to approve individuals' access to these systems.

Designation of System/Data Owners

The following Executive Staff members are designated as System/Data Owners for information systems containing sensitive data.

Colleague ERP System

    Student Module: Vice President for Student Affairs and Enrollment
    Student Financials Module: Vice President for Business and Finance/CFO
    Financial Aid Module: Associate Dean of Financial Aid
    Human Resources Module: Vice President for Human Resources

Document Imaging System

    Enrollment Services, Admissions, and Advising Documents: Vice President for Student Affairs and Enrollment
    Student Financial Aid Documents: Associate Dean of Financial Aid
    Financial Documents: Vice President for Business and Finance/CFO

Requests for Access to Information Systems Containing Sensitive Data

Requests for access to information systems containing sensitive data shall be granted on a "least privilege" basis, meaning access only to such information and systems necessary to perform the individual's regular work duties.

Executive staff members designated as System/Data Owners or designated managers in functional areas shall review requests for access to information systems containing sensitive data from staff members under their administrative authority. They shall validate that users are granted access on a "least privilege" basis to only those privileges necessary to perform their regular work duties. They shall approve requests by submitting a system access request form located on the portal. If the access is not warranted, the request will be denied.

Removal of Access to Information Systems Containing Sensitive Data

Executive Staff members shall ensure that supervisors promptly notify Information Technology Services (ITS) when user access to an information system is no longer required and when a user's access must be modified because of a change in the employee's core duties.

ITS will be notified immediately by phone call, followed by an email to the Chief Information Officer (CIO), upon the termination of a superuser employee or in the event of an employee's involuntary termination. Routine terminations, transfers to another college department, or changes in duties must be submitted within five business days using the system access request form located on the portal.

Review of Access to Information Systems Containing Sensitive Data

An annual review of all user accounts for sensitive IT systems shall be conducted by ITS to assess the accounts' continued need and associated access level.

Responsibilities

The CIO shall have overall responsibility for developing and maintaining the technical procedures consistent with this procedure, and shall comply with the applicable standards of Hudson County Community College.

Appendix A gives the locations of the forms for requesting access to College information systems.

Definitions

Data includes any information within HCCC's purview, including student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, legal files, institutional research data, proprietary data, and all other data that pertain to or support the administration of the College.

Information System comprises the total components and operations of a record-keeping process, including information collected or managed using computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

Sensitive data – includes any information that could adversely affect the College's interests, the conduct of agency programs, or the privacy to which individuals are entitled if compromised in confidentiality, integrity, or availability. Data are classified as sensitive if compromise of those data results in a material and significant adverse effect on the College's interests, the affected agency's inability to conduct its business, breach of privacy expectations, or is required by law to be kept confidential.

Superuser – an employee who has enrollment-panel or other elevated privileged access, e.g., a security administrator.

References

  • Family Educational Rights and Privacy Act (FERPA) (20 USC § 1232g; 34 CFR Part 99)
  • Financial Services Modernization Act (Gramm-Leach-Bliley Act) (15 USC § 6801 et seq.)
  • Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191)

Review Periodicity and Responsibility

The CIO shall review this procedure annually and, if necessary, recommend revisions.

APPENDIX "A"

System Access Request Forms:

Colleague Access

https://myhudson.hccc.edu/ellucian

Account Creation Request or Disable Request

https://myhudson.hccc.edu/its

Approved by Cabinet: July 2021
Related Board Policy: ITS


Information Security Plan Procedure

Introduction

The purpose of the development and implementation of this comprehensive written information security plan procedure (“Plan”) is to create effective administrative, technical, and physical safeguards for the protection of “personal information” of prospective students, applicants, students, employees, alumni, and friends of Hudson County Community College, and to follow the safeguards required by 201 CMR 17.00 (the Massachusetts Standards for the Protection of Personal Information, on which this Plan is based). The Plan sets forth our procedures for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting “personal information” of the College’s constituents.

For purposes of this Plan, “personal information” is defined as a person’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such person: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the person’s financial account, where Hudson County Community College is the custodian of that data; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

Purpose

The purpose of this Plan is to:

    1. Ensure the security and confidentiality of personal information;
    2. Protect against any potential threats or hazards to the security or integrity of personal information; and,
    3. Protect against unauthorized access to, or use of, personal information in a manner that creates a substantial risk of identity theft or fraud.

Scope

In formulating and implementing the Plan, the institution will: (1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluate the sufficiency of existing policies, practices, procedures, information systems, and other safeguards in place to control risks; (4) design and implement a plan that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5) regularly monitor the Plan.

Data Security Coordinator

HCCC has designated the Chief Information Officer (CIO) and Vice President for Business and Finance/CFO to implement, supervise and maintain the Plan. The CIO and Vice President for Business and Finance/CFO will be responsible for:

    1. Initial implementation of the Plan;
    2. Oversight of ongoing employee training on the elements and requirements of the Plan for all owners, managers, employees, and independent contractors that have access to personal information;
    3. Monitoring the Plan’s safeguards;
    4. Assessing Third Party Service providers that have access to and host/transmit/backup/maintain personal information, and requiring those service providers by contract to implement and maintain such appropriate security measures to protect personal information;
    5. Reviewing the scope of the security measures in the Plan annually, or whenever there is a material change in HCCC’s business practices that may implicate the security or integrity of records containing personal information; and,
    6. Reviewing legislation and laws and updating policies and procedures as required.

Internal Risks

To combat internal risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information, and in order to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately: 

Administrative Measures

      1. A copy of the Plan shall be distributed to the President, the President’s Cabinet, Information Technology Services (ITS) staff, and other designated staff members handling personal information. Upon receipt of the Plan, each individual needs to acknowledge in writing that they received a copy of the Plan.
      2. After training, all staff will be required to sign confidentiality agreements that describe the handling of personal information. The confidentiality agreements will require staff members to report any suspicious or unauthorized use of “personal information” to the CIO or the Vice President for Human Resources.
      3. The amount of personal information collected must be limited to what is reasonably necessary to accomplish legitimate business purposes. Personal information use is addressed through audits in various areas.
      4. All data security measures shall be reviewed at least annually, or whenever there is a material change in HCCC’s business practice or change in law that may reasonably implicate the security or integrity of records containing personal information. The CIO and Vice President for Business and Finance/CFO shall be responsible for this review and shall fully apprise department heads of the results of that review and any recommendations for improved security arising from that review.
      5. Whenever there is an incident that requires notification under N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting law, there shall be an immediate mandatory post-incident review of events and actions taken, if any, to determine whether any changes in HCCC’s security practices are required in order to improve the security of personal information under the Plan.
      6. Each department shall develop rules (bearing in mind the business needs of that department) that ensure reasonable restrictions upon physical access of personal information are in place, including a written procedure that states how the record’s physical access is restricted. Each department must store such records and data in locked facilities, secure storage areas, or locked cabinets.
      7. Except for System Administration accounts, access to electronically stored personal information shall be electronically limited to those employees having a unique login ID, with appropriate access. Access will not be granted to employees whom the CIO determines do not need access to electronically stored personal information.
      8. When a confidentiality agreement is not in place, visitor or contractor access to sensitive data, including but not limited to passwords, encryption keys, and technical specifications, when necessary, must be agreed to in writing. Access shall be limited to the minimum amount necessary. If remote login is needed for access, that access must also be approved through HCCC’s ITS Department.

Physical Measures

      1. Access to records containing personal information shall be limited to those who are reasonably required to know such information to accomplish HCCC’s legitimate business purpose. To mitigate unneeded disclosure, sensitive and personal information will be redacted, paper records will be stored in locked facilities, and data security controls for electronic records will be implemented.
      2. At the end of the workday, all non-electronic files and other records containing personal information must be stored in locked rooms, offices or cabinets.
      3. Paper records containing personal information shall be disposed of in a manner that complies with N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting law. This means records should be disposed of using a cross-cut shredder, or other methods that render the information illegible.

Technical Measures

      1. HCCC does not allow employees to store personal information on portable media. This includes laptops, USB drives, CDs, etc. When employees who have access to personal information are terminated, HCCC shall terminate their access to network resources and physical devices that contain personal information. This includes termination or surrender of network accounts, database accounts, keys, badges, phones, and laptops or desktops.
      2. Employees are required to change their passwords on a routine basis for systems that contain personal information.
      3. Access to personal information shall be restricted to active users, and active user accounts only.
      4. Where technically possible, all HCCC maintained systems that store personal information will employ automatic locking features that lock access after multiple unsuccessful login attempts.
      5. Electronic records (including records stored on hard drives and other electronic media) containing personal information shall be disposed of in a manner that complies with N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting law. This requires that information be destroyed or erased so that personal information cannot practicably be read or reconstructed.

External Risks

To combat external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information, and in order to evaluate or improve where necessary the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

a.) Reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of personal information, are installed on systems that hold personal information.

b.) Reasonably up-to-date versions of system security agent software that include malware protection, together with reasonably up-to-date patches and virus definitions, are installed on systems processing personal information.

c.) When stored on HCCC’s network shares, files containing personal information should be encrypted. HCCC does not allow personal information to be stored on laptops, PCs, USB devices, or other portable media. HCCC will deploy encryption software to comply with this objective.

d.) Any personal information transmitted electronically to third-party vendors should be sent via the vendor’s encrypted service or through HCCC’s designated encrypted service for secure transmission.

e.) All new service providers that store HCCC’s personal information in electronic form will need to adequately demonstrate security measures through the EDUCAUSE HECVAT or similar instrument. These vendors must also be approved by HCCC’s Vice President for Finance and Business/CFO.

f.) Human Resources and Information Technology Services personnel shall follow the procedures outlined in the HCCC Acceptable Use Procedure for Information Technology Systems related to the creation, transfer, or termination of accounts, along with policies for password storage and role-based security.

g.) All personal information will be disposed of following HCCC Policies and Procedures.

h.) As resources and budget allow, HCCC will implement technology that will allow the College to monitor databases for unauthorized use of, or access to, personal information, and employ secure authentication protocols and access control measures pursuant to HCCC’s procedures.


Approved by Cabinet: July 2021
Related Board Policy: Information Technology Services


Information Security Incident Response Plan Procedure

Purpose

This plan guides how to respond to information security incidents at Hudson County Community College (HCCC). The plan identifies the roles and responsibilities of the HCCC incident response team and the steps to be taken in the event of an incident. The Information Security Incident Response Plan (ISIRP) aims to minimize the impact of an incident, preserve evidence for investigation purposes, and restore normal operations as quickly as possible.

Definitions

Incident: An event that results in a loss of confidentiality, integrity, or availability of information or information systems.

Response: The actions that are taken to mitigate the impact of an incident and restore the affected systems and data to their normal state.

Incident Response Team (IRT): The Incident Response Team (IRT) is responsible for implementing the ISIRP. The IRT consists of representatives from relevant departments, including but not limited to Information Technology Services (ITS), Finance (Risk Management), Legal Counsel, HR, and Communications. The IRT is responsible for coordinating the response to an incident and ensuring that all necessary resources are available.

Roles and Responsibilities

The IRT is responsible for the following:

  • Responding to incidents and mitigating their impact.
  • Investigating incidents and determining their cause.
  • Restoring systems and data that have been affected by an incident.
  • Communicating with stakeholders about incidents.
  • Logging and reporting incidents.

Incident Reporting

All suspected or confirmed information security incidents must be reported to ITS immediately. ITS will then assess the incident and determine if it is a security incident. ITS will escalate the incident to the IRT if it is a security incident.

Response Steps

Incident Categorization:

The IRT will categorize the incident based on its severity and impact. The categories are as follows:

Category 1: Minor Incident - No significant impact on the college or its operations.
Category 2: Moderate Incident - Limited impact on the college or its operations.
Category 3: Major Incident - Significant impact on the college or its operations.
Category 4: Critical Incident - Severe impact on the college or its operations.

Incident Response by Category:

The IRT will follow the steps below to respond to an incident:

Category 1: No formal response is required.
Category 2: The IRT will investigate the incident and take appropriate action to contain and mitigate the incident.
Category 3: The IRT will coordinate with relevant departments and external resources, such as law enforcement and cybersecurity experts, to investigate the incident and take appropriate action to contain and mitigate the incident.
Category 4: The IRT will implement the HCCC Emergency Management Plan, which outlines the steps to follow during a significant crisis.

ISIRP Steps for IRT to Follow

The IRT will follow these steps in the event of an incident:

  1. Respond to the incident report.
  2. Mitigate the impact of the incident.
  3. Categorize the effects on the above scale.
  4. Investigate the incident.
  5. Determine the cause of the incident.
  6. Restore systems and data that have been affected by the incident.
  7. Communicate with stakeholders about the incident.
  8. Log and report the incident.

Tools and Resources

The IRT will use the following tools and resources to respond to incidents:

  • Security software: Sophos, Crowdstrike
  • Data backup and recovery systems: Cohesity, Arcserve, OneDrive
  • Communication channels: Email, Text, Social Media
  • Third-party cybersecurity experts: NJ Edge, CyberSecOp, Cybersecurity Insurance consultants

Testing and Training

The IRT will test and train regularly on the procedures and tools in place.

Communication Plan

The IRT will communicate with the following stakeholders in the event of an incident:

  • Students
  • Faculty
  • Staff
  • Media
  • Law enforcement
  • Regulatory agencies

Metrics and Reporting

The IRT will document all aspects of the incident, including but not limited to the incident type, severity, impact, response, and resolution. Documentation will be stored securely and be accessible only to authorized personnel.

The IRT will collect and analyze the following metrics related to incidents:

  • Number of incidents
  • Cost of incidents
  • Time to recover from incidents

The Associate Vice President for Technology and CIO will report on these metrics to the HCCC Board of Trustees.

Review and Update

The AVP/CIO will review the ISIRP annually and update it to reflect the changing security landscape and HCCC’s evolving needs.

Approved by Cabinet: May 2023
Related Board Policy: Information Technology Services

 

Vendor Risk Management Plan Procedure

Introduction

This Vendor Risk Management Plan aims to establish a framework for effectively managing and mitigating risks associated with third-party vendors at Hudson County Community College. The procedure outlines the processes and procedures for vendor evaluation, selection, and ongoing monitoring to ensure the security, compliance, and reliability of vendor relationships. The procedure primarily focuses on collecting and reviewing information about the vendor’s suitability and security, and on assessing terms and conditions and contract language during initial contract signing and renewal.

  1. Vendor Selection Process
    1. Vendor Identification: Identify potential vendors based on the college's requirements and needs.
    2. Initial Vendor Evaluation: Evaluate potential vendors using the following criteria:
      1. Qualifications and expertise
      2. Reputation and references
      3. Financial stability
      4. Security and compliance standards
      5. Service level agreements
    3. Request for Proposal (RFP): Prepare and issue an RFP, if necessary, to shortlisted vendors outlining the college's expectations, requirements, and evaluation criteria.
    4. Vendor Evaluation: Evaluate vendor proposals based on predefined criteria and conduct any necessary interviews or presentations.
    5. Vendor Selection: Select the vendor(s) based on evaluation results, considering factors such as cost, capabilities, and risk profile.
  2. Higher Education Community Vendor Assessment Toolkit (HECVAT) Collection and Review
    1. HECVAT Form Requirement: All potential vendors must submit their completed HECVAT; SOC 2 audit findings may be substituted for a HECVAT.
    2. Initial Review: Review the HECVAT to assess the vendors' security practices, data protection measures, and compliance with relevant regulations.
    3. Risk Assessment: Conduct a risk assessment based on the information provided in the HECVAT to identify potential risks associated with the vendor relationship.
    4. Mitigation Actions: Develop mitigation actions to address identified risks, such as requesting additional information, conducting security audits, or establishing contractual obligations for security and privacy.
  3. Terms and Conditions Review
    1. Contract Review: Review the terms and conditions of the proposed vendor contract, focusing on areas related to data privacy, security, compliance, and intellectual property.
    2. Legal Review: Engage legal counsel, if necessary, to ensure contract language adequately protects the college's interests and aligns with applicable laws and regulations.
    3. Negotiation and Amendment: Collaborate with the vendor to negotiate and amend contract language to address any identified concerns or gaps.
    4. Approval and Signing: Obtain necessary approvals for the contract and sign the agreement once all parties are satisfied with the terms and conditions.
  4. Ongoing Vendor Management
    1. Regular Monitoring: Continuously monitor vendor performance, security practices, and compliance throughout the contract duration.
    2. Contract Renewal Review: Contract Renewals are contingent upon Community College Contract Law Statutes. Conduct a thorough review of vendor relationships, including re-evaluation of a new HECVAT, terms and conditions, and contract language, during the contract renewal process.
    3. Vendor Performance Evaluation: Periodically assess vendor performance against established service level agreements and expectations.
    4. Incident Response: Follow the Incident Response procedure to address any security breaches or data incidents involving vendors promptly.
    5. Vendor Offboarding: Develop a process to ensure proper offboarding of vendors, including returning sensitive information and terminating system access.
  5. Documentation and Reporting
    1. Documentation
      1. Contract Repository: All vendor contracts, including their terms and conditions, amendments, and related documents, should be stored in the college's contract management system. Ensure that the contract repository is organized, easily accessible, and regularly updated.
      2. Completed HECVAT and Security Documentation: Maintain a record of all HECVATs and security audits received from vendors, including any supporting documentation or clarifications provided by the vendors.
      3. Risk Assessments: Document the results of risk assessments conducted based on the HECVAT and any additional assessments or audits performed.
      4. Incident Reports: Keep a record of any security incidents or breaches involving vendors, along with the corresponding incident response actions taken.
    2. Reporting
      1. Executive Reporting: Provide regular reports to executive management, including the Chief Information Officer (CIO) and Cabinet, summarizing the vendor risk landscape, mitigation efforts, and notable incidents or concerns.
      2. Contract Renewal Report: Prepare a comprehensive report highlighting the findings from the contract renewal review, including any recommended changes or enhancements to vendor relationships.
      3. Compliance Reporting: Generate periodic reports on vendors' compliance with applicable regulations, contractual obligations, and agreed-upon security standards.
    3. Record Retention
      1. Retention Period: Vendor Risk Assessment documentation will follow record retention schedules for vendor-related documentation, ensuring compliance with legal, regulatory, and internal requirements.
      2. Data Privacy and Protection: Adhere to applicable data privacy and protection regulations when storing and handling vendor-related documents, ensuring proper safeguards are in place.

Approved by Cabinet: May 2023
Related Board Policy: Information Technology Services
