Information Security Plan Procedure

 

Introduction

The purpose of the development and implementation of this comprehensive written information security plan procedure (“Plan”) is to create effective administrative, technical, and physical safeguards for the protection of “personal information” of prospective students, applicants, students, employees, alumni, and friends of Hudson County Community College, and to comply with our obligations under New Jersey regulation 201 CMR 17.00.  The Plan sets forth our procedures for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting “personal information” of the College’s constituents.

For purposes of this Plan, “personal information” is defined as a person’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account where Hudson County Community College is the custodian of that data; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Purpose

The purpose of this Plan is to:

    1. Ensure the security and confidentiality of personal information;
    2. Protect against any potential threats or hazards to the security or integrity of personal information; and,
    3. Protect against unauthorized access to, or use of, personal information in a manner that creates a substantial risk of identity theft or fraud.

Scope

In formulating and implementing the Plan, the institution will: (1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluate the sufficiency of existing policies, practices, procedures, information systems, and other safeguards in place to control risks; (4) design and implement a plan that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5) regularly monitor the Plan.

Data Security Coordinator

HCCC has designated the Chief Information Officer (CIO) and Vice President for Business and Finance/CFO to implement, supervise and maintain the Plan. The CIO and Vice President for Business and Finance/CFO will be responsible for:

    1. Initial implementation of the Plan;
    2. Oversight of ongoing employee training on the elements and requirements of the Plan for all owners, managers, employees, and independent contractors that have access to personal information;
    3. Monitoring the Plan’s safeguards;
    4. Assessing Third Party Service providers that have access to and host/transmit/backup/maintain personal information, and requiring those service providers by contract to implement and maintain such appropriate security measures to protect personal information;
    5. Reviewing the scope of the security measures in the Plan annually, or whenever there is a material change in HCCC’s business practices that may implicate the security or integrity of records containing personal information; and,
    6. Reviewing legislation and laws and updating policies and procedures as required.

Internal Risks

To combat internal risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information, and in order to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately: 

Administrative Measures

      1. A copy of the Plan shall be distributed to the President, the President’s Cabinet, Information Technology Services (ITS) staff, and other designated staff members handling personal information. Upon receipt of the Plan, each individual needs to acknowledge in writing that they received a copy of the Plan.
      2. After training, all staff will be required to sign confidentiality agreements that describe the handling of personal information. The confidentiality agreements will require staff members to report any suspicious or unauthorized use of “personal information” to the CIO or the Vice President for Human Resources.
      3. The amount of personal information collected must be limited to what is reasonably necessary to accomplish legitimate business purposes. Personal information use is addressed through audits in various areas.
      4. All data security measures shall be reviewed at least annually, or whenever there is a material change in HCCC’s business practice or change in law that may reasonably implicate the security or integrity of records containing personal information. The CIO and Vice President for Business and Finance/CFO shall be responsible for this review and shall fully apprise department heads of the results of that review and any recommendations for improved security arising from that review.
      5. Whenever there is an incident that requires notification under N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting law, there shall be an immediate mandatory post-incident review of events and actions taken, if any, to determine whether any changes in HCCC’s security practices are required in order to improve the security of personal information under the Plan.
      6. Each department shall develop rules (bearing in mind the business needs of that department) that ensure reasonable restrictions upon physical access of personal information are in place, including a written procedure that states how the record’s physical access is restricted. Each department must store such records and data in locked facilities, secure storage areas, or locked cabinets.
      7. Except for System Administration accounts, access to electronically stored personal information shall be electronically limited to those employees having a unique login ID, with appropriate access. Access will not be granted to employees whom the CIO determines do not need access to electronically stored personal information.
      8. When a confidentiality agreement is not in place, visitor or contractor access to sensitive data, including but not limited to passwords, encryption keys, and technical specifications, when necessary, must be agreed to in writing.  Access shall be limited to the minimum amount necessary. If remote login is needed for access, that access must also be approved through HCCC’s ITS Department.

Physical Measures

      1. Access to records containing personal information shall be limited to those who are reasonably required to know such information to accomplish HCCC’s legitimate business purpose. To mitigate against unneeded disclosure, sensitive and personal information will be redacted, paper records will be stored in locked facilities, and data security controls for electronic records will be implemented.
      2. At the end of the workday, all non-electronic files and other records containing personal information must be stored in locked rooms, offices or cabinets.
      3. Paper records containing personal information shall be disposed in a manner that complies with N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting law. This means records should be disposed of using a cross-cut shredder, or other methods that render the information illegible.

Technical Measures

      1. HCCC does not allow employees to store personal information on portable media. This includes laptops, USB, CDs, etc. When employees who have access to personal information are terminated, HCCC shall terminate their access to network resources and physical devices that contain personal information. This includes termination or surrender of network accounts, database accounts, keys, badges, phones, and laptops or desktops.
      2. Employees are required to change their passwords on a routine basis for systems that contain personal information.
      3. Access to personal information shall be restricted to active users, and active user accounts only.
      4. Where technically possible, all HCCC maintained systems that store personal information will employ automatic locking features that lock access after multiple unsuccessful login attempts.
      5. Electronic records (including records stored on hard drives and other electronic media) containing personal information shall be disposed of in accordance with and manner that complies with N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting law. This requires that information be destroyed or erased so that personal information cannot practicably be read or reconstructed.

External Risks

      1. To combat external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information, and in order to evaluate or improve where necessary the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and effective immediately:

a.) There are reasonably up-to-date firewall protection and operating system security patches reasonably designed to maintain the integrity of personal information installed on systems with personal information.

b.) There are reasonably up-to-date versions of system security agent software that include malware protection, and reasonably up-to-date patches and virus definitions installed on systems processing personal information.

c.)When stored on HCCC’s network shares, files containing personal information should be encrypted. HCCC does not allow personal information to be stored on laptops, PCs, USB devices, or other portable media.  HCCC will deploy encryption software to comply with this objective.

d.) Any personal information transmitted electronically to third-party vendors should be sent via the vendor’s encrypted service or through HCCC’s designated encrypted service for secure transmission. 

e.) All new service providers that store HCCC’s personal information in electronic form will need to adequately demonstrate security measures through the EDUCAUSE HECVAT or similar instrument. These vendors must also be approved by HCCC’s Vice President for Finance and Business/CFO.

f.) Human Resources and Information Technology Services personnel shall follow the procedures outlined in the HCCC Acceptable Use Procedure for Information Technology Systems related to the creation, transfer, or termination of accounts, along with policies for password storage and role-based security.

g.) All personal information will be disposed of following HCCC Policies and Procedures.

h.) As resources and budget allow, HCCC will implement technology that will allow the College to monitor databases for unauthorized use of, or access to, personal information, and employ secure authentication protocols and access control measures pursuant to HCCC’s procedures.

Approved by Cabinet: July 2021
Related Board Policy: ITS

Return to Policies and Procedures