Information Security Standard Practices

Information Security Program

Overview: This document summarizes Mt. San Antonio College's (the "College's") comprehensive written information security program (the "Program") mandated by law [1]. In particular, this document describes the Program elements pursuant to which the College intends to (i) ensure the security and confidentiality of records covered by law, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to students, faculty and staff. The Program incorporates the College's policies and procedures and is in addition to any College policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, the Family Educational Rights and Privacy Act (FERPA) of 1974.

Designation of Representatives: The College's Chief Technology Officer is designated as the Program Coordinator who shall be responsible for coordinating and overseeing the Program. The Program Coordinator may designate other representatives of the College to oversee and coordinate particular elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the Program Coordinator or his or her designees.


Scope of Program: The Program applies to any record containing nonpublic information about a student or other third party who has a relationship with the College, whether in paper, electronic or other form that is handled or maintained by or on behalf of the College or its affiliates. For these purposes, the term nonpublic information shall mean any information (i) a student, faculty, staff or other third party provides in order to obtain a service from the College, (ii) about a student, faculty, staff, or other third party resulting from any transaction with the College, or (iii) otherwise obtained about a student, faculty, staff, or other third party in connection with providing a service to that person.

Elements of the Program:


1. Risk Identification and Assessment. The College intends, as part of the Program, to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromising action of such information. In implementing the Program, the Program Coordinator will establish procedures for identifying and assessing such risks in each relevant area of the College's operations, including:

  • Employee training and management. The Program Coordinator will coordinate with representatives in the College's Human Resources, Student Services, and Administrative Services to evaluate the effectiveness of the College's procedures and practices relating to access and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the College's current policies and procedures.
  • Information Systems and Information Processing and Disposal. The Program Coordinator will coordinate with representatives of the College's Information & Educational Technology Department to assess the risks to nonpublic information associated with the College's information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic information. This evaluation will include assessing the College's current policies and procedures relating to Acceptable Use of the College's network, network security, and document retention and destruction. For audit purposes, certain document retention requirements are governed by the California Community College Chancellor's Office. The Program Coordinator will also coordinate with the College's Information & Educational Technology Department to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
  • Detecting, Preventing and Responding to Attacks. The Program Coordinator will coordinate with the College's Information & Educational Technology Department to evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. In this regard, the Program Coordinator may elect to delegate to a representative of the Information & Educational Technology Department the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by the College.

2. Designing and Implementing Safeguards. The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic information, whether in electronic, paper or other form. The Program Coordinator will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.


3. Overseeing Service Providers. The Program Coordinator shall coordinate with those responsible for the third party service procurement activities in the Purchasing Department and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic information of students and other third parties to which they will have access. In addition, the Program Coordinator will work with the Purchasing Department to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Vice President, Administrative Services. These standards shall apply to all existing and future contracts entered into with such third party service providers, provided that amendments to contracts entered into prior to June 24, 2002 are not required to be effective until May 2004.


4. Adjustments to Program. The Program Coordinator is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the College's operations or other circumstances that may have a material impact on the Program.

Information Security Program: Action Items

Each action item below is followed by its primary area of responsibility.

1. Write/Publish/Implement security regulations
   A. Acceptable Use Rules, Procedures, and Regulations
   B. Electronic Mail Security Disclosures
   C. Equipment & Media Disposal Procedures
   D. Mailing List Purpose and Usage Statement
   E. Personal Computer & Network Security Procedures
   F. Privacy Statement
   Primary Area of Responsibility: See http://infosecurity.mtsac.edu

2. Initial Risk Assessment
   A. Review current policies/practices
   B. Issuing of Keys
   C. Employee ID Cards
   D. Tracking of employees
   E. System Passwords
   F. Network Assessment
   Primary Area of Responsibility: IET, Human Resources, Risk Management, Administrative Services

3. Design Training Program
   A. Confidential Information Training - for those who have access to ICCIS and other confidential records; include information on FERPA
   B. Computer/Network Security Training - include proper equipment and media disposal
   Primary Area of Responsibility: Audit/Technical Task Force, Information Security Work Group, Staff & Organizational Learning

4. Implement Incident Response Team
   Primary Area of Responsibility: IET and Risk Management

5. Governance Structure for Information
   A. Audit/Technical Task Force - meets weekly to discuss risks, review new technologies, conduct ongoing risk assessment, test recovery procedures, and report on audit findings, including recommendations to the Information Security Work Group.
   B. Information Security Work Group - meets as needed to review the information training program and security policies and to recommend new policies if necessary.
   Primary Area of Responsibility:
   5A - IET, Risk Management, Technical staff from across campus
   5B - Faculty Senate, Classified Senate, Staff & Organizational Learning, Risk Management, Technical staff from across campus, IET

[1] Federal Trade Commission's Safeguards Rule, the Gramm-Leach-Bliley Act ("GLBA"), and Senate Bill 1386.