Information Security Policy

For the purpose of this policy, information resources refer to:

1. All Goldey-Beacom College owned computer hardware, software, communications equipment, networking equipment, networking and telecommunications protocols, associated storage, and peripherals.
2. All computer hardware, software, communications equipment, networking equipment, associated storage and peripherals that are connected to any Goldey-Beacom College information resource.
3. All computer hardware, software, communications equipment, networking equipment, associated storage and peripherals that store or transmit information that belongs to Goldey-Beacom College.
4. All College-related data, information and intellectual property that may be transmitted over or stored on any Goldey-Beacom College information resource or a personally owned resource connected to the College network.
5. All College-related data, information, intellectual property, and security and/or audit records stored, maintained, or transmitted by third-party services and vendors, who are authorized and approved by the College to store and manage this data.
6. Any paper reports, microfilm, microfiche, books, films or any media containing information, data or intellectual property that is the property of Goldey-Beacom College.

Information Security is the protection of information resources against unintended uses.  This includes, but is not limited to, protection against:

• inappropriate release of data (advertently or inadvertently),
• access of the College’s data without the permission of Goldey-Beacom College,
• illegal or unethical use of Goldey-Beacom College’s data, computing or network resources,
• disruption of computing and network resources at Goldey-Beacom College or by resources of Goldey-Beacom College,
• violations of intellectual property rights of Goldey-Beacom College and members of the Goldey-Beacom community,
• violations of intellectual property rights by members of the Goldey-Beacom community,
• other activities that interfere with the education, research, or service mission of the College.

This policy applies to all Goldey-Beacom students, faculty and staff.  This policy also applies to anyone who has access to or uses any Goldey-Beacom College information resources.  Contractors performing work for Goldey-Beacom College that involves any information resources must also meet the requirements of this policy.

This policy is meant to be consistent with all other College policies.  In the event that state or federal law, regulation or local policy imposes more specific or more stringent requirements than are required by this policy, the law, regulation or policy shall take precedence.

College employees/contractors are granted access to those information resources required to carry out the responsibilities of their position.  It is prohibited for any College employee/contractor to knowingly damage or misuse computing resources or data.

Access capabilities/restrictions apply to all information resources as defined above. Safeguards are taken to ensure the security of the resources and to maximize the integrity of the information.

Access privileges are determined based on the duties and responsibilities of each position. Users with access privileges are assigned an access username. Use of another person’s access username is prohibited.

Users are individuals who access and use College electronic information resources. Without exception, all members of the College community are “users” of Goldey-Beacom’s information resources. Users must:

• become knowledgeable about relevant security requirements and guidelines,
• protect the information resources they have access to or control, such as access passwords, computers, and data,
• adhere to all College information security policies and procedures,
• use Goldey-Beacom information resources in an ethical manner consistent with the College’s mission.

The Chief Information Officer, with the advice and consent of the Vice President for Operations and Planning, shall publish and enforce guidelines for users relating to physical security, logical security, passwords, software and patches, data backup, viruses, remote access and other topics critical to the information security posture of Goldey-Beacom College.

Data and information that are owned by Goldey-Beacom College must be protected to ensure the rights of Goldey-Beacom College, its students, faculty and staff are safeguarded.  These safeguards are required, in some cases, by law, in some cases by college policy, and in some cases by high ethical standards.

This Policy applies to all College information resources, including those used by the College under license or contract. “Information resources” include information in any form and recorded on any media, and all computer and communications equipment and software.

All information covered by this Policy is assigned one of three classifications depending on the level of security required. In decreasing order of sensitivity, these classifications are Confidential, Internal Use Only, and Unrestricted. Information that is either Confidential or Internal Use Only is also considered to be restricted.

Confidential

This classification covers sensitive information about individuals, including information identified in the Staff Personnel Policy Manual and Faculty Policy and Resource Manual, and sensitive information about the College. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. This information must not be downloaded, copied, or transmitted to any information resource which is not controlled/secured by the College. Specific categories of confidential information include information about:

1. 1. Current and former students whose education records are protected under the Family Educational Rights and Privacy Act (FERPA) of 1974, including student academic, disciplinary, and financial records; and prospective students, including information submitted by student applicants to the College.
   2. Current, former, and prospective students’ personal health information regulated by Health Insurance Portability and Accountability Act (HIPAA).
   3. Donors and potential donors.
   4. Current, former, and prospective employees, including employment, pay, benefits data, personal health information regulated by HIPAA, and other personnel information.
   5. Certain College business operations, finances, legal matters, or other operations of a particularly sensitive nature.
   6. Information security data, including but not limited to passwords, access codes, and encryption keys.
   7. Information about security-related incidents.

Internal Use Only

This classification covers information that requires protection against unauthorized disclosure, modification, destruction, and use, but the sensitivity of the information is less than that for confidential information. Examples of Internal Use Only information are internal memos, correspondence, and other documents whose access/distribution is limited as intended by the employee’s position.

Unrestricted

This classification covers information that can be disclosed to any person inside or outside the College. Although security mechanisms are not needed to control disclosure and dissemination, they are still required to protect against unauthorized modification and destruction of information.

Default classification

Information that is not classified explicitly is classified by default as follows: Information falling into one of the Confidentiality categories listed above is treated as Confidential. Other information is treated as Internal Use Only unless it is published (publicly displayed in any medium), in which case it is classified as Unrestricted.

It is a violation of this policy to:

1. Interfere with the normal operation of any Goldey-Beacom College information resource.
2. Use Goldey-Beacom College information resources to interfere with the normal operation of information resources outside of Goldey-Beacom College.
3. Use Goldey-Beacom College information resources to:
   1. Violate local, state, federal or international law.
   2. Cause, encourage or facilitate others in violating local, state, federal or international law.
4. Access or cause another to access any information resource without permission of the Chief Information Officer. The Chief Information Officer will maintain a consistent, documented process for granting access to information resources. Permission is given generally to access publicly accessible webpages.
5. Access or cause another to access intellectual property, copyright protected property or other legally protected property without permission from the property’s owner.
6. Release information resources without the approval of the appropriate office of Goldey-Beacom College.
7. Use any information resource to violate any policy of Goldey-Beacom College.
8. Use any information resource to violate the security policy, acceptable use policy or other operational policies of organizations or institutions outside of Goldey-Beacom College.
9. To promulgate software, data files or other materials that can be reasonably considered as viruses, Trojans or other malware.
10. To use information resources to take part in, encourage or foster the development, exploitation or use of software, data files or other materials that can be reasonably considered viruses, Trojans or other malware.
11. Scan any information resource of Goldey-Beacom College without written approval of the Chief Information Officer.
12. Capture or monitor network transmissions, telecommunications transmissions, or any information resources without written approval of the Chief Information Officer or, in the case of data, written permission of the appropriate College office.
13. Share usernames, passwords, encryption keys, identity cards or other means of access to information resources. Exceptions to this may be requested of the Chief Information Officer but will not generally be granted unless significant resource or operational inefficiency would occur by not granting an exception.
14. Connect or disconnect any device to an information resource without written permission of the Chief Information Officer. General exceptions are given to Information Technology staff who, as part of their normally assigned duties, continually connect and disconnect equipment from information resources. In addition, a general exception is given to connect storage devices to Goldey-Beacom College information resources if:
    1. The person connecting the device is authorized to use the information resource they are connecting to,
    2. The device does not interfere with the normal operation of information resource,
    3. Connecting this device does not otherwise violate this policy.
15. Install or connect to any Goldey-Beacom College information resource any telecommunications equipment or networking equipment without the written permission of the Chief Information Officer. General exceptions are given to Information Technology staff who, as part of their normally assigned duties, install or connect telecommunications and networking equipment.

Goldey-Beacom College reserves the rights to:

1. Examine or monitor any information resource including, but not limited to, equipment, software, computer files, information and data. It is not the policy of the College to routinely examine or monitor these resources. However, the College may choose to do so at any time. The following is a list of situations where the College may invoke this right. This is not intended as an exhaustive list.
   1. It is required by legal authority.
   2. The information resource in question may be in violation of this or other policies of the College.
   3. The Chief Information Officer with the coordination, advice and consent of the Vice President for Operations and Planning deems it necessary for the efficient and effective operation of the College’s information resources.
   4. The Chief Information Officer is directed to do so by the College President.
   5. It is required for Information Technology staff to perform repair or normal operation and maintenance activity.
   6. Reasons determined by a member of the Executive Council of the College.
2. Remove or block access to any information resource at any time on Goldey-Beacom College or elsewhere should the resource:
   1. Be in violation of this or any other policies of the College.
   2. Interfere with the operation of information resources at Goldey-Beacom College or elsewhere.
   3. Be in violation of state or federal law or regulation.
   4. For other reasons as determined and approved by Vice President for Operations and Planning or President.
3. Prohibit or inhibit any information resource that the Chief Information Officer with the advice of Vice President for Operations and Planning determines is:
   1. In violation of this or any policy of the College.
   2. Interfering with the operation of information resources at Goldey-Beacom College or elsewhere.
   3. In violation of state or federal law.
   4. Not in keeping with the high ethical standards of Goldey-Beacom College.
4. Report to local, state or federal authorities’ information resource related activities that appear to violate the law or regulation.

All members of the Goldey-Beacom College community will report violations or suspected violations of this policy to the Chief Information Officer at the following e-mail address: [email protected]. Alternatively, violations or suspected violations may be reported to the Vice President for Operations and Planning. Information Technology staff, who become aware of a potential or suspected violation of this policy through the normal course of their work, are required to inform the Chief Information Officer of the event. The Chief Information Officer with the advice and consent of the Vice President for Operations and Planning may, if appropriate, report violations of this policy to law enforcement.

Anyone found to have violated this policy will be sanctioned using the processes found in existing Goldey-Beacom College policy and employment contracts where applicable.

This policy will be reviewed and updated as needed, at least annually, based on the recommendations of the Office of Information Technology and the Vice President for Operations and Planning.