3.1 Information Security Organization - Roles and Responsibilities

Effective and efficient information security programs require clear direction and commitment from top management and administration.  Information security is an integrated function that requires effective organization and collaboration throughout the College.

3.1.1. Division Vice Presidents

Division Vice Presidents are the offices of primary responsibility for information that is collected or maintained by their respective divisions, or that has been identified as primarily used or “owned” by them.  Vice Presidents may delegate operational management of these responsibilities by designating an Information Security Officer (ISO) within their respective divisions.  Vice Presidents may also designate other responsible party(ies) to work with the ISO to assist in implementing this program.  These designated individuals ensure that information assets within their span of control have designated responsible parties (owners), that risk assessments are carried out for the division, and that mitigation processes based upon those risks take place.  The designated responsible party reports the status of the Information Security Program within the division as appropriate.

3.1.2. Deans, Directors, Chairs, Managers, and other Supervisors

Deans, Directors, Chairs, Managers, and other supervisors responsible for managing employees with access to information and information systems are responsible for specifying, implementing, and enforcing the specific information security controls applicable to their respective areas.  This includes ensuring all employees understand their individual responsibilities related to information security, and ensuring employees have the access required, and only the access required, to perform their jobs.  Supervisors should periodically review all users’ access levels to ensure they are still appropriate, and take appropriate action to correct discrepancies/deficiencies.  Supervisors must proactively notify Human Resources and the IT Help Desk of any change in employment status that impacts access requirements.  Supervisors are also responsible for reporting suspected misuse or other information security incidents to the CISO or other appropriate party.

3.1.3. Chief Information Security Officer (CISO)

The Sinclair Community College Chief Information Security Officer (CISO) is designated as the Program Officer responsible for coordinating and overseeing the Information Security Program.  The CISO must work closely with the various divisions throughout the campus.  The CISO may recommend that Vice-Presidents of specific divisions delegate other representatives of the Institution to oversee and coordinate particular elements of the Program.  The CISO also assists individuals who have the responsibility and authority for information (owners) with information security best practices relating to issues such as: establishing and disseminating enforceable rules regarding access to and acceptable use of information resources; conducting/coordinating information security risk assessment and analysis; establishing reasonable security guidelines and measures to protect data and systems; assisting with monitoring and management of systems security vulnerabilities; conducting/coordinating information security audits; and assisting with investigations/resolution of problems and/or alleged violations of College information security policies.  Questions/issues regarding the information security program or interpretation of this document should be initially directed to the CISO.

3.1.4. Administrative System Information Security Team

The primary repository for information covered by this policy is Sinclair’s Administrative and Student Information System, the (Datatel) Colleague System.  The Administrative System Information Security Team authorizes and/or approves all access to Colleague.  The team is charged with developing and implementing proactive measures to ensure administrative application security controls provide sufficient granularity to allow appropriate access to the information stakeholders require to successfully perform their duties, while meeting the College’s legal and ethical obligations to protect private, sensitive, and critical information.  The team’s primary responsibility is to develop processes and standards to provide optimal availability, integrity, and confidentiality of administrative system information, including processes for: (1) users to request initial access; (2) users to request access changes; (3) documentation of user access authorized, as well as user/supervisor rights and responsibilities; and (4) resolution of security-related conflicts and issues.  Primary/authoritative members of the team include the Division Information Security Officers and the Chief Information Security Officer.  Associate/advisory members of the team are Department Information Security Officers and Administrative Systems Administrators.  Specific responsibilities and procedures are detailed in the College’s Administrative System Security Standards.

3.1.5. Computer Security Incident Response Team (CSIRT)

The Computer Security Incident Response Team is responsible for providing information and assistance to stakeholders in implementing proactive measures to reduce the risks of computer security incidents, and for investigating, responding to, and minimizing damage from such incidents when they occur.  The team is also responsible for determining/recommending required follow-up actions resulting from incidents.  The CSIRT is essentially a two-layer team.  An operational team is charged with initial identification, response, triage, and determining escalation requirements.  A management team is charged with the College response to major or significant incidents.  The operational team consists of the CISO and delegated IT staff members from Information Technology Services and Systems Development and Maintenance.  Primary management team members include the CIO, Chief of Campus Police, Director of Public Information, Director of ITS, Director of Systems Development and Maintenance, CISO, Manager of Systems and Network Administration, a Business Services Advisor, a Legal Advisor, a Human Resources Advisor, and delegates with technical or business expertise specifically appointed by the Vice Presidents of the College.  Associate members of the team include the information “owner” and may also include any stakeholder involved in the specific incident handling or notification process on an as-needed basis.  Specific responsibilities and procedures are detailed in Sinclair’s Computer Security Incident Response Standards.

3.1.6. Information Technology Services (ITS) Department

The ITS Department staff members include systems and network administrators and engineers as well as technical services providers such as the IT Help Desk, User Support Technicians, and Voice communications administrators.  ITS is primarily responsible for integration of technical information security tools, controls, and practices in the network environment, and is also often the end users’ initial contact for reporting suspected information security failures or incidents.  ITS staff must follow information security best practices for managing infrastructure and services.

3.1.7. Systems Development & Maintenance (SDM)

The Systems Development & Maintenance staff members include developers and database administrators who know and understand the technical and operational intricacies of the College information systems.  SDM is primarily responsible for developing, practicing, integrating, and implementing security best practices for the College’s applications, such as the administrative system and Web systems/applications.  It is also responsible for training (Web) application developers in applying application security principles, so that existing and new applications are made more secure.

3.1.8. Employees with Access to information

Employees with access to information and information systems must abide by applicable College policies and procedures, as well as any additional practices or procedures established by their unit heads or directors.  Employees must use and safeguard covered information as governed by the regulations and the duties and responsibilities of their position.  This responsibility includes protection of their account password and any other protection the account has, as well as reporting suspected misuse or information security incidents to the appropriate party (usually their supervisor).

3.1.9. Temporary staff, consultants, service providers

Temporary staff members (including student workers) are considered employees and have the same responsibilities as regular full- or part-time employees with access to information and information systems.  Supervisors of temporary employees have the responsibilities outlined in paragraph 2 of this section.

Consultants, service providers, and other contracted third parties will be granted access to information on a ‘need to know’ basis.  If a third party requires a network account, a Sinclair employee must ‘sponsor’ the third party by submitting a written request signed by the third party requestor and the sponsor, and approved by the appropriate vice-president, dean, or director.  It is the sponsor’s responsibility to ensure the third party user understands the individual responsibilities related to the network account.  The user is responsible for the security of his/her password(s) and accountable for any activity resulting from the use of his/her user ID(s) within reasonable scope of his/her control.  Third party network accounts will be active for a maximum of one year.  If account access is no longer required before a year’s time has elapsed, it is the sponsor’s responsibility to notify ITS to cancel the network account.  If the account is needed for more than one year, it is the sponsor’s responsibility to renew the account prior to the expiration date by submitting an updated (written) request.

Third parties shall implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentiality, integrity, and availability of all electronically managed information.  Upon termination of services, third parties will also return all information or certify destruction of information according to the agreement and/or specific terms of the contract.  Third party providers are also responsible for protection of the account and password(s) and any other protection the account has, as well as reporting suspected misuse or information security incidents to the appropriate party.  In the event of an information security incident caused by a third party provider, the third party may be held liable for legal repercussions and expenses related to recovery/disclosure activities.

3.1.10. Students, community members

Students and community members are primarily responsible for the integrity of their own information and for reporting discrepancies to the appropriate office.  All students and community members who are granted IT accounts must comply with Sinclair’s Acceptable Use of Information Technology Policy.  This includes being responsible for all activity conducted via their College IT accounts within reasonable control, including protection of their passwords and any other protection the accounts have, as well as reporting suspected misuse or information security incidents.