|
Policy |
Information Security Policy |
|
Policy No. |
X3.1 |
|
Issue No. |
3.1.1 |
|
Issue Date |
4/11/06 |
|
Scope |
Global |
|
Effective Date |
4/11/06 |
|
Expiration Date |
N/A |
|
Approved by |
Sinclair Board of Trustees |
|
Title |
|
Sinclair Community College recognizes that all information assets created, collected, used, and maintained by the College in the course of conducting our teaching, learning, and public service mission are subject to varying degrees of concern regarding security and privacy. All information assets and supporting infrastructure provided by the College are the property of Sinclair Community College; however, the College recognizes that intellectual property and copyright laws may supersede College ownership of specific file content. This policy strives to optimally balance the principles of academic freedom and freedom of speech with the precepts of effective information security—confidentiality, integrity, and availability.
Purpose
The purpose of this policy is to formally establish an information security program within the College. Most of Sinclair Community College’s financial, administrative, and student systems are accessible through the campus network. As such, they are vulnerable to security breaches that may compromise sensitive information and expose the College to asset losses and other risks. An information security program is necessary to ensure that the College:
Establishes a college-wide approach to information security, including appropriate security awareness training and education for constituents.
Complies with federal and state statutes and regulations regarding the collection, maintenance, use, and security of information assets.
Establishes and implements prudent, reasonable and effective practices for the protection and security of information assets, including protection of sensitive and confidential information against accidental or deliberate unauthorized disclosure, modification or destruction.
Develops effective mechanisms for responding to real or perceived incidents involving breaches of information security.
This policy establishes a program charged with ensuring the College meets or exceeds its legal and ethical responsibilities for securing its critical and sensitive information assets.
Policy Statement
It is the policy of Sinclair Community College to protect its information assets in accordance with all applicable federal and state statutes and regulations, as well as with effective information security practices and principles generally accepted as ‘due diligence’ within the higher education community.
The College specifically prohibits unauthorized access to, tampering with, deliberately introducing inaccuracies to, or causing loss of Sinclair’s information assets. It also prohibits using information assets to violate any law, commit an intentional breach of confidentiality or privacy, compromise the performance of systems, damage software, physical devices or networks, or otherwise sabotage College information assets.
Sinclair Community College protects its information assets from threats and exploits, whether internal or external, deliberate or accidental. The degree of protection is based on the nature of the resource and its intended use. The College recognizes that no single office, policy, or procedure provides absolute security, therefore, all College employees and other stakeholders share responsibility to minimize risks and to secure the information assets within their control.
A formal information security program, guided by the Chief Information Security Officer (CISO), has been established within the College. Individuals within the information security organizational structure of the program are empowered to research, develop, implement, and disseminate operational policies, procedures, standards, guidelines, and other processes to support effective information security practices.
The vice president of each division shall be responsible for ensuring appropriate and auditable information security controls are practiced within their division. Each division shall appoint an information security officer to partner with the CISO to develop, implement, and maintain appropriate and effective information security practices.
Campus-wide security awareness, training, and education are vital to information security. Therefore, each division shall develop and document methods for ensuring that information security responsibilities regarding to applicable laws, regulations, guidelines and policies is distributed and readily available to stakeholders.
The College shall take appropriate action in response to misuse of College information assets. Any violation of this policy may result in legal action and/or college disciplinary action under applicable College and administrative policies and procedures. Distribution of specific procedures implementing this policy includes, but is not limited to, web pages, email, and printed documentation.
The Chief Information Officer will review the Information Security Program annually and report the result of this review to the President.