First Draft 6/1/2011

Maricopa County Community College District

Information Security Program

And Standards 2011-2013

Table of Contents

Executive Summary
Introduction
MCCCD Vision
MCCCD Mission
MCCCD Values
Purpose of the Document
Scope of the Program
Program Authority
Governance
Representatives and Responsibilities
Program Review
Disputes or Disagreements with Requirements of the Program
Major Components to the Information Security Program
Operational Controls
Staffing
User Administration
User Support
Contractor Access
Public Access
Resources
Continuity Strategies
Change Control
Incident Handling
Security Awareness
Training
Education
Physical Access
Environmental Considerations
Mobility
Technical Controls
Identity and Authentication
Access Controls
Auditing
Tracking
Cryptography
Management Controls
Regulation
Business Need
Cost
Risk Management
System Life Cycle
Strategic Planning
Program Strategy
Information Security Standards
Data
Login
Password
Network
Electronic Communications
Physical Access
Business Continuity
Appendix A – Security Standards Currently Documented
Explanation
Standards Documents
Appendix B – Regulatory and Business Requirements
Data Privacy
Data Security
Data Retention
Data Accessibility
Appendix C – Key Program Personnel
Appendix D – Program Revision History

Executive Summary

The world has changed dramatically over the past several years, with profound implications for our society and for MCCCD. The range of issues that affect information security continues to evolve: new technologies proliferate and their effects must be assessed, and cyber threats are accelerating and growing more sophisticated. A security strategy that can meet these challenges is necessary to safeguard MCCCD’s assets.

To ensure that the information, systems and technical infrastructure of MCCCD are secured effectively, an overall MCCCD Information Security Program has been developed. A strong security posture is achieved through the application of proper controls, the clear assignment of responsibilities and the maintenance of a secure infrastructure. Proper, ongoing training and awareness for all MCCCD personnel is also essential.

There are three core principles of information security:

1.  Confidentiality – Information must be disclosed only to those authorized to see it.

2.  Integrity – Data must not be altered without authorization, whether maliciously or accidentally.

3.  Availability – Information must be available to those authorized to use it, when they need it.

Information security is not solely a technology issue. It is a management issue that requires leadership, accountability, due diligence, expertise, risk management, commitment and cooperation. MCCCD’s systems are highly integrated, which provides operational efficiencies, makes information easier to share and enhances services; it also means that the security measures one unit in MCCCD does or does not employ directly affect the security of all of MCCCD.

Each person at MCCCD is responsible and accountable for the proper handling of the information entrusted to them, including its confidentiality, integrity and availability. The public expects that information provided to MCCCD will be managed appropriately, with due care and diligence, in accordance with all applicable laws, rules, policies and regulations. Any compromise or unauthorized access can lead to a breach of information and may jeopardize the health, safety or welfare of others.

Information security should be integrated at the very beginning of any project or new process, never treated as an ad hoc addition or an inconvenience. Adding it after a project is complete, or after an incident has occurred, is both less effective and more time consuming.

Remember, information security is everyone’s responsibility at MCCCD.

Introduction

We are the Maricopa Community Colleges. We are 10 colleges, 2 skill centers and numerous education centers, all dedicated to educational excellence and to meeting the needs of businesses and the citizens of Maricopa County. Each college is individually accredited, yet part of a larger system - the Maricopa County Community College District, which is one of the largest providers of higher education in the United States.

We offer approximately 1,000 occupational programs (degrees and certificates), 37 academic associate degrees and a total of 10,254 courses. We are the largest provider of health care workers and job training in Arizona, making us a major resource for business and industry and the place to be if you are seeking education and job training.

MCCCD Vision

A Community of Colleges…Colleges for the Community

… working collectively and responsibly to meet the life-long learning needs of our diverse students and communities.

MCCCD Mission

The Maricopa Community Colleges provide access to higher education for diverse students and communities. We focus on learning through:

• University Transfer Education

• General Education

• Developmental Education

• Workforce Development

• Student Development Services

• Continuing Education

• Community Education

• Civic Responsibility

• Global Engagement

MCCCD Values

The Maricopa Community Colleges are committed to:

Community - We value all people – our students, our employees, their families, and the communities in which they live and work. We value our global community of which we are an integral part.

Excellence - We value excellence and encourage our internal and external communities to strive for their academic, professional and personal best.

Honesty and Integrity - We value academic and personal honesty and integrity and believe these elements are essential in our learning environment. We strive to treat each other with respect, civility and fairness.

Inclusiveness - We value inclusiveness and respect for one another. We believe that team work is critical, that each team member is important and we depend on each other to accomplish our mission.

Innovation - We value and embrace an innovative and risk-taking approach so that we remain at the forefront of global educational excellence.

Learning - We value lifelong learning opportunities that respond to the needs of our communities and are accessible, affordable, and of the highest quality. We encourage dialogue and the freedom to have an open exchange of ideas for the common good.

Responsibility - We value responsibility and believe that we are each accountable for our personal and professional actions. We are responsible for making our learning experiences significant and meaningful.

Stewardship - We value stewardship and honor the trust placed in us by the community. We are accountable to our communities for the efficient and effective use of resources as we prepare our students for their role as productive world citizens.

Purpose of the Document

In recent years, many pieces of legislation have been passed that impose requirements on institutions to protect private information. Among them are the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Higher Education Opportunity Act (HEOA), and others. These laws are meant to protect private information by requiring institutions to adopt, implement, operate, manage and enforce proper safeguards and controls.

MCCCD has 10 colleges, 2 skill centers and numerous education centers. This provides the flexibility to meet the unique and diverse needs of teaching and learning, but it presents a challenge when information security safeguards must be applied consistently and effectively across the institution. This document provides a basis for coordinating collaboration across the district and for clearly communicating why it is needed. It presents tangible and relevant information and outlines resources in a practical manner, giving all MCCCD stakeholders the knowledge and capabilities to ensure our private information is protected.

This document operationalizes the Information Security Program and defines its scope.

Scope of the Program

Safeguarding private information, and securing the systems that store and process it, is the responsibility of every MCCCD employee. We must maintain confidentiality, protect against inside and outside threats, identify risks and prevent unauthorized access in order to preserve information integrity and prevent harm to individuals or to the institution.

Program Authority

MCCCD’s Vice Chancellor of Information Technology Services/Chief Information Officer (CIO) is the designated Program Officer, responsible for the executive oversight of the Information Security Program. The Program Officer is responsible for strategic leadership and the information technology functions which store and process private information.

Governance

The Information Security Program incorporates the Information and Instructional Technology Governance Model.

Representatives and Responsibilities

The MCCCD Information Security Officer (ISO) is the focal point for implementation of MCCCD’s Information Security Program. The ISO reports directly to the CIO in matters regarding security issues, and provides for the planning, creation, coordination and routine oversight of the program.

MCCCD’s Legal Counsel provides guidance as necessary in legal matters to help ensure that the plan and the actions taken comply with legislative requirements.

The MCCCD Director of Security coordinates the efforts to ensure proper and sufficient physical safeguards are in place, and may be called upon to coordinate activities of law enforcement, if necessary, in the event of a major security incident where assistance is needed.

Each college and district division will appoint a primary point of contact, and an alternate, for information security activities and issues. The point of contact will act as liaison and coordinate any efforts needed within their college or division, working under the direction of the ISO or designee.

The MCCCD Internal Audit department, or external agency or service as needed, will provide assessment services for colleges and divisions, to ensure compliance with regulations and conformance with information security best practices. Objectivity, impartiality and uniformity are necessary to maintain the integrity of the program and to protect private information.

Program Review

The Information Security Program will be reviewed annually, at a minimum. The ISO will convene a team to evaluate the program and document to determine possible changes which will better align the program with recent changes in regulatory requirements, advances in technology or improvements to best practices. Any proposed changes to the program will be submitted to the CIO for approval.

Disputes or Disagreements with Requirements of the Program

Any disputes or disagreements with requirements outlined in the Information Security Program must be submitted to the ISO in writing. The submittal shall include the person’s name, organization and a clear description of what is in dispute and the reason for the dispute. A meeting may be requested by either party to further investigate details. The ISO is responsible for researching and responding to the submitter in a reasonable timeframe. If the response is unsatisfactory to the submitter, they may request that the matter be escalated to the CIO for final decision. Note: because of the nature of information security, and to protect the privacy of such information, cases may exist where specific information or details may not be shared in the discussions or response.

Major Components to the Information Security Program

In support of the efforts to ensure information privacy, protection of MCCCD assets, and compliance with laws and regulations, the program is modeled after National Institute of Standards and Technology (NIST) guidance (which groups security controls into the same management, operational and technical classes used here, as in NIST Special Publications 800-12 and 800-53), global standards and best practices.

There are three major components to the program: operational controls, technical controls, and management controls. Each is heavily dependent on the proper functioning and reliability of the others to ensure alignment and effective execution of the program.

Operational Controls

These are controls that are implemented and executed primarily by people rather than by systems. They improve the security of an individual system or group of systems and must adhere to all applicable security policies.

Staffing

Proper operational controls for staffing require MCCCD to define the requirements of a job, determine the sensitivity of the position, screen and fill the position, and ensure proper training. When this is done properly, both MCCCD and the individual staff member know what information the staff member has access to and which regulations and policies apply to that information.

User Administration

User administration covers the entire life cycle of a user account: account creation, account management (identification, authentication and access authorizations), auditing (periodic verification that each account and its access are still needed and appropriate) and timely modification or removal of access when a person’s role changes or ends.

User Support

User support means providing ongoing assistance and training. It also includes being able to recognize problems that may be security related, such as degraded system performance caused by a possible breach. Such problems must be communicated to the staff who can carry out the necessary response.

Contractor Access

Operational controls on contractor access mean providing contractors and consultants the support they need while recognizing that their need for access is typically of shorter duration. Access granted to contractors should be tied to the contract term and closely monitored so that their rights to information are promptly removed upon contract completion.
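To make the life-cycle checks described under User Administration and Contractor Access concrete, the following is an added example; it is not part of this program document and is not tied to any MCCCD system or directory product. It assumes an export of account records as Python dictionaries with the fields shown, and the sample records, the 90-day review interval and the 60-day dormancy threshold are all constructed values for illustration, not MCCCD standards.

```python
"""Account life-cycle audit: flag enabled accounts that should have been
reviewed, modified or removed. Added example with constructed sample data."""
from datetime import date, timedelta

# Assumed thresholds for the example, not MCCCD policy values.
REVIEW_INTERVAL = timedelta(days=90)   # access must be re-verified this often
DORMANT_AFTER = timedelta(days=60)     # unused for longer than this is dormant


def audit_accounts(accounts, today):
    """Return a sorted list of (username, finding) pairs for enabled accounts.

    Each account is a dict with keys: username, type ('employee' or
    'contractor'), enabled (bool), and optional date fields contract_end,
    last_review and last_login (None when never set).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account no longer grants access
        name = acct["username"]

        # Contractor access must be bounded by the contract term and removed
        # promptly when the contract ends.
        if acct["type"] == "contractor":
            end = acct.get("contract_end")
            if end is None:
                findings.append((name, "contractor account has no contract end date"))
            elif end < today:
                findings.append((name, "contract ended but account still enabled"))

        # Periodic verification: access authorizations not reviewed within
        # the interval (or never reviewed) are overdue.
        last_review = acct.get("last_review")
        if last_review is None or today - last_review > REVIEW_INTERVAL:
            findings.append((name, "access authorizations overdue for review"))

        # Dormant accounts are a sign the access is no longer needed.
        last_login = acct.get("last_login")
        if last_login is None or today - last_login > DORMANT_AFTER:
            findings.append((name, "dormant: no login within dormancy threshold"))
    return sorted(findings)


# Constructed sample export (hypothetical usernames and dates).
AUDIT_DATE = date(2011, 6, 1)
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "type": "employee", "enabled": True,
     "last_review": date(2011, 5, 1), "last_login": date(2011, 5, 30)},
    {"username": "acme-svc", "type": "contractor", "enabled": True,
     "contract_end": date(2011, 4, 30), "last_review": date(2011, 3, 1),
     "last_login": date(2011, 5, 25)},
    {"username": "bsmith", "type": "employee", "enabled": True,
     "last_review": None, "last_login": date(2011, 2, 15)},
    {"username": "old-contractor", "type": "contractor", "enabled": False,
     "contract_end": date(2010, 12, 31), "last_review": None, "last_login": None},
    {"username": "newcontractor", "type": "contractor", "enabled": True,
     "contract_end": None, "last_review": date(2011, 5, 20),
     "last_login": date(2011, 5, 31)},
]


def run_sample():
    """Audit the constructed sample as of AUDIT_DATE."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{username}: {finding}")
```

Run against the sample, the audit reports the contractor whose contract expired a month earlier but whose account is still enabled (and whose access was last reviewed 92 days ago), the employee account that has never been reviewed and has not logged in since February, and the contractor account issued without a contract end date; the disabled contractor account and the recently reviewed, active employee produce no findings. In practice the record list would come from the directory or identity system, and the findings would feed the removal step of the account life cycle rather than just a report.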

Public Access

When systems are open to public access (e.g. web servers), greater precautions and monitoring may be necessary because of the increased exposure to external threats. Not only should access to the system be scrutinized, but care must be taken with what information is stored on the system as well.

Resources

Resource planning identifies the business function, the resources needed to perform that function and the duration of the need. MCCCD ITS does not have unlimited resources, and care must be taken that the demand for resources does not overwhelm the supply.

Continuity Strategies

Continuity strategies address how to keep critical functions operational in the event of a disruption, whether system-wide or local. As MCCCD’s systems evolve they are becoming more integrated and therefore more interdependent, so the loss of a single system can reduce the functionality of several others. Effective continuity strategies minimize the impact of system outages.

Change Control

Change control ensures that changes to a system are controlled and coordinated, minimizing the risk of service disruption from a faulty change. Effective change control reduces unexpected downtime and aids in diagnosing issues: one of the first questions asked when a service is disrupted is “What changed?”, and a good change record makes that answer fast and efficient to find.