Information Security Plan


Approved by: Dr. Kimberley McCormick

Original Date Effective: 2019-09-03

Last Modified: 2023-06-08


PURPOSE

This program aims to ensure the security, confidentiality, integrity, and availability of data resources.

Internal controls provide a system of checks and balances intended to identify irregularities, prevent waste, fraud and abuse, and assist in resolving discrepancies accidentally introduced in business operations. When consistently applied throughout the College, these policies and procedures ensure that the information assets are protected from various threats to ensure business continuity.

This program reflects Jackson State Community College’s (JSCC) commitment to stewardship of sensitive personal information and critical business information in acknowledgment of the many threats to information security and the importance of protecting the privacy of College constituents, safeguarding vital business information, and fulfilling legal obligations. This program will be reviewed and updated at least once a year or when the environment changes.

This program applies to the entire Jackson State community, including students, faculty, staff, alumni, temporary workers, contractors, volunteers, and guests with access to JSCC information assets. Such assets include but are not limited to data, images, text, and software, whether stored on hardware, paper, or other storage media.

COMMITTEE MEMBERS

The Director of Information Technology is the Information Security Program Coordinator and responsible for implementing controls and training to secure the institution and data from a breach.

The Compliance Officer is responsible for making sure the following is completed yearly:

  • Security training
  • IT risk assessment
  • CIRP tabletop exercise
  • Penetration test and follow-up work completed
  • IT policies are reviewed yearly

The Information Protection Committee (IPC) oversees the Information Security Program, which incorporates the requirements of the Gramm-Leach-Bliley Act. Each committee member has a stake in securing the institution’s information assets and sensitive data. This committee is responsible for creating and updating the information security program and any policies or guidelines relating to securing information.

The committee consists of the positions below:

  • Director, Information Technology (Chair)
  • Compliance Officer
  • Internal Auditor (non-voting member)
  • Director, Business Services
  • Director, Curriculum and Adjunct Services
  • Director, Financial Aid
  • Director, Records & Admissions
  • System Administrator, Information Technology
  • System Analysts, Information Technology
  • Manager, Business Services
  • Technology Services Manager, Information Technology
  • Vice President, Student Services
  • ERP Manager/DBA, Information Technology
  • Coordinator, Human Resources

DEFINITIONS

Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements.

Availability – “Ensuring timely and reliable access to and use of information…”

A loss of availability is the disruption of access to or use of information or an information system.

Confidentiality – “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”

A loss of confidentiality is the unauthorized disclosure of information.

Confidential Data or PII – Generalized term that typically represents data classified as confidential, according to the data classification scheme defined in this document. This term is often used interchangeably with sensitive data.

Control Activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out.

Data Owner – An administrator of an institution office or division, or their designee, who may make data within their charge available to others for the use and support of the office or division’s functions, is responsible for the accuracy and completeness of data files in their areas, and ensures that protection requirements are met before granting access to the data.

Domain-based Message Authentication, Reporting and Conformance (DMARC) – An email authentication protocol designed to give email domain owners the ability to protect a domain from unauthorized use (spoofing).

Encryption – The process of converting information so that it is unreadable except by someone who is able to decrypt it.

Information Assets – Equipment or definable pieces of information in any form, recorded or stored on any media, recognized as “valuable” to the College.

Information Security Program – Security program as dictated by the Gramm-Leach-Bliley Act.

Institutional Data – All data owned or licensed by the College.

Integrity – “Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity…”

A loss of integrity is the unauthorized modification or destruction of information.

IPS (Intrusion Prevention System) – A device (or application) that identifies malicious activity, logs information about that activity, attempts to block or stop it, and reports it.

Mobile Device – Includes any portable device capable of collecting, storing, transmitting, or processing electronic data or images.

Multifactor Authentication (MFA) – a layered approach to securing data and applications where a user must present a combination of two or more credentials to verify their identity to authenticate into the resource.

Non-public information – Any information classified as Internal/Private Information according to the data classification scheme defined in the Data Classification and Handling Policy.

Security Incident – Any occurrence that involves the security of Information Assets or Institutional Data.

Sensitive Data – Generalized term that typically represents data classified as Confidential according to the data classification scheme defined in the Data Classification and Handling Policy.

VPN (Virtual Private Network) – A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to the College’s network. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

COLLEGE POLICY STATEMENT

This policy defines expectations and processes for an effective and comprehensive information security program protecting institutional information assets and sensitive data.

Each department will protect College resources by adopting and implementing, at a minimum, these security standards and procedures. Departments are encouraged to adopt standards that exceed the minimum requirements for protecting College resources controlled exclusively within the Department.

Individuals within the scope of this policy are responsible for complying with this policy and the Department’s policy, if one exists, to ensure the security of the College’s resources.

ENFORCEMENT

All individuals accessing Institutional data are required to comply with federal and state laws and with College and TBR policies and procedures regarding the security of highly sensitive data. Any College employee, student, or non-college individual with access to College data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this program and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

INFORMATION SECURITY PROGRAM

Through this document and associated policies, Jackson State Community College has established, documented, and implemented a program designed to improve the effectiveness of Information Technology operations. This program has been implemented to ensure the confidentiality and integrity of College information while maintaining appropriate levels of accessibility and security.

To ensure the security and confidentiality of sensitive information and to protect against any anticipated threats or hazards to the security or integrity of data, the College has put in place all reasonable technological means (i.e., security software, hardware) to keep information and facilities secure.

CONTROL ACTIVITIES

Control activities are the policies, procedures, Cyber Incident Response Plan (CIRP) techniques, and mechanisms that help ensure that management's response to reduce risk is carried out. In other words, control activities are actions taken to minimize risk. Control activities occur throughout the College, at all levels and functions. They include activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, risk assessments, security of assets, and segregation of duties.

To assist with mitigating a cyber incident such as a data breach, ransomware, phishing, etc., JSCC will review and test its Cyber Incident Response Plan annually.

CONTROL ENVIRONMENT

As established by the College’s administration, the control environment sets the College’s tone and influences its people’s control consciousness. Leaders of each department, area, or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure.

Managers and employees must have personal and professional integrity, maintain the competence that allows them to accomplish their assigned duties, and understand the importance of developing and implementing good internal controls.

This requires managers and their staff to maintain and demonstrate at all times:

  • Personal and professional integrity and ethical values
  • A level of skill necessary to help ensure effective performance
  • An understanding of information security and internal controls sufficient to effectively complete their responsibilities

Managers and supervisors are also responsible for ensuring their employees know the relevance and importance of their activities and how they contribute to achieving the controlled environment.

ESTABLISHED POLICY CONTROLS

The Institutional computing resources support the College’s educational, instructional, and administrative activities. Using these resources is a privilege extended to members of the College community. Any employee using the College network for any reason must adhere to the following strict policies regarding its use.

  • IT Acceptable Use Policy
  • Email Acceptable Use Policy
  • Personally Identifiable Data (PII) Policy
  • Access Control Policy
  • Information Technology Resource Policy
  • Data Classification and Handling Policy
  • Mobile Device Policy
  • Wireless Network Policy
  • Downtime Policy
  • Enterprise Information System Updates Policy
  • Credit Card Security Policy
  • Technology Purchases Policy

Employees are entrusted with the safety and security of the College’s information assets.

Any person or organization within the College’s community who uses or provides information resources is responsible for maintaining and safeguarding these assets. Each individual student, staff, and faculty member at Jackson State Community College is expected to use these shared resources with consideration for others.

Individuals are also expected to be informed and responsible for protecting their information resources in any environment, shared or stand-alone. It is unacceptable for anyone to use information resources to violate any law or College policy or perform unethical academic or business acts.

TRAINING

The Institution recognizes that one of the most severe threats to information security, confidentiality, and integrity is errors made by employees unfamiliar with proper procedures for handling such information. Yearly training will be offered in a live, online, or recorded format with content designed for end users to understand data information security at all levels.

As part of the yearly training, employees must review and agree to abide by each of the IT policies above.

INFORMATION CLASSIFICATION

Information classification is required to determine information assets’ relative sensitivity and criticality, which provide the basis for protection efforts and access control. The Data Classification and Handling Policy establishes a baseline derived from federal laws, state laws, regulations, and College policies that govern the privacy and confidentiality of data.

The Data Classification and Handling Policy applies to all data (e.g., student, financial, academic, and employee) collected in electronic or hard copy form generated, maintained, and entrusted to the Institution except where a different standard is required by grant, contract, or law.

All institutional data must be classified into one of three sensitivity levels or classifications that the College has identified: Confidential, Internal/Private, and Public. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive, and tighter controls are required.

All College data must be reviewed periodically and classified according to its use, sensitivity, and importance to the College and in compliance with federal and/or state laws.

TIER 1: CONFIDENTIAL

Confidential information is information whose unauthorized disclosure, compromise, or destruction would severely damage the College, its students, or its employees (e.g., social security numbers, dates of birth, medical records, credit card, official student grades, financial aid data, or bank account information). Tier 1 data is intended solely for use within the College and is limited to those with a “business need to know.”

TIER 2: INTERNAL/ PRIVATE

Internal use information must be guarded due to proprietary, ethical, or privacy considerations. Although not explicitly protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of the information at this level could cause financial loss, damage to Jackson State’s reputation, or violate an individual’s privacy rights (e.g., unofficial student records, employment history, and alumni biographical information). Internal use information is intended for use by College employees, contractors, and vendors covered by a non-disclosure agreement.

TIER 3: PUBLIC

This information is not necessarily publicly disseminated but is accessible to the general public. These data values are either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on and off campus (e.g., an employee’s work email address or student directory information), or not explicitly classified elsewhere in the protected data classification standard. Knowledge of this information does not expose Jackson State to financial or reputational loss or jeopardize the security of College assets. Publicly available data may still be subject to appropriate review or disclosure procedures to mitigate the potential risk of inappropriate disclosure and to organize it according to its risk of loss or harm from disclosure.

IDENTITY & ACCESS MANAGEMENT

Identity and access management ensures accurate identification of authorized College members and provides secure authenticated access to and use of network-based services. Identity and access management is based on a set of principles and control objectives to:

  • Ensure unique identification of members of the College and assignment of access privileges
  • Allow access to information resources only by authorized individuals
  • Ensure periodic review of membership and of members’ authorized access rights
  • Maintain effective access mechanisms through evolving technologies

Access Control refers to controlling access to systems, networks, and information based on business and security requirements. The objective is to prevent unauthorized disclosure of Jackson State’s information assets. College access control measures include secure and accountable means of identification, authentication, and authorization.

IDENTIFICATION

Identification is the process of uniquely naming or assigning an identifier to every individual or system to enable decisions about the levels of access that should be given. The key feature of an identification process is that each user of the College, and any other entity about which access decisions need to be made, is uniquely identifiable from all other users. JSCC uses a third-party ID created when an individual is entered into our ERP system.

AUTHENTICATION

The authentication process determines whether someone or something is who or what it is declared to be. Authentication validates the identity of the person. Password authentication is an essential aspect of computer security. A poorly chosen password by itself could result in the compromise of Jackson State’s entire network. Adhering to secure password procedures will help reduce the compromise of user accounts on the College’s systems. As such, all users (including students, faculty, staff, guests, contractors, and vendors) are responsible for selecting and securing their passwords.

Multifactor authentication is another frontline defense for securing an account by asking the user to provide two or more pieces of evidence to authenticate. JSCC uses MFA for all public-facing systems.

AUTHORIZATION

Authorization is the process used to grant permissions to authenticated users. Authorization grants the user, through technology or process, the right to use the information assets and determines what type of access is allowed (read-only, create, delete, and/or modify).

  • The Data Owner must establish criteria for account eligibility, creation, maintenance, and expiration.
  • Data Owners must periodically review user privileges and modify, remove, or inactivate accounts when access is no longer required.
  • Procedures must be documented for the timely revocation of access privileges and return of institutionally owned materials (e.g., keys) for terminated employees and contractors.

REMOTE ACCESS

Remote access to information technology resources (switches, routers, computers, etc.) and to sensitive or confidential information (social security numbers, financial aid information, campus IDs, bank account numbers, etc.) is only permitted through secure, authenticated, and centrally managed access methods. Systems that contain sensitive student, personnel, and financial data will have limited off-campus availability. If access is permitted, the user must connect through a centrally managed VPN that provides encryption and secure authentication. Laptops owned by the institution will be encrypted before they are given to the user.

It should also be understood that when accessing sensitive data from off campus, storing SSNs, campus IDs, or other sensitive data on local hard drives, floppy disks, or other portable media (including laptops, smartphones, iPads, flash drives, etc.) is prohibited.

External computers used to administer College resources or access sensitive information must be secured. This includes patching (operating systems and applications), running updated anti-virus software, and being configured in accordance with all relevant College policies and procedures.

COMMUNICATION AND OPERATIONS MANAGEMENT

System communications protection refers to the critical elements used to ensure data and systems are available and exhibit the confidentiality and integrity expected by owners and users to conduct their business. The appropriate level of security applied to the information and systems is based on the classification and criticality of the information and the business processes that use it. System integrity controls must protect data against improper alteration or destruction during storage, processing, and transmission over electronic communication networks.

The critical elements of system and communications protection are backup protection, denial of service protection, boundary protection, use of validated cryptography (encryption), public access protection, and protection from malicious code.

Operations management includes implementing appropriate controls and protections on hardware, software, and resources; maintaining appropriate auditing and monitoring; and evaluating system threats and vulnerabilities.

Proper operations management safeguards the College’s computing resources from loss or compromise, including primary storage, storage media (e.g., external disks, etc.), communications software and hardware, processing equipment, standalone computers, and printers.

NETWORK SECURITY

Network attacks launched from the Internet or from College networks can cause significant damage and harm to information resources, including the unauthorized disclosure of confidential information. To provide defensive measures against these attacks, firewall and network filtering technology must be structured and consistent.

Jackson State maintains appropriate configuration standards and network security controls to safeguard information resources from internal and external network-mediated threats. Firewalls and Intrusion Prevention Systems (IPS) are deployed at the campus to prevent denial of service attacks, malicious code, or other traffic that threatens systems within the network.

Microsoft A5 licensing has been implemented, which provides security features such as:

  • Conditional Access policies for MFA configuration.
  • Information Protection, which allows JSCC to discover, classify, label, and protect sensitive documents and emails.
  • Office 365 Rights Management, which allows for the encryption of files and emails.
  • Microsoft Defender ATP, which provides advanced threat protection for endpoints using EDR and other alert settings and provides identity protection for end users.
  • Microsoft Purview Data Loss Prevention – policies are applied to email and files (SharePoint, OneDrive, and Teams) that alert when sensitive data is used and shared.
  • Intune – requires the device to be enrolled in Mobile Device Management and configures devices based on policy.
    • Sets a baseline security profile for EDR and workstation auditing, requires a password on wake, disables SMB v1, and sets an inactivity lock.
    • Sets BitLocker settings for fixed and removable media drives (office machines only) for 256-bit encryption.
    • Windows Update for Business applied using update rings for classrooms, offices, and laptops.

Barracuda Premium Plus for email protection has been implemented, which includes:

  • Spam and malware protection – identifies and blocks spam, viruses, and malware delivered via email messages.
  • Attachment protection – uses behavioral, heuristic, and sandboxing technologies to protect against zero-hour and targeted attacks.
  • Web link protection (links inside email messages) – automatically rewrites URLs so Barracuda can sandbox the link click and block any malicious links.
  • Phishing and Impersonation Protection (blocks impersonation of actual users) – automatically detects and prevents impersonation, business email compromise, and other targeted attacks by recognizing anomalies within the organization’s communication patterns.
  • Account Takeover Protection (allows block settings for compromised accounts) – stops phishing attacks used to harvest credentials for account takeover by detecting anomalous email behavior and alerting IT.
  • Domain Fraud Protection (protection of the jscc.edu domain) – prevents email domain fraud with DMARC reporting and analysis.
  • Web Security – protects users from accessing malicious web content with advanced DNS and URL filtering.
  • Data Loss Prevention – creates and enforces content policies by blocking outbound sensitive data, including SSNs, credit card numbers, etc.
  • Automatic Remediation – all user-reported messages are automatically scanned for malicious URLs or attachments. When a threat is detected, all matching emails are automatically moved from users’ mailboxes and placed in their junk folders.
  • Threat Hunting and Response – quickly identifies and efficiently remediates post-delivery threats by automating investigative workflows and enabling direct removal of malicious emails.
  • Cloud to Cloud Backup – every night, Microsoft 365 backup for email, OneDrive, SharePoint, and Teams.

SECURITY MONITORING

Security Monitoring provides a means to confirm that information resource security controls are in place, effective, and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. Early detection and monitoring can prevent possible attacks or minimize their impact on computer systems.

Any equipment attached to Jackson State’s network is subject to security vulnerability scans. The scans aim to reduce the vulnerability of College computers and the network to hacking, denial of service, infection, and other security risks from inside and outside the College. Information Technology scans College servers using a mixture of commercial and open-source software to monitor and assess the network’s security.

Information Technology also coordinates the vulnerability scans for departments required to use this service to meet the Payment Card Industry Data Security Standard (PCI DSS) for credit card processing. Suitably strong encryption measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage.

JSCC has engaged a third-party vendor to monitor JSCC network activity. ArmorPoint monitors workstations, servers, and network devices such as firewalls and switches. ArmorPoint provides:

  • A unified security environment that automatically detects threats across devices, platforms, applications, and locations.
  • Detection of changes to file, software, or registry information.
  • Automation for event alerts, performance reports, and compliance reports. For instance, the SIEM can detect who logs into the firewall and what changes were made and send an alert notification.
  • Internal and external vulnerability scanning on a monthly basis.
  • Alerts on application control blocks, antivirus alerts, and alerts from the firewall.
  • Advanced logging.
  • Alerts for off-hours or geographic-location anomalies in Azure AD.
  • XDR (extended detection and response): Cybereason for Windows and Mac, and CrowdStrike for Linux.
  • A managed SOC to detect malicious and suspicious activity across endpoints, network, and cloud services.

JSCC has also implemented ManageEngine ADAudit Plus, which provides the following:

  • Real-time change monitoring and alerting for who performed what change, when, and from where in our Windows environment.
  • Windows logon monitoring that continuously tracks user logon activity and audits all user activity, from logon failures and logon hours to other logon history information.
  • Account lockout analysis, sending alerts about locked-out accounts or authentication failures.
  • Tracking of changes and sign-ins in Azure AD.
  • Auditing of privilege use to hold admins and other privileged users accountable for their actions.
  • Logging of password policy changes.
  • Tracking of DNS server zone changes.

TRANSMISSION

To protect the confidentiality and integrity of the College’s sensitive data, any data classified as Level 1, Confidential data, and having a required need for confidentiality and/or integrity shall only be transmitted via encrypted communication to ensure that it does not traverse the network in clear text. It is recommended that data classified as Level 2, Internal/Private, be transmitted via encrypted communications when possible.

STORAGE

Encryption of information in storage presents risks to the availability of that information due to the possibility of encryption key loss. Desktops and portable devices, such as laptops, flash drives (USB drives), and external drives, must nevertheless be encrypted to protect the confidentiality and integrity of the College’s data. It is recommended that individuals with access to Tier 1 (Confidential) data never download it to a personal computer or flash drive, but instead use a network-shared drive.

DISPOSAL

All records should be disposed of according to the TBR Guideline G-070 Disposal of Records - RDA 2161. When data is stored on computer resources, at the time of disposal, all the devices, such as hard drives, tape, etc., should be wiped so that data cannot be recovered from the device.

MOBILE DEVICES

Personal and JSCC-owned mobile devices that connect to the Institutional network and have potential access to Institutional data must abide by the JSCC Mobile Device Policy.

HARD COPY PII DATA

Never leave sensitive PII data in hard copy unattended and unsecured.

Physically secure Sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know. Sensitive PII data may be stored in a space where access control measures are employed to prevent unauthorized access by members of the public or other persons without a need to know (e.g., a locked room or floor or other space where access is controlled by a guard, cipher lock, or card reader); however, such measures are not a substitute for physically securing Sensitive PII in a locked container when not in use.

Sensitive data should not be sent by fax machine unless absolutely necessary. Scan and encrypt the document(s) and then email them if possible. If the information must be faxed, do not send sensitive data to a fax machine without first contacting the recipient to arrange for its receipt.

EMAILING PII DATA

Email Sensitive PII data only within an encrypted attachment with any necessary password provided separately (e.g., by phone, another email, or in person).

Email encryption should be used if sensitive PII data is within the body of the email.