Information Security Home

Security Policies Home

____________________________________________________________

SOUTHSIDE VIRGINIA COMMUNITY COLLEGE

INFORMATION TECHNOLOGY

SECURITY POLICIES

               ____________________________________________________________

2008

Status: Approved 10-16-08

Introduction:

The SVCC IT Security Plan will meet the following objectives:

• Maintain compliance with the COV ITRM Standard SEC501-01.

• Make employees aware of the security procedures required to ensure protection of information technology systems at SVCC.
• Define and explain employee responsibilities and duties with respect to the protection of information resources.
• Ensure that information resources are properly and consistently protected, regardless of their location, form, or supporting technologies.
• Enlist upper management support for the SVCC Information Security Plan.
• Enforce disciplinary actions when required to protect SVCC and COV information assets.
• Empower managers and other workers to make decisions about information security which are in keeping with standard policies and procedures, as are necessary and proper for each situation.
• Provide information system security audits and reviews.

SVCC must take appropriate steps to ensure its information systems are properly protected.  All SVCC information systems shall be protected, regardless of storage or transmission medium.

The SVCC Security Plan is predicated on the following concepts:

1.        Information security is the responsibility of each individual employee.

2.     All information access is granted on the basis of “least privilege” only.

The security policies and procedures given in this document were promulgated based on the concepts given above.

SVCC IT Security Roles:

Information technology security roles are assigned to individuals to ensure accountability and compliance among the information technology processes.  The role or working title and assignment of personnel for each security role may differ at each college however it is critical that each function be identified and the individuals assigned have the appropriate skill sets.  Individuals may be assigned multiple roles, as long as the multiple role assignments provide adequate separation of duties, provide adequate protection against the possibility of fraud, and do not lead to a conflict of interests. All roles are designated and approved by SVCC management as part of the Business Impact Analysis and Risk Assessment processes. Each employee’s IT security role will be reviewed and evaluated for accuracy, and updated annually on the Employee Work Profile (EWP) by the appropriate supervisors. SVCC IT Security Roles, Section B1, SVCC Security Plan.

SVCC Information Security Officer:

The SVCC ISO shall:

• Recommend to SVCC administration a college IT security program that meets or exceeds the requirements of VCCS and COV IT security policies and standards in a manner commensurate with risk. All aspects of the program are subject to the written approval of SVCC administration (President’s Staff). SVCC President’s Staff is responsible for the content of the final plan and all associated appurtenances thereto.

• Develop and maintain an IT security awareness and training program for the college staff, including contractors and IT service providers.

• Coordinate and provide IT security information to the VCCS ISO as required.

• Recommend to SVCC President’s Staff  a course of action to implement and maintain the appropriate balance of protective, detective and corrective controls for college and VCCS IT systems commensurate with data sensitivity, risk and systems criticality. All aspects of the program are subject to the written approval of SVCC administration (President’s Staff). SVCC President’s Staff will determine the content of the final plan and all associated supporting documentation.

• Mitigate and report all IT security incidents in accordance with §2.2-603 of the Code of Virginia and related VCCS requirements and take appropriate actions to prevent recurrence.

• Maintain liaison with the VCCS ISO.

Other Security Roles:

System Administrators:

The System Administrator is an analyst, engineer, or technician who implements, manages, and/or operates a system or systems.  The System Administrator assists College and System Office management in the day-to-day administration of the IT systems, and implements security controls and other requirements of the local IT security program on IT systems for which the System Administrator have been assigned responsibility. System administrators will be so designated on their SVCC Employee Work Profiles (EWP).

 Security Administrator:

The Security Administrator manages security controls over networks and systems to prevent improper or unauthorized use of data. Security administrators will be so designated on their SVCC Employee Work Profiles (EWP).

Super User:

As a part of the AIS and SIS security model VCCS provides a special set of permissions, often described as the "Super User" role, which has access to all panels (navigations) available in the system except those supporting security administration and the “Enrollment” panel. The role as defined also permits those who are assigned this role full authority to read, change, and delete the information stored in the associated databases. Superusers will be so designated on their SVCC Employee Work Profiles (EWP).

IT System Users:

System users will be so designated on their SVCC Employee Work Profiles (EWP). Users are defined as COV employees having access to an information system or its data and not specifically given any other IT security role.

System Owner:

The System Owner is the manager responsible for operation and maintenance of an IT system. System Owners will be so designated on their SVCC Employee Work Profiles (EWP).

Data Owners:

Data Owners are the entity, group or individual that has ultimate responsibility for the creation and modification of information stored in a database or other system. The data owner is responsible for ensuring that the System Owner has implemented sufficient security in the system platform to safeguard the applications and data stored on that server. Data Owners will be so designated on their SVCC Employee Work Profiles (EWP).

Information Technology Security Policies

The SVCC Security Plan requires that good management practices be followed to implement information technology security safeguards based on the SVCC IT Risk Assessment and Business Impact Analysis. During the BIA and RA processes, data sensitivity, hardware and software resources, categorization and classification of data, and associated potential damages are addressed. Also, mission critical systems, allowable downtimes, manual processes and responsible personnel are identified. (Sections B2-B5, SVCC Security Plan) SVCC requires the participation of the System Owners and Data Owners in the development of the Business Impact Analysis. It is the responsibility of the System and /or Data Owners to provide accurate and detailed information for the specific business processes within their particular business unit.

The SVCC Security Plan and associated policies is a dynamic document which must be reviewed at least annually and updated every three years. The following is a list of requirements for all information systems maintained at SVCC.

Purpose:

Maintain compliance with the COV ITRM Standard SEC501-01 and applicable VCCS IT Security standards.

Scope:

Enforcement:

Enforcement of SVCC Security Policy shall be performed as specified in the Enforcement Procedure section of the VCCS Personnel Security, Acceptable Use Standard.

1.1     Exemptions from Applicability:

The following are explicitly exempt from complying with the requirements defined in this document: (as per COV ITRM Standard SEC501-01, Section 1.6, July 1, 2007 Revision 3)

• Systems under development and/or experimental systems that do not create additional risk to production systems
• Surplus and retired systems
• Academic instruction or research systems (This exemption, however, does not relieve these academic instruction or research systems from meeting the requirements of any other state or federal Law or Act to which they are subject.) (This was removed in the Jan 2009 Revision)

Definitions:

Sensitive data: Personal Health Information (PHI) or Personally Identifiable Information (PII) (a combination of a first name, or first initial, last name, and any of the following, financial account number, credit or debit card number and/or the corresponding password, security, or access code)

VITA definition of sensitive data may be found at: http://www.vita.virginia.gov/security/default.aspx?id=327

Academic Instruction and Research Systems: Those systems used by institutions of higher education for the purpose of providing instruction to students and/or by students and/or faculty for the purpose of conducting research.

VCCS Position:

The VCCS is defining “Academic Instruction and Research Systems” as those used in the classroom by students and/or faculty for instructional purposes, and those systems used in a lab environment by students and/or faculty for the purpose of research in support of instruction. Further defined as those systems, applications, services, and related IT infrastructure that support the classrooms, student labs, and other instructional space for the purpose of instruction or research in the aid of instruction which are not used to access and/or store college administrative information. These exceptions do not apply to administrative systems (systems that access, process, or store college administrative information) that are used in the business operation of the college. It is important for the VCCS to define a separation of academic and administrative systems to ensure the highest level of security for the college and the VCCS enterprise while enabling the needs of instruction since the VCCS as an institution falls under the scope of applicability of the SEC501-01 Standard. 

2.1     Continuity of Operations:

SVCC shall address the development, implementation, exercise, and maintenance of the Continuity of Operations Plan as it relates to IT systems and data. The plan must be reviewed and updated annually, and identify the employees responsible for the plan. (Section C1, SVCC COOP Plan, Recovery Strategies)

3.1     Disaster Recovery Plan:

SVCC must establish and document a Disaster Recovery Plan relating to its IT systems and related applications. (Section C 2, SVCC Disaster Recovery Plan, SVCC Emergency Procedures) The plan should address the following issues:

• Identify and include manual operating procedures for mission critical business functions.
• State an order of restoration for mission critical business functions, including the technical procedures for implementation and returning to normal operations.
• Identify alternate site locations.
• List recovery team members and responsibilities.

4.1     IT Systems Security:

SVCC shall apply appropriate baseline security configurations to all IT systems. (Systems Hardening) SVCC IT Network Administrators are tasked with developing, implementing, maintaining, and documenting for audit purposes all security configurations. For IT systems that have been identified as high risk or that contain sensitive and confidential data, security configurations should be more restrictive. All security configurations must be reviewed annually by the SVCC IT staff and SVCC Security Committee. Review results will be documented and maintained by the college ISO.

A Firewall should be placed between each campus network and the Verizon / VCCS WAN which provides SVCC with Internet access. Security logging shall be enabled on the firewall.  At least once per year, a vulnerability scan will be done from outside the firewall.  Results of the scan shall be documented by SVCC IT staff and forwarded to the College ISO.

Where possible, individuals shall use only encrypted means of access across the Internet.  Where this is not possible, individuals shall not pass sensitive college information.  Encryption methods shall use at least 128 bit encryption keys, with large encryption keys preferred. 

Dial-in access to the SVCC network shall be strictly controlled.  A list of all modems connected to the SVCC network shall be kept by SVCC IT Network Services.  No modems shall be connected to the SVCC network without prior approval of the SVCC IT Network Administrators.  The list of modems shall also specify which modems are granted dial-in access. 

4.1.1     Phone System Security:

The phone system is meant primarily to handle the business needs of SVCC.  To this end, personal use of the college phone system should not interfere with the business operations of SVCC

4.1.2     Wireless Security:

All SVCC wireless networking will be installed, maintained and monitored by the SVCC Information Technology Network Services department. No wireless networking equipment shall be installed by anyone other than these personnel, unless prior written approval is received from the IT Network Administrator.  Monitoring shall be done to ensure that no rogue access points are installed.  Any wireless equipment found that was not installed by Network Services, shall be removed immediately by Network Services staff. Access to the SVCC network through wireless equipment will be done using the authentication mechanisms comparable to that of the wired network.

Non-COV owned devices shall not connect to the SVCC wireless production network. Access to the SVCC WLAN will be granted following the SVCC WLAN Access Procedure.

4.1.3     Legal Disclaimers:

Legal disclaimer shall be placed on all network access points.  Disclaimers shall be set up as a logon banner upon network logon and as a link on the SVCC website home page.

Workstation/Server Logon Banner:

Clicking “OK” below indicates you have read and agree to the terms of the Information Technology Ethics Agreement and further consent to monitoring of your activities by technical support personnel during routine diagnostics of college-owned equipment. You can view the Acceptable Use Agreement from the of the College’s home page at:

http://www.southside.edu/student/infosecurity/compethics.asp

Web Disclaimer :

Should any SVCC web site user discover something out of date, please contact the individual author at the email address given at the web site. If a user notices something in conflict with SVCC or VCCS policy, regulations or statutes of the Commonwealth of Virginia, or federal policy or law, please contact the College Webmaster and the individual author. Please see disclaimer at:

http://www.southside.edu/privacy.as

Router Logon Banner:

“State law (article 7.1 of title 18.2 of the Code of Virginia) classifies damage to computer hardware or software (18.2-152.4), unauthorized examination (18.2-152.5) or unauthorized use (18.2-152.6) of computer systems as (misdemeanor) crimes. Computer fraud (18.2-152.3) and use of a computer as an instrument of forgery (18.2-152.14) can be felonies. The VCCS’ internal procedures for enforcement of its policy are independent of possible prosecution under the law.”

 4.1.4     Malicious Code Protection:

SVCC will inform employees of their responsibility concerning malicious programs via security awareness and training and explicitly prohibit: Intentional development or experimentation with malicious programs, and the intentional propagation of malicious programs. This may be distributed via syllabus, signage, VCCS email accounts, or College web sites. 

 SVCC will strive to provide protection against malicious programs by using detection, protection, elimination, logging, and reporting capabilities.

4.1.5     Systems Interoperability:

SVCC shall require security agreements for sharing system information with other systems or data owners. A system interconnection may be defined as the direct connection of IT systems for the purpose of sharing data.  This does not include instances where data is shared via tape or file exchanges.

Note: SVCC only connects to enterprise systems and applications owned by the VCCS; no other system interoperability is required.

4.1.6     IT Systems Development Life Cycle:

In accordance with the COV ITRM 501-01, SVCC should document the security related activities that must be adhered to in each phase of the development life cycle for College IT systems.

Best practices for system development life cycle security are listed in Section D 4 of the SVCC Security Plan to assist in guiding the System Office and Colleges from project definition through disposal of IT application systems.

4.1.7     IT System Audits:

In compliance with the COV ITRM SEC-501-01 standards, certain aspects of the SVCC Security Plan must be reviewed, evaluated, and /or updated on an annual basis. The completion of these tasks collectively will be considered the SVCC internal audit of its Information Technology Security Plan. A list of these annual events, deliverables, completion dates, and personnel responsible is given in the SVCC Security Plan, Section B6, IT Security Audits.

4.2     IT System Security Plans:

Each System Owner of a Sensitive IT system shall:

• Document an IT System Security Plan for the IT system based on the results of the risk

           assessment. This documentation shall include a description of:

           a. All IT existing and planned IT security controls for the IT system, including a

               schedule for implementing planned controls;

           b. How these controls provide adequate mitigation of risks to which the IT system is

               subject.

• Submit the IT System Security Plan to the Agency Head or designated ISO for approval.

• Plan and document additional IT security controls for the IT system if the Agency   

           Head or designated ISO disapproves the IT System Security Plan, and resubmit the     

           IT System  Security Plan to the Agency Head or designated ISO for approval.

• Update the IT System Security Plan every three years, or more often if necessary, and resubmit the IT System Security Plan to the Agency Head or designated ISO for approval.

5.1     Logical Access Control:

Southside Virginia Community College (SVCC) may provide user accounts for all faculty, staff, adjuncts and part time employees of the college as necessary and proper. Accounts issued to users are for college use only and will be audited for misuse. 

Access to all SVCC network servers, including but not limited to; domain controllers, phone system servers, voice mail servers, email servers, file servers, web servers, ftp servers, terminal servers, print servers and any general purpose server or workstation, and network hardware shall require a username and password, with the following exception:

• SVCC web servers may allow anonymous access to information that is for public use.

All SVCC systems will be configured to allow least privilege access to users. NTFS permissions will be used to ensure that users will not have access to any system which is not part of their job function.

5.1.1     Remote Access:

Simply stated, remote access is the ability to get access to a computer or a network from a remote distance.  Security measures for remote access shall be implemented by SVCC IT Network Service staff based on sensitivity and risk to System Office or College IT systems and data.

• SVCC procedures shall document user requirements for use of remote access and the need for remote access to sensitive data. Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan.

• The security of remote access to the College IT systems and data must be in compliance with the Data Protection, Encryption Standard.

• SVCC IT Network Staff must document the requirements for physical and logical hardening of remote access devices.
• Remote access account records must be maintained for audit purposes in accordance with current College policies.

5.1.2     Authentication:

The identity of each individual who accesses college information, must be verified before access is given to the information.  This identification process is normally performed using the user ID/password process.  The user ID determines who the user is claiming to be.  The submission of a correct password is taken to mean that the person is actually who the user ID claims them to be.

• Use of shared user ID’s shall be limited to workstations allowing only single function use (such as workstations secured so that they can only be used to browse the web). Temporary logical access may be granted on an ad-hoc basis by SVCC IT Network Administrators for contractors (i.e., non-state personnel) working for or on behalf of SVCC with removal of said access immediately upon completion of the related task.

• All users must be authenticated with the exception of the above conditions and users shall be forced to change their passwords every 90 days.

• SVCC Systems shall be set to lock out further logon attempts after 3 failed attempts have occurred.

5.1.3     Passwords Policy :

Initial passwords will be securely disseminated to users by SVCC IT Networks Services staff. All password documentation will be maintained by SVCC IT Network Services staff for audit purposes. At first logon, the user will be required to choose a new password using the following format:

• Passwords must be at least eight characters long.
• Password History should be set to 4 passwords remembered
• Maximum password age should be set to 42 days. (Jan 2009 Revision).
• Minimum password age should be set to 5 days.
• Reversible encryption of passwords should be disabled
• Passwords must support the display masking feature.
• Passwords may not contain your user name, any part of your full name or any common dictionary word or phrase.
• Passwords must contain characters from at least three of the following four classes:

In addition, to maintain good security, individual passwords should not have any relationship to other passwords in use.  That way if an attacker obtains one password, they will not be able to gain access to other passwords maintained by the same person.  Passwords should not be accessible by anyone except by the owner of the password.  Passwords should be changed regularly.

• Passwords should not be cyclical. When a password expires, do not name the new password as an identifiable iteration of the last password (i.e., pass1, pass2, pass3, etc.)

• Passwords used in the college should not be used on systems outside the college
• Require passwords on mobile devices such as PDA’s and smart phones. For mobile phones, use a 4 to 5 digit pin number. (Jan 2009 Revision)

• Password protected screen-savers shall be implemented. Lockout period after 30 minutes inactivity for COV devices. COV devices with access to sensitive systems or those devices in less physically secure environments must have a lower time out interval documented and enforced. (Jan 2009 Revision)

• Guest accounts are prohibited.
• Passwords must not be stored in readable form in batch files or other locations unless sufficient security precautions are taken to ensure the security of the password.
• All vendor default passwords must be changed upon system installation.
• If a suspected disclosure of passwords has occurred, all involved passwords shall be immediately changed.
• All failed logon attempt must be logged; accounts will be locked after 3 unsuccessful logon attempts; proof of identity is required to have a password reset.
• New passwords will be issued in a state that requires immediately changing the first time the user logs on.

5.1.4     Account Creation / Authorization:

• All users requesting VCCS Enterprise Application (peoplesoft, SIS etc.) or LAN accounts on the SVCC network MUST submit the SVCC Applications Account Request Form prior to receiving their account. This may include, but is not limited to; Faculty, Staff, Adjuncts and Part Time Employees. No account should be issued until the request form has been approved and submitted to all appropriate access granting personnel.  The appropriate supervisors will conduct annual reviews of all employee account access and authorization to ensure that they remain appropriate and will document the same on the Employee Work Profile (EWP). The form must be filled out completely and signed by the new users supervisor, and all appropriate access granting personnel.

  Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan.

• Access to VCCS Enterprise Applications and SVCC LAN: Employees who seek access to the VCCS Enterprise Applications or SVCC LAN accounts should make a request to their respective supervisor using the Applications Account Request Form. Once the supervisor approves and signs the request it is to be sent to the appropriate access granting personnel as given on the form for approval. Logical access will be given after the request has been approved by all access granting personnel and upon completion of the process. The completed form will be maintained for audit purposes in the employees personnel file by the Human Resources Department. Three to five working days should be allowed for processing to be completed.
• Adding or Changing VCCS Enterprise Account Access: Employees requesting a change in logical access due to a role / job assignment change should complete the Applications Account Request Form. have their supervisor approve, sign, and give to the Peoplesoft / Security Administrator. When the form is received by the Peoplesoft / Security Administrator, this person will approve the request and if approved, makes the requested additions or changes for logical access to the employee's USER-ID. All other access granting personnel must be informed of the change in status of the employee, and approve the changes as given on the form. It is the responsibility of the employee’s supervisor to confirm that this task is completed. Three to five working days should be allowed for processing to be completed.
• Deleting VCCS Enterprise Application or SVCC IT Resource Access: Employees requesting deletions of VCCS Enterprise Application access should complete the Applications Account Request Form, have their supervisor approve, sign, and give the form to the Peoplesoft / Security Administrator. When the request form is received by the Peoplesoft / Security Administrator, this person deletes the account access from the employee's USER-ID. At such time an employee no longer requires logical access to IT resources, (i.e. resigning from the College), the employee’s supervisor should complete the Applications Account Request Form to have the employee’s VCCS enterprise application and SVCC logical access deleted. All other access granting personnel must be informed of the change in status of the employee, and approve the changes as given on the form. It is the responsibility of the employee’s supervisor to confirm that this task is completed. Access to all SVCC IT resources for a person no longer employed by SVCC will be terminated at the close of business on the date of termination.

• Each new user must complete the Security Awareness Training provided by SVCC within 30 days of receiving their SVCC account.  If the user has not completed the Security Awareness Training within 30 days, the user’s account will be disabled until the training is complete.
• All inactive accounts shall be deactivated after a period of 90 days; if it is determined that the account is unneeded, it shall be deleted.
• All SVCC accounts will be configured to allow least privilege access to users.  NTFS permissions will be used to ensure that users will not have access to any system which is not part of their job function.
• Employee logical access will be evaluated annually by their supervisors to ensure that the employee access consistent with the concept of least privilege. The supervisor will document the same on the Employee Work Profile (EWP).
• SVCC must document termination, transfer, or role change with respect to logical access using the Applications Account Request Form and the Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan.
• Temporary logical access may be granted on an ad-hoc basis by SVCC IT Network Administrators for contractors (i.e., non-state personnel) working for or on behalf of SVCC with removal of said access immediately upon completion of the related task. The IT Network Administrator granting the access must document the access on the SVCC Applications Account Request form. The form will kept on file by the college ISO.
• Unusual account activities will be investigated by IT Network Services staff.
• Configure applications to clear cached data and temporary files upon exit of the application or logoff of the system.  (Jan 2009 Revision)

6.1     Data Protection:

All sensitive information shall be labeled either [confidential] or [internal use only] in the document containing the sensitive information; confidential and internal use only documents are not accessible to the general public. Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners.  All SVCC employees will be the Data Custodians responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage.

• All personal data shall be treated as confidential information.
• All storage medium shall be classified to highest level of information they may contain.

• SVCC prohibits the posting of any classified or sensitive data based on confidentiality on any public web site. (Jan 2009 Revision)

• All storage medium must be destroyed or securely erased, using approved methods in accordance with COV ITRM Standard SEC514-03, before disposal.
• Controls must be in place to prevent sensitive data from leaving the campus SVCC Data Storage Media Protection, Mobile Device Protection, Mobile Device Security form, Section F 1, Attachment F 1.1, SVCC Security Plan.
• Security agreements must be in place prior to sharing system information with other systems (non-VCCS) and / or data owners.
• SVCC prohibits the auto forwarding of emails. (Jan 2009 Revision)

• Sensitive data should not be stored on any non-network storage device or media, mobile storage media, including laptops, desktops and mobile workstations, as well as any non-network drive, USB Drives and CD’s, except for backup media, unless the data is encrypted and there is a written exception approved by the Agency Head. (Jan 2009 Revision)

• SVCC must prohibit the connection of any non-COV owned data storage media or device to a COV-owned network, unless the connection is to a segmented guest network. SVCC must prohibit the storage of COV data on any mobile data storage media not owned by the COV. This prohibition, at the agency’s discretion, need not apply to an approved vendor providing operational IT support services under contract

Note: Such media include, but are not limited to, laptops, desktops and mobile workstations USB drives, cell phones, CD’s, personal digital assistants, and digital music players owned by employees, contractors, and students. (Jan 2009 Revision)

VCCS allows flexibility in meeting this requirement based on approval from Tech Council.  Colleges who have a legitimate need for flexibility in complying with this requirement must complete form VCCSITSEC002 providing the justification.

6.1.1     Redundancy and Tape Backups:

• All college data shall be stored in at least two separate locations. The off-site location must be geographically/separately distinct from the primary location. (Jan 2009 Revision)

• Procedures must be implemented and documented to safeguard handling of all backup media containing sensitive data. Encryption of backup media shall be considered where the data is Personal Health Information (PHI) or Personally Identifiable Information (PII). Where encryption is not a viable option, mitigating controls and procedures must be implemented and documented. (Jan 2009 Revision)Personal Health Information (PHI) or Personally Identifiable Information (PII) (a combination of a first name, or first initial, last name, and any of the following, financial account number, credit or debit card number and/or the corresponding password, security, or access code)
• Where possible, the SVCC network shall be set up to limit the number of single points of failure in the system.
• Weekly full backups shall be stored offsite, and be maintained for a maximum of 3 months.
• The transfer of backup media off site must be authorized, logged, documented, and maintained by approved access personnel. (Storage Media Log Sheet, Section F1, Attachment F1.1, SVCC Security Plan.)
• Electronic media must be managed so it may reproduced in a timely and complete manner when necessary (such as during a legal proceeding).
• Data retention should reference the Library of VA “Records Retention and Disposition Schedule 101. (SVCC Security Plan, Section F1)
• IT System Backup and Restoration

6.1.2     Encryption:

• Where possible, individuals shall use only encrypted means of access for data that is sensitive relative to confidentiality and integrity via a public WAN such as the Internet. Where this is not possible, individuals shall not transmit sensitive college information. Encryption methods shall use at least 128 bit encryption keys, with large encryption keys preferred. (Jan 2009 Revision)

  Sensitive data is: Personal Health Information (PHI) or Personally Identifiable Information (PII) (a combination of a first name, or first initial, last name, and any of the following, financial account number, credit or debit card number and/or the corresponding password, security, or access code)
• SVCC IT Network Administrators should define and document practices for selecting and deploying encryption technologies, and provide technical training for IT staff.
• SVCC IT Network Administrators will be responsible for administration and distribution of encryption keys via a secure key management system.
• Encryption keys should only be generated through an approved encryption package as defined in requirement two above.

7.1     Facilities Security:

• All COV IT equipment including network servers and ancillary devices shall be in a locked room or secured in a locked enclosure. All critical physical security points must be identified and secured by the use of locks, cameras, or other reasonable and proper means.  SVCC Management will allow, deny, or terminate physical access to critical security points. SVCC Management will approve and provide appropriate levels access and documentation of said access to critical security points as per section 2.12, Keys of the SVCC Faculty-Staff Handbook.

• All network server rooms shall have CO2 based fire extinguishers located within the room. Network Technicians shall be aware of the location of the closest fire alarm. 

• The network server room should be monitored for temperature and humidity.
• All network servers shall be run on an uninterruptible power supply (UPS).
• Water detection systems may be installed with the UPS systems to notify of the presence of water on the server room floor in order to prevent damage to the server equipment
• A list of authorized access personnel that are approved access to the server rooms or wiring / phone closets shall be maintained, reviewed annually, and kept current by the college ISO. Access to mission critical areas is based on the concept of least privilege.  A visitor log sheet shall be set up at the receptionist’s desk to document any visitors to the server rooms or wiring / phone closets not on the approved access list.  All visitors to the server rooms or wiring / phone closets shall be escorted at all times.
• Controls shall exist to ensure that physical objects (badges, keys, etc) are returned after termination or transfer. (Faculty-staff Handbook Section 3.16, Employee Checkout Sheet)
• Sensitive information shall not be stored on portable computers that are taken outside of secured areas.
• Do not leave confidential information on desks after working hours or in rooms that are un-attended.  All media should be clearly marked as to their classification.
• When dealing with confidential information, ensure that no one is watching over your shoulder.  This precaution should also be taken when typing in passwords.

8.1     Personnel Security:

Existing state law and regulations impose significant responsibilities on employees for the security of information.  If deemed necessary, SVCC will take personnel action based on the following state laws and regulations:

1.      The Virginia Employee Standards of Conduct and Performance specifically includes unauthorized use or misuse of state records, falsification of records, the willful or negligent damage or defacing of records and records theft as violations.

2.      The Government Data Collection and Dissemination Practices Act (formerly the Virginia Privacy Protection Act of 1976) specifically requires that State agencies and institutions take affirmative action to establish rules of conduct and to inform employees involved in the design, development, operation or maintenance of an information system that misuse of personal information, or failure to take steps to ensure that information is accurate and reliable, may result in the individual employee being subject to injunction and assessed the costs of court action.

3.      The Virginia Computer Crimes Act (Code of Virginia § 18.2) imposes both misdemeanor and felony violations for the unauthorized viewing, copying, alteration or destruction of computer data, software or programs.

Therefore, SVCC has the following personnel security measures in place:

• All Prospective new employees will have background checks done as part of the hiring process. The SVCC Human Resources department will maintain all associated documentation as a part of said process. Existing employees may be grandfathered under the policy and may not be required to have background investigations (Jan 2009 Revision)

• All individuals with access to sensitive data must be familiar with SVCC policies and procedures relating to sensitive data. Employee job descriptions must accurately reflect assigned duties and responsibilities in order to define required IT system access.
• Technical support personnel will be cross-trained so that procedures can be followed unaffected by the absence of any one key individual.
• Access to sensitive areas / information is granted on the basis of least privilege. Access may be granted (or terminated when no longer required), temporarily disable physical and logical access rights when personnel are out for prolonged period in excess of 30 days due to disability or other authorized purpose, Disable physical and logical access rights upon suspension of personnel for disciplinary purposes (Jan 2009 Revision) using the SVCC Applications Account Request Form and the Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan,  Section 5.1 SVCC Faculty-Staff Handbook.

• All SVCC Employees are required to read and sign the VCCS Information Technology Employee Acceptable Use Agreement.

• All SVCC Employees are required to read and comply with the VCCS  Information Technology Acceptable Use Standard.

8.1.1     Security Awareness and Training:

All SVCC employees involved with information technology must be aware of their security responsibilities and know how to fulfill them.  Accordingly, SVCC has set up the SVCC Security Awareness and Training program. The program is implemented by using the Managed Ongoing Awareness Tools (M.O.A.T.) program.  All employees at SVCC shall receive security awareness training.  New employees must complete this training within 30 days from initial reporting date. If after 30 days, the user has not completed the training; their account will be disabled until the training is completed.   All employees will be required to receive refresher training at least once per year. Users will be notified via email when they need to take the refresher training.  After notification, users will have 30 days to complete the Security Awareness Training.  If after 30 days, the user has not completed the training; their account will be disabled until the training is completed. All employee progress and certification status is monitored and tracked by the M.O.A.T. application which can generate reports based on various search criteria. The employee must also verify electronically that they have completed the training course. Upon successful completion of the course, the employee may print a hard copy of a program completion certificate.

• The SVCC Information Security Officer shall be responsible for documenting and maintaining security training records.
• A user may be exempt from security awareness training if documented and approved by the SVCC President. (Security Awareness Training Exemption form)
•  SVCC will make available specialized or advanced training and information technology security training programs that are commensurate with the level of expertise required for the system components and information resources for which the college personnel are responsible. These requirements are met by using training opportunities afforded SVCC by the VCCS, Virginia Tech, VA SCAN, the SANS institute, and other applicable training providers. It will be the responsibility of the individual employee’s supervisor to ensure compliance with this requirement.
• Third parties / consultants working on behalf of the college must read and sign the VCCS Security Awareness and Training document as listed in the SVCC Security Plan, Section H2.

9.1     Network Usage Policy

• Any software adversely affecting SVCC information systems may be removed at the discretion of the SVCC IT Network Administrator. Programs may be considered to adversely affect SVCC information systems by consuming excessive processor time, disk space, processor memory, or network bandwidth.

• Personal use of the SVCC network must not interfere with normal business activities.  It must not involve solicitations or be associated with any for-profit outside business activity.
• Peer-to-Peer file sharing (P2P) is prohibited on the campus network. P2P applications are considered security risks because they use direct communications between computers (or "peers") to share or transfer data. Users of the SVCC network may not use peer-to-peer file sharing programs, including, but not limited to, Limewire, eDonkey, KaZaA, Gnutella, Morpheus, Audiogalaxy, WinMX and BitTorrent. For the purposes of this policy, a Peer-to-peer file sharing application is any application that transforms a personal computer into a server that distributes data simultaneously to other computers. Please note that copyrighted materials cannot be shared by any means without proper permission. This includes sharing via network file shares, the web, or any other means and is not limited to peer-to-peer programs.
• The COV reserves the right (with or without cause) to monitor, access and disclose all data created, sent, received, processed, or stored on COV systems.
• Local Administrator rights (or the equivalent on non-Microsoft Windows-based IT systems) shall be limited to only authorized IT staff.
• Connecting non-COV-owned devices to a COV IT system or network, such as personal computers, laptops, and hand-held devices is prohibited (except in accordance with COV ITRM Use of non-COV devices to Telework standard SEC-511-00.)
• All network usage must comply with the VCCS Information Technology Acceptable Use standard.
• IT system users shall not perform any of the following operations on COV owned equipment:
• Install personal software;
• Install, remove, modify hardware or software;
• Install or use proprietary encryption hardware or software;
• Modify security controls on workstations;
• Connect unauthorized devices.

9.1.1     Privacy:

• It is the policy of the Commonwealth of Virginia that personal information about citizens will be collected only to the extent necessary to provide the service or benefit desired; that only appropriate information will be collected; that the citizen shall understand the reason the information is collected and be able to examine their personal record which is maintained by a public body. The complete SVCC privacy statement is available at http://www.southside.edu/privacy.asp.

9.1.2     Email Communications:

• Unsecured email shall not be used to send sensitive data if there is no encryption. An email disclaimer will either be prepended or appended to emails. These statements are frequently used to create awareness of how to treat the data in the email. (Jan 2009 Revision)

10.1     Threat Management:

10.1.1     Virus Protection:

• It is the responsibility of each individual to scan their documents for viruses before sharing them with other people.

• Anti-Virus software should be configured to automatically update its virus definition files.
• It is the responsibility of each individual to immediately notify the SVCC IT Network Services department if a virus is detected.
• The Anti-Virus system implemented at SVCC shall scan attached files while in the email client inbox.
• The virus protection system shall scan files immediately upon their being saving to a file server or workstation.

• SVCC shall have a plan which includes the development, acquisition, testing, training, maintenance of threat detection activities, and the personnel responsible for each aspect of the same. See the SVCC Threat Detection Plan Section I 1, Attachment I 1.1, SVCC Security Plan.

10.1.2     Security Monitoring and Logging:

All actions relative to system security must be documented by SVCC IT Network Administrators. SVCC information systems will meet the following requirements:

• System security logs shall list logon and logoff times and all other relevant security events such as failed logon and access attempts in order to support security audits. Such documentation must be reviewed by SVCC IT Network Administrators weekly.

• SVCC must enable logging capabilities on IT systems and applications where practicable and does not impede the performance of the IT system or otherwise impact the Systems Office or College business practices.
• Event logs should be monitored so that quick reactions to an attack are implemented.  SVCC must specify the type of actions a particular program can take, based on the possible security implications, when suspicious or malicious traffic is detected. The SVCC IT Staff will maintain documentation with specific information as to the nature of the suspicious traffic, the mechanism by which it was detected, and the actions taken by the detecting device(s) upon such detection.
• All event logs must be stored for a minimum of 4 weeks.
• The use of keystroke logging, except when required for security investigations and approved in writing by the Agency Head, is prohibited.
• All security related logs shall be reviewed on a consistent basis by the SVCC IT Network Administrators to ensure that SVCC security is not being compromised.
• IT Network Administrators must take reasonable precautions in order to insure that SVCC has accurate security information in the security log.
• All security violations must be reported to management and investigated by IT Network Services.

10.1.3     Threat Detection/Incident Handling:

In accordance with the COV ITRM 501-01, incident handling is necessary to detect incidents, minimize loss, mitigate weaknesses and restore System Office and College resources promptly and efficiently. . Each agency shall document IT security incident handling practices and where appropriate the agency shall incorporate its service provider’s procedures for incident handling. (Jan 2009 Revision) Incident handling involves having the necessary tools and resources in place to appropriately handle an incident.  The SANS Institute defines an incident as “An adverse event in an information system and/or network, or the threat of the occurrence of such an event.  Incident implies harm or the intent to do harm.”

• It is mandatory that all employees of SVCC report all suspected security incidents to the SVCC Information Security Officer.  They may do so by calling the SVCC help desk or calling the SVCC Information Security Officer directly.  All reported security incidents must be investigated by the appropriate personnel. See Guidance on Reporting Incidents, IT Security Threat Management Guideline, Section I, Attachment I 2.1 SVCC Security Plan.
• SVCC must have a plan which defines controls that manage problems and handle incidents as required by the COV ITRM 501-01.  See the SVCC Incident Response Plan, Incident Handling Procedures, Incident Reporting form, Section I, Attachment I 2.1 SVCC Security Plan.

10.1.4     Incident Response Team :

SVCC must designate an Incident Response Team that includes personnel with the appropriate expertise and authority to respond to each phase of an incident report. 

The SVCC team consists of the following personnel:

Lydia Ramsey , IT Network Administrator: Daniel Campus

Marysue Lewis , IT Network Administrator: Christanna Campus

Dale Wooding, Buildings and Grounds Supervisor: Daniel Campus

Roger Wray, Buildings and Grounds Supervisor: Christanna Campus

Peter Hunt, VP of Finance and Administrative Services

Christie Hales, Public Relations Officer

Will Hamilton, ISO

*Any other personnel as necessary

10.1.5     Data Breach Notification:

When unencrypted COV personally identifiable information (PII) is subject to a breach in

security resulting in unauthorized disclosure, the data owning agency shall provide

appropriate notice to affected individuals. This notice should occur without unreasonable

delay as soon as verification of a breach is made, consistent with the investigative needs of both COV CIRT and law enforcement entities.

Each agency shall:

1. Identify all agency systems, processes, and logical and physical data storage locations (whether held by the agency or a third party) that contain Personally Identifiable Information (PII) which means a combination of a first name, or first initial, last name and any of the following: (Jan 2009 Revision)

a. Social Security Number

b. Drivers license or Identification card number

c. Financial account number, credit or debit card number and/or the corresponding       

    password, security, or access codes. (Jan 2009 Revision)

d. Other personal identifying information, such as insurance data or date of birth.

The individual Business Units at SVCC will be responsible for satisfying all the requirements of the IT Security Standard ITRM SEC501-01, section 9.5 as indicated in the SVCC Incident Handling document, Section I 2 of the SVCC Security Plan. The System and or Data Owners for each Business Unit will be responsible for the identification, resolution, and documentation of all compliance issues as given in the standard.

The Business Units for SVCC are as follows:

• Academic & Student Affairs
• Administrative and Facilities Management
• Adult Education 
• Dual Enrollment 
• Enrollment Management 
• Financial Aid 
• Information Technology 
• Institutional Advancement
• Institutional Effectiveness
• Library, Learning Resources 
• Middle College 
• Off Campus Instruction 
• President’s Office 

• Southern Virginia Higher Education Center

• Student Services
• Workforce Development & Continuing Education 

11.1     IT Asset Management

11.1.1     Software Licensing:

• SVCC must have documentation proving compliance with software license agreements. SVCC IT Network staff will maintain proper documentation for all software installed on COV equipment.

• SVCC will obey all intellectual property laws such as the U.S. copyright law as it relates to electronic information and copyrights.

• IT Staff will assess that all software currently in use is used as per its respective license agreements annually, prior to June 15, and document the same. The Approved Software List will be reviewed by the IT Network Administrators and ISO.
• Installation of all approved software must be done by SVCC IT Network Services staff. Software is to be approved by SVCC IT staff. All other software installation is prohibited.

Exceptions: Legacy software used for instructional and/or testing purposes may be exempt from the requirements of the SEC-501 standard if:

• The software is installed on a standalone computer or on systems that are securely segmented from the administrative network.
• If installed for other than testing purposes, the software must be documented as per above requirements for approving new software.

11.1.2     IT Asset Control:

Commonwealth of Virginia policies and procedures for asset management are already a requirement and the System Office and Colleges may have an individual assigned to this duty for overall asset management. The VP of Finance and Administrative Services is tasked with this responsibility (See section 4.4, SVCC Faculty-Staff Handbook). A list of all agency hardware and software will be created and reviewed annually.

 Commonwealth of Virginia assets including hardware and software shall not be removed from the campus without completion of the Equipment Check-Out form and proper authorization.

SVCC IT Network Services staff shall provide, and maintain documentation for, a general description of system architecture and functionality. Indicate the operating environment, physical location of all campuses, building plans indicating general location of users, and partnerships with external organizations/systems.

SVCC Network Services staff shall provide a network diagram of the architecture, including security controls and telecommunications connections. This document shall be maintained and kept current by SVCC IT Networks Services staff.

SVCC specifies that personal IT assets (assets not owned by COV) may be allowed on the premises. These devices include, but are not limited to, laptop computers, USB drives, PDA’s, cell phones, digital music players owned by employees, contractors, and students. These devices collectively referred to as mobile storage media may not be connected to any COV system. Also, data owned by the COV may not be stored on these devices.

11.1.3     Change Management:

SVCC must have controls in place for developing, testing, authorizing, accepting, and documenting changes and configurations. See SVCC Change Control Procedure, Change Request form, Section J 3, SVCC Security Plan.

• Changes to college enterprise edge devices must be coordinated through VCCS Information Technology services.
• In emergency situations, the SVCC Change Control Procedure may be circumvented as deemed necessary and proper by the IT Network Administrator, or SVCC senior management. The changes will be reviewed and approved after the problem is resolved.

11.1.4     Surplus Equipment:

• In accordance with COV ITRM Standard SEC514-03 prior to the surplus, transfer, trade, replacement or disposal, of all computer hard drives and electronic storage media, all Commonwealth of Virginia data must be eradicated. The approved methods of cleaning are detailed in COV ITRM Standard SEC514-03 Detailed steps are given in the Procedure for removal of data from surplus computer hard drives and electronic media document, Section J, Attachment J 1.1 SVCC Security Plan.

11.1.5     Security Forms:

• IT Security Plan Approval form

• Recovery Strategy Evaluation form

• Recovery Plan Evaluation form

• Recovery Plan Review form

• Recovery Plan Approval form

• Systems Interoperability Logging form 

• Application Account Request form

• Employee Checkout Sheet 

• Mobile Device Security form 

• Storage Media Log Sheet 

• Visitor Registration Sheet

• Emergency Access Authorization form 
• VCCS Security Awareness and Training for third parties form

• Security Awareness Compliance form 

• Security Awareness Compliance Exemption form

• Computer Incident Reporting form 

• Incident Handling Procedure
• Incident Handling Contact Information form
• Incident Detection Sheet

• System Detail Sheet

• Incident Containment Sheet

• Preliminary Investigation Sheet

• Incident Eradication Sheet

• Chain of Custody Sheet

• Incident Response Strategies Evaluation form
• Equipment Checkout Record

• Addition to Approved Software List form

• Configuration Change Request form

• SVCC COOP and DRP Plan Testing approval form