SOUTHSIDE VIRGINIA COMMUNITY COLLEGE

INFORMATION TECHNOLOGY

SECURITY POLICIES

2012

Status: Approved 11-19-09

Introduction:

The SVCC IT Security Plan will meet the following objectives:

• Maintain compliance with the VCCS security standard.

• Make employees aware of the security procedures required to ensure protection of information technology systems at SVCC.
• Define and explain employee responsibilities and duties with respect to the protection of information resources.
• Ensure that information resources are properly and consistently protected, regardless of their location, form, or supporting technologies.
• Enlist upper management support for the SVCC Information Security Plan.
• Enforce disciplinary actions when required to protect SVCC and COV information assets.
• Empower managers and other workers to make decisions about information security which are in keeping with standard policies and procedures, as are necessary and proper for each situation.
• Provide information system security audits and reviews.

SVCC must take appropriate steps to ensure its information systems are properly protected.  All SVCC information systems shall be protected, regardless of storage or transmission medium.

The SVCC Security Plan is predicated on the following concepts:

1.        Information security is the responsibility of each individual employee.

2.     All information access is granted on the basis of “least privilege” only.

The security policies and procedures given in this document were promulgated based on the concepts given above.

SVCC IT Security Roles:

In compliance with VCCS Standard, 8.1, Human Resource Security, information technology security roles are assigned to individuals to ensure accountability and compliance among the information technology processes.  The role or working title and assignment of personnel for each security role may differ at each college however it is critical that each function be identified and the individuals assigned have the appropriate skill sets.  Individuals may be assigned multiple roles, as long as the multiple role assignments provide adequate separation of duties, provide adequate protection against the possibility of fraud, and do not lead to a conflict of interests. All roles are designated and approved by SVCC management as part of the Business Impact Analysis and Risk Assessment processes. Each employee’s IT security role will be reviewed and evaluated for accuracy, and updated annually on the Employee Work Profile (EWP) by the appropriate supervisors.

SVCC Information Security Officer:

The SVCC ISO shall:

• Recommend to SVCC administration a college IT security program that meets or exceeds the requirements of VCCS and COV IT security policies and standards in a manner commensurate with risk. All aspects of the program are subject to the written approval of SVCC administration.

• Develop and maintain an IT security awareness and training program for the college staff, including contractors and IT service providers.

• Coordinate and provide IT security information to the VCCS ISO as required.

• Recommend to SVCC President’s Staff  a course of action to implement and maintain the appropriate balance of protective, detective and corrective controls for college and VCCS IT systems commensurate with data sensitivity, risk and systems criticality. All aspects of the program are subject to the written approval of SVCC administration.

• Mitigate and report all IT security incidents in accordance with related VCCS requirements and take appropriate actions to prevent recurrence.

• Maintain liaison with the VCCS ISO.

Other Security Roles:

System Administrators:

The System Administrator is an analyst, engineer, or technician who implements, manages, and/or operates a system or systems.  The System Administrator assists College and System Office management in the day-to-day administration of the IT systems, and implements security controls and other requirements of the local IT security program on IT systems for which the System Administrator have been assigned responsibility. System administrators will be so designated on their SVCC Employee Work Profiles (EWP).

 Security Administrator:

The Security Administrator manages security controls over networks and systems to prevent improper or unauthorized use of data. Security administrators will be so designated on their SVCC Employee Work Profiles (EWP).

Super User:

As a part of the AIS and SIS security model VCCS provides a special set of permissions, often described as the "Super User" role, which has access to all panels (navigations) available in the system except those supporting security administration and the “Enrollment” panel. The role as defined also permits those who are assigned this role full authority to read, change, and delete the information stored in the associated databases. Superusers will be so designated on their SVCC Employee Work Profiles (EWP).

IT System Users:

System users will be so designated on their SVCC Employee Work Profiles (EWP). Users are defined as COV employees having access to an information system or its data and not specifically given any other IT security role.

Privacy Officer:

An agency must have a Privacy Officer if required by law or regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), and may choose to have one where not required. The Privacy Officer provides guidance on:

 a. The requirements of state and federal Privacy laws.

 b. Disclosure of and access to sensitive data.

 c. Security and protection requirements in conjunction with IT systems when there is    

     some overlap among sensitivity, disclosure, privacy, and security issues.

System Owner:

The System Owner is the manager responsible for operation and maintenance of an IT system. System Owners will be so designated on their SVCC Employee Work Profiles (EWP).

Data Owners:

Data Owners are the entity, group or individual that has ultimate responsibility for the creation and modification of information stored in a database or other system. The data owner is responsible for ensuring that the System Owner has implemented sufficient security in the system platform to safeguard the applications and data stored on that server. Data Owners will be so designated on their SVCC Employee Work Profiles (EWP).

Information Technology Security Policies

The SVCC Security Plan requires that good management practices be followed to implement information technology security safeguards based on the SVCC IT Risk Assessment and Business Impact Analysis. During the BIA (VCCS Security Guideline 14.1.1) and RA (VCCS Security Standard 4.1) processes, data sensitivity, hardware and software resources, categorization and classification of data, and associated potential damages are addressed. Also, mission critical systems, allowable downtimes, manual processes and responsible personnel are identified. (Sections B2-B5, SVCC Security Plan) SVCC requires the participation of the System Owners and Data Owners in the development of the Business Impact Analysis. It is the responsibility of the System and /or Data Owners to provide accurate and detailed information for the specific business processes within their particular business unit.

The SVCC Security Plan and associated policies is a dynamic document which must be reviewed at least annually and updated every three years. The following is a list of requirements for all information systems maintained at SVCC.

Purpose:

Maintain compliance with applicable VCCS IT security standards.

Scope:

Enforcement:

Enforcement of SVCC Security Policy shall be performed as specified in the Enforcement Procedure section of the VCCS Personnel Security, Acceptable Use Standard.

1.1     Exemptions from Applicability:

The following are explicitly exempt from complying with the requirements defined in this document:

• Systems under development and/or experimental systems that do not create additional risk to production systems
• Surplus and retired systems
• Academic instruction or research systems (This exemption, however, does not relieve these academic instruction or research systems from meeting the requirements of any other state or federal Law or Act to which they are subject.)

Definitions:

Sensitive data: Personal Health Information (PHI) or Personally Identifiable Information (PII) (a combination of a first name, or first initial, last name, and any of the following: financial account number, credit or debit card number and/or the corresponding password, security, or access code, social security number, drivers license number, identification card number, insurance data, or date of birth.)

VITA definition of sensitive data may be found at: http://www.vita.virginia.gov/security/default.aspx?id=327

Academic Instruction and Research Systems: Those systems used by institutions of higher education for the purpose of providing instruction to students and/or by students and/or faculty for the purpose of conducting research.

VCCS Position:

The VCCS is defining “Academic Instruction and Research Systems” as those used in the classroom by students and/or faculty for instructional purposes, and those systems used in a lab environment by students and/or faculty for the purpose of research in support of instruction. Further defined as those systems, applications, services, and related IT infrastructure that support the classrooms, student labs, and other instructional space for the purpose of instruction or research in the aid of instruction which are not used to access and/or store college administrative information. These exceptions do not apply to administrative systems (systems that access, process, or store college administrative information) that are used in the business operation of the college. It is important for the VCCS to define a separation of academic and administrative systems to ensure the highest level of security for the college and the VCCS enterprise while enabling the needs of instruction since the VCCS as an institution falls under the scope of applicability of the ISO27002 Security framework.

. 

2.1     Continuity of Operations: 

In accordance with VCCS Security Standard 14.1, Business Continuity Management, SVCC shall address the development, implementation, exercise, and maintenance of the Continuity of Operations Plan as it relates to IT systems and data. The plan must be reviewed and updated annually, and identify the employees responsible for the plan.

3.1     Disaster Recovery Plan:

In accordance with VCCS Security Standard 14.1, Business Continuity Management, SVCC must establish and document a Disaster Recovery Plan relating to its IT systems and related applications. Section C 2, SVCC Disaster Recovery Plan, SVCC Emergency Procedures. The plan should address the following issues:

• Identify and include manual operating procedures for mission critical business functions.
• State an order of restoration for mission critical business functions, including the technical procedures for implementation and returning to normal operations.
• Identify alternate site locations.
• List recovery team members and responsibilities.

4.1     IT Systems Security:

In accordance with VCCS Security Standards 11.4, Network Access Control, 11.5 Operating System Access Control, and 11.6 Application and Information Access Control, SVCC shall apply appropriate baseline security configurations to all IT systems.  SVCC IT Network Administrators are tasked with developing, implementing, maintaining, monitoring systems for security baselines and policy compliance, and documenting for audit purposes all device configurations. For IT systems that have been identified as high risk or that contain sensitive and confidential data, security configurations should be more restrictive.

When a sensitive system is to run in a shared environment, the additional risks imposed on the sensitive system by the applications systems with which it will share resources, should be identified via a risk assessment. The sensitive applications data owners should be made aware of the additional risks and must accept these risks before the shared computing environment is established.  Enterprise applications will be managed by the VCCS.

For high risk systems and sensitive data, the Systems Office and Colleges should improve security by limiting the time period that system access is available. When employing this control the following should be considered:

• Scheduling set time periods for transmitting batch files, or other short duration interactive sessions;
• Restricting system access to normal office hours whenever feasible;
• Re-authenticate users at timed intervals. 

All security configurations must be reviewed annually by the SVCC IT staff.

Any remote diagnostic or configuration facility for use by maintenance engineers, installed on computer systems, network systems, and communication systems will be disabled as only local access is permitted. Prior arrangement between the network manager and the hardware/software support personnel requiring access is required.

A Firewall should be placed between each campus network and the Verizon / VCCS WAN which provides SVCC with Internet access. Security logging shall be enabled on the firewall as given in SVCC Security Standard 11.4.5, Segregation in Networks. At least once per year, a vulnerability scan will be done from outside the firewall. Results of the scan shall be documented by SVCC IT staff and forwarded to the College ISO.

Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. Routing controls will be based on positive source and destination address checking mechanisms

Where possible, individuals shall use only encrypted means of access across the Internet. Where this is not possible, individuals shall not pass sensitive college information. Encryption methods shall use at least 128 bit encryption keys, with large encryption keys preferred.

4.1.1     Phone System Security:

The phone system is meant primarily to handle the business needs of SVCC.  To this end, personal use of the college phone system should not interfere with the business operations of SVCC

4.1.2     Wireless Security: 

In accordance with VCCS Security Standard 11.4, Network Access Control, all SVCC wireless networking will be installed, maintained and monitored by the SVCC Information Technology Network Services department. No wireless networking equipment shall be installed by anyone other than these personnel, unless prior written approval is received from the IT Network Administrator. Monitoring shall be done to ensure that no rogue access points are installed. Any wireless equipment found that was not installed by Network Services, shall be removed immediately by Network Services staff. Access to the SVCC production network through wireless equipment will be done using the authentication mechanisms comparable to that of the wired network.

Non-COV owned devices shall not connect to the SVCC wireless production network. These devices shall connect to a guest network, and shall not be subject to the requirements given for wireless production networks. Access to the SVCC WLAN will be granted following the SVCC WLAN Access Procedure. (SVCC Security Plan, Attachment D 7.1, Wireless Security)

4.1.3     Legal Disclaimers:

Legal disclaimer shall be placed on all network access points.  Disclaimers shall be set up as a logon banner upon network logon and as a link on the SVCC website home page.

Workstation / Server Logon Banner:

Clicking “OK” below indicates you have read and agree to the terms of the Information Technology Ethics Agreement and further consent to monitoring of your activities by technical support personnel during routine diagnostics of college-owned equipment. The Acceptable Use Agreement is given on the College’s home page at:

http://www.southside.edu/about/general/infosecurity/compethics.asp

Web Disclaimer :

Should any SVCC web site user discover something out of date, please contact the individual author at the email address given at the web site. If a user notices something in conflict with SVCC or VCCS policy, regulations or statutes of the Commonwealth of Virginia, or federal policy or law, please contact the College Webmaster and the individual author. Please see disclaimer at:

http://www.southside.edu/privacy.as

Router Logon Banner:

“State law (article 7.1 of title 18.2 of the Code of Virginia) classifies damage to computer hardware or software (18.2-152.4), unauthorized examination (18.2-152.5) or unauthorized use (18.2-152.6) of computer systems as (misdemeanor) crimes. Computer fraud (18.2-152.3) and use of a computer as an instrument of forgery (18.2-152.14) can be felonies. The VCCS’ internal procedures for enforcement of its policy are independent of possible prosecution under the law.”

 4.1.4     Malicious Code Protection:

The VCCS Security Standard 10.4, Protection Against Malicious Code, describe mobile code as software code which transfers from one computer to another computer and then executes automatically and performs a specific function with little or no user interaction and is associated with a number of middleware services.

SVCC will inform employees of their responsibility concerning malicious programs via security awareness and training and explicitly prohibit: Intentional development or experimentation with malicious programs, and the intentional propagation of malicious programs. This may be distributed via syllabus, signage, VCCS email accounts, or College web sites.

SVCC will strive to provide protection against malicious programs by using detection, protection, elimination, logging, and reporting capabilities.

4.1.5     Systems Interoperability:

SVCC shall require security agreements for sharing system information with other systems or data owners. A system interconnection may be defined as the direct connection of IT systems for the purpose of sharing data. This does not include instances where data is shared via tape or file exchanges.

As given in SVCC Security Standards 11.4, Network Access control, and 6.2, External Parties, routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

Routing controls will be based on positive source and destination address checking mechanisms.

Security gateways will be used to validate source and destination addresses at internal and external network control points if proxy and/or network address translation technologies are employed.

Implementers will consider the strength and shortcomings of any mechanisms deployed. The requirements for network routing control will be based on the access control policy.

Shared networks, especially those extending across organizational boundaries, may require additional routing controls. This particularly applies where networks are shared with third party users.  Any additional routing controls will be identified as part of the risk assessment for the shared network.

4.1.6     IT Systems Development Life Cycle:

In accordance with the COV ITRM 501-01, SVCC should document the security related activities that must be adhered to in each phase of the development life cycle for College IT systems.

Best practices for system development life cycle security are listed in Section D 4 of the SVCC Security Plan to assist in guiding the System Office and Colleges from project definition through disposal of IT application systems.

4.1.7     IT System Audits:

In compliance with the VCCS Security Standard 6.1, Internal Organization, certain aspects of the VCCS Security Plan must be reviewed, evaluated, and /or updated.

4.1.8    Application Security:

In accordance with VCCS Security Standards 11.5 Operating System Access Control,11.6 Application and Information Access Control, 12.1 Security Requirements of Information Systems,12.2 Correct Processing in Applications and 12.4 Security of System Files application security requirements define the high-level specifications for securely developing and deploying Commonwealth applications. (SVCC Security Plan, Section D 6, Application Security)  With the exception of all VCCS enterprise and validated off-the-shelf applications and / or operating systems, the SVCC IT Network Administrator along with the Data Owner will be responsible for satisfying the requirements of this standard and maintaining auditable documentation for the same.

Access to program source code will be restricted to the SVCC IT Network Administrator, his designee, and/or agency approved programmer.

4.1.9     Patch Management:

All operating system and application software patches and /or upgrades must be performed by, documented, and monitored for compliance by SVCC IT network staff only. These changes will be done as per the requirements of the SVCC Software Licensing 11.1.1, and Change Management 11.1.3 security policies and SVCC Security Standard 12.6, Technical Vulnerability Management.

4.2     IT System Security Plans:

Each System Owner of a Sensitive IT system shall:

• Document an IT System Security Plan for the IT system based on the results of the risk

           assessment. This documentation shall include a description of:

           a. All IT existing and planned IT security controls for the IT system, including a

               schedule for implementing planned controls;

           b. How these controls provide adequate mitigation of risks to which the IT system is

               subject.

• Submit the IT System Security Plan to the Agency Head or designated ISO for approval.

• Plan and document additional IT security controls for the IT system if the Agency   

           Head or designated ISO disapproves the IT System Security Plan, and resubmit the     

           IT System  Security Plan to the Agency Head or designated ISO for approval.

• Update the IT System Security Plan every three years, or more often if necessary, and resubmit the IT System Security Plan to the Agency Head or designated ISO for approval.

5.1     Logical Access Control:

In accordance with VCCS Security standard 11.1 Business Requirements for Access Control, Southside Virginia Community College (SVCC) may provide user accounts for all faculty, staff, adjuncts and part time employees of the college as necessary and proper. Accounts issued to users are for college use only and will be audited for misuse.

Access to all SVCC network servers, including but not limited to; domain controllers, phone system servers, voice mail servers, email servers, file servers, web servers, ftp servers, terminal servers, print servers and any general purpose server or workstation, and network hardware shall require a username and password, with the following exception:

• SVCC web servers may allow anonymous access to information that is for public use.

All SVCC systems will be configured to allow least privilege access to users. NTFS permissions will be used to ensure that users will not have access to any system which is not part of their job function.

5.1.1     Remote Access:

Simply stated, remote access is the ability to get access to a computer or a network from a remote distance. Security measures for remote access shall be implemented by SVCC IT Network Service staff based on sensitivity and risk to System Office or College IT systems and data. In accordance with VCCS Security Standards 11.4, Network Access Control,

• SVCC procedures shall document user requirements for use of remote access and the need for remote access to sensitive data. Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan.
• The security of remote access to the College IT systems and data must be in compliance with the with VCCS Standard 12.3, Cryptographic Controls.

• SVCC IT Network Staff must document the requirements for physical and logical hardening of remote access devices.
• Remote access account records must be maintained for audit purposes in accordance with current College policies.

• Mobile computing and communication facilities require remote access via VPN

5.1.1 (a)  Mobile Computing:

In accordance with VCCS Security Standard 11.7 Mobile Computing, VCCS should ensure that the protection required is commensurate with the risks that mobile computing and teleworking causes.  When using mobile computing, the risks of working in an unprotected environment will be considered and appropriate protection applied.  In the case of teleworking VCCS will apply protection to the teleworking site (location) and ensure that suitable arrangements are in place for this way of working.

5.1.2     Authentication:

The identity of each individual who accesses college information, must be verified before access is given to the information.  This identification process is normally performed using the user ID / password process.  The user ID determines who the user is claiming to be.  The submission of a correct password is taken to mean that the person is actually who the user ID claims them to be.

• Use of shared user ID’s shall be limited to workstations allowing only single function use (such as workstations secured so that they can only be used to browse the web). Temporary logical access may be granted on an ad-hoc basis by SVCC IT Network Administrators for contractors (i.e., non-state personnel) working for or on behalf of SVCC with removal of said access immediately upon completion of the related task.

• All users must be authenticated with the exception of the above conditions and users shall be forced to change their passwords every 90 days.

• SVCC Systems shall be set to lock out further logon attempts after 3 failed attempts have occurred.

5.1.3     Passwords Policy :

As given in VCCS Security Standards 11.2 User Access Management, 11.3 User Responsibilities, and 11.5 Operating System Access Control, initial passwords will be securely disseminated to users by SVCC IT Networks Services staff. All password documentation will be maintained by SVCC IT Network Services staff for audit purposes. At first logon, the user will be required to choose a new password using the following format:

• Passwords must be at least eight characters long.
• Password History should be set to 12 passwords remembered
• Maximum password age should be set to 90 days.
• Minimum password age should be set to 5 days.
• Reversible encryption of passwords should be disabled
• Passwords must support the display masking feature.
• Passwords may not contain your user name, any part of your full name or any common dictionary word or phrase.
• Passwords must contain characters from at least three of the following four classes:

In addition, to maintain good security, individual passwords should not have any relationship to other passwords in use.  That way if an attacker obtains one password, they will not be able to gain access to other passwords maintained by the same person.  Passwords should not be accessible by anyone except by the owner of the password.  Passwords should be changed regularly.

• Passwords should not be cyclical. When a password expires, do not name the new password as an identifiable iteration of the last password (i.e., pass1, pass2, pass3, etc.)

• Passwords used in the college should not be used on systems outside the college
• Require passwords on mobile devices such as PDA’s and smart phones. For mobile phones, use a 4 to 5 digit pin number.

• Password protected screen-savers shall be implemented. Lockout period after 30 minutes inactivity for COV devices. COV devices located in classrooms or public use areas would be exempt from the screen saver lockout.

• Guest accounts are prohibited. Shared passwords shall not be used on any IT systems.

• Require passwords be set on device management user interfaces for all network connected devices.

• Set an account lock out threshold of not greater than 5 invalid attempts and the lockout duration for at least 15 minutes.
• Passwords must not be stored in readable form in batch files or other locations unless sufficient security precautions are taken to ensure the security of the password.
• All vendor default passwords must be changed upon system installation.
• If a suspected disclosure of passwords has occurred, all involved passwords shall be immediately changed.
• All failed logon attempt must be logged; accounts will be locked after 3 unsuccessful logon attempts; proof of identity is required to have a password reset.
• New passwords will be issued in a state that requires immediately changing the first time the user logs on.

5.1.4     Account Creation / Authorization:

As given in VCCS Security Standards 11.2 User Access Management, 11.4, Network Access Control, 11.5 Operating System Access Control, 11.6 Application and Information Access Control, and 8.3 Human Resource Security, the following controls have been adopted.

• All users requesting VCCS Enterprise Application (peoplesoft, SIS etc.) or LAN accounts on the SVCC network MUST have the Procedure for Granting Access completed by their supervisors prior to receiving their account. This may include, but is not limited to; Faculty, Staff, Adjuncts and Part Time Employees. No account should be issued until the request in IssueTrak has been approved and submitted to all appropriate access granting personnel.  The appropriate supervisors will conduct annual reviews of all employee account access and authorization to ensure that they remain appropriate and will document the same on the Employee Work Profile (EWP). The process for granting or removing access must be completed and electronically signed in IssueTrak by the new user’s supervisor, and all appropriate access granting personnel.

  Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan.

• Access to VCCS Enterprise Applications and SVCC LAN: Employees who seek access to the VCCS Enterprise Applications or SVCC LAN accounts should make a request to their respective supervisor. Once the supervisor approves the request it is to be sent to the appropriate access granting personnel using the the IssueTrak procedure for granting or removing access for approval. Logical access will be given after the request has been approved by all access granting personnel and upon completion of the process. The completed process will be maintained for audit purposes on the IssueTrak application server. Three to five working days should be allowed for processing to be completed.
• Adding or Changing VCCS Enterprise Account Access: Employees requesting a change in logical access due to a role / job assignment change should have their supervisor complete the IssueTrak procedure for granting or removing access . Three to five working days should be allowed for processing to be completed.
• Deleting VCCS Enterprise Application or SVCC IT Resource Access: Employees requesting deletions of VCCS Enterprise Application access should have their supervisors complete the the procedure for granting or removing access via IssueTrak. When the request is received by the Peoplesoft / Security Administrator, this person deletes the account access from the employee's USER-ID. At such time an employee no longer requires logical access to IT resources, (i.e. resigning from the College), the employee’s supervisor should complete the IssueTrak procedure for granting or removing access to have the employee’s VCCS enterprise application and SVCC logical access deleted. All other access granting personnel must be informed of the change in status of the employee, and approve the changes as given via the IssueTrak application. It is the responsibility of the employee’s supervisor to confirm that this task is completed. Access to all SVCC IT resources for a person no longer employed by SVCC will be terminated at the close of business on the date of termination.

• Each new user must complete the Security Awareness Training provided by SVCC within 30 days of receiving their SVCC account.  If the user has not completed the Security Awareness Training within 30 days, the user’s account will be disabled until the training is complete.
• All inactive accounts shall be deactivated after a period of 90 days; if it is determined that the account is unneeded, it shall be deleted.
• All SVCC accounts will be configured to allow least privilege access to users.  NTFS permissions will be used to ensure that users will not have access to any system which is not part of their job function.
• Employee logical access will be evaluated annually by their supervisors to ensure that the employee access consistent with the concept of least privilege. The supervisor will document the same on the Employee Work Profile (EWP).
• SVCC must document termination, transfer, or role change with respect to logical access using the Procedure for Granting Access, Section H 1, Attachment H 1.1, SVCC Security Plan.
• Temporary logical access may be granted on an ad-hoc basis by SVCC IT Network Administrators for contractors (i.e., non-state personnel) working for or on behalf of SVCC with removal of said access immediately upon completion of the related task. The IT Network Administrator granting the access must document the access using the Procedure for Granting Access.
• The Third-Party Non-disclosure Agreement is to be used when a third-party will be given access to sensitive IT systems and/or data for which there is a risk associated with data disclosure.
• Unusual account activities will be investigated by IT Network Services staff.

• IT Network Administrators shall have both an administrative account and at least one user account which they use their administrative accounts only when performing tasks that require administrative privileges.

• Configure applications to clear cached data and temporary files upon exit of the application or logoff of the system.

6.1     Data Protection:

In accordance with VCCS Security Standards 10.7 Media Handling and 10.8 Exchange of Information, all sensitive information shall be labeled either [confidential] or [internal use only] in the document containing the sensitive information; confidential and internal use only documents are not accessible to the general public. Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners.  All SVCC employees will be the Data Custodians responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage.

• All personal data shall be treated as confidential information.
• All storage medium shall be classified to highest level of information they may contain.
• SVCC prohibits the posting of any classified or sensitive data based on confidentiality on any public web site.
• All storage medium must be destroyed or securely erased, using approved methods before disposal.
• Controls must be in place to prevent sensitive data from leaving the campus
• The VCCS System Office and Colleges will protect media containing sensitive or confidential information against unauthorized access, misuse, or corruption during transportation beyond the System Office or College physical boundaries. Information can be vulnerable to unauthorized access, misuse, or corruption during physical transport, for instance when sending media via the postal service or via courier.
• Security agreements must be in place prior to sharing system information with other systems (non-VCCS) and / or data owners.
• SVCC does not recommend the auto forwarding of emails.
• Prohibit Storing of any Commonwealth data on non-COV owned or leased computing devices is prohibited due to records retention and Freedom of Information Act (FOIA) complexities, as well as the associated information security risks
• Sensitive data should not be stored on any non-network storage device or media, mobile storage media, including laptops, desktops and mobile workstations, as well as any non-network drive, USB Drives and CD’s, except for backup media, unless the data is encrypted.

Note: Non-network storage device or media, includes removable data storage media and the fixed disk drives of all desktops and mobile workstations, such as laptop and tablet computers, USB drives, CDs, etc.

• SVCC must prohibit the connection of any non-COV owned data storage media or device to a COV-owned network, unless the connection is to a segmented network. SVCC must prohibit the storage of COV data on any mobile data storage media not owned by the COV. This prohibition, at the agency’s discretion, need not apply to an approved vendor providing operational IT support services under contract.

Note: Such media include, but are not limited to, laptops, desktops and mobile workstations USB drives, cell phones, CD’s, personal digital assistants, and digital music players owned by employees, contractors, and students.

6.1.1     Redundancy and Tape Backups:

In accordance with VCCS Security Standard 10.5 Backup, the following controls have been adopted:

• All college back-up data shall be stored in at least two separate locations. The off-site location must be geographically/separately distinct from the primary location.

• Procedures must be implemented and documented to safeguard handling of all backup media containing sensitive data. Encryption of backup media shall be considered where the data is Personal Health Information (PHI) or Personally Identifiable Information (PII). Where encryption is not a viable option, mitigating controls and procedures must be implemented and documented. Personal Health Information (PHI) or Personally Identifiable Information (PII) (a combination of a first name, or first initial, last name, and any of the following, financial account number, credit or debit card number and/or the corresponding password, security, or access code, social security number, drivers license number, state ID number,insurance data, or date of birth. )
• Where possible, the SVCC network shall be set up to limit the number of single points of failure in the system.
• Weekly full backups shall be stored offsite, and be maintained for a maximum of 3 months.
• Electronic media must be managed so it may reproduced in a timely and complete manner when necessary (such as during a legal proceeding).

• Document and exercise a strategy for testing disaster recovery procedures and that IT system and data backups are functioning as expected and the data is present in a usable form.

• The retention period for essential business information, and any requirement for archive copies to be permanently retained should be determined in accordance with Library of Virginia retention schedules for both physical and virtual records as well as the timely destruction of records per Virginia Code §42.1-86.1 Disposition of Public Records.

6.1.2     Encryption:

In accordance with VCCS Security Standards 12.2 Correct Processing in Applications and 12.3 Cryptographic Controls, where possible, individuals shall use only encrypted means of access for data that is sensitive relative to confidentiality and integrity via non-Commonwealth networks or public WAN such as the Internet. Where this is not possible, individuals shall not transmit sensitive college information. Encryption methods shall use at least 128 bit encryption keys, with large encryption keys preferred.

• Sensitive data: Personal Health Information (PHI) or Personally Identifiable Information (PII) (a combination of a first name, or first initial, last name, and any of the following, financial account number, credit or debit card number and/or the corresponding password, security, or access codesocial security number, drivers license number, state ID number, insurance data, or date of birth.)
• SVCC IT Network Administrators should define and document practices for selecting and deploying encryption technologies, and provide technical training for IT staff.
• SVCC IT Network Administrators will be responsible for administration and distribution of encryption keys via a secure key management system.
• Encryption keys should only be generated through an approved encryption package as defined in VCCS Standard 12.3 Cryptographic Controls.

6.1.3     Protection of Sensitive Information on Non- Electronic Media:

As given in VCCS Security Standards 10.5 Backup, 10.7 Mobile Computing, and 11.3 User Responsibilities, this section outlines the best practice steps that should be taken to protect sensitive Commonwealth information that may be stored on non-electronic media such as, the spoken word, paper documents, white or black boards, photographs, etc. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities have been adopted.

This clear desk and clear screen policy VCCS Security Policy, 11.3.3 takes into consideration the information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects of VCCS. In defining this policy VCCS considered the following:

• Sensitive or critical business information, e.g. on paper or on electronic storage media, will be locked away when not required, especially when the office is vacated;
• Incoming and outgoing mail points and unattended facsimile machines will be protected;
• Unauthorized use of photocopiers and other reproduction technology (e.g., scanners, digital cameras) will be prevented; and Documents containing sensitive or classified information will be removed from printers.

Recommended Practices

These recommendations apply to non-electronic media:

1. While in use, limit access on a need to know basis by physically controlling access. For example, sensitive documents printed to a global printer should be retrieved without delay.

2. While not in use, store in a secure location with appropriate physical controls.

3. When no longer needed, securely destroy using appropriate destruction methods such as erasing whiteboards and shredding paper.

7.1     Facilities Security:

In accordance with VCCS Security Standards 9.1 Secure Access, 9.2 Equipment Security, and 11.3 User Responsibilities the following controls have been adopted.

• All COV IT equipment including network servers and ancillary devices shall be in a locked room or secured in a locked enclosure. All critical physical security points must be identified and secured by the use of locks, cameras, or other reasonable and proper means.  SVCC Management will allow, deny, or terminate physical access to critical security points. SVCC Management will approve and provide appropriate levels access and documentation of said access to critical security points as per section 2.12, Keys of the SVCC Faculty-Staff Handbook.

• All network server rooms shall have CO2 based fire extinguishers located within the room. Network Technicians shall be aware of the location of the closest fire alarm. 

• The network server room should be monitored for temperature and humidity.
• All network servers shall be run on an uninterruptible power supply (UPS).
• Water detection systems may be installed with the UPS systems to notify of the presence of water on the server room floor in order to prevent damage to the server equipment
• A list of authorized access personnel that are approved access to the server rooms or wiring / phone closets shall be maintained, reviewed annually, and kept current by the college ISO. Access to mission critical areas is based on the concept of least privilege.  A visitor log sheet shall be maintained by IT Network services to document any visitors to the server rooms or wiring / phone closets not on the approved access list.  All visitors to the server rooms or wiring / phone closets shall be escorted at all times.
• Controls shall exist to ensure that physical objects (badges, keys, etc) are returned after termination or transfer.(Faculty-staff Handbook Section 3.18, Employee Checkout Sheet)

• Terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver.
• Log-off mainframe computers, servers, and office PCs when the session is finished.
• Secure PCs or terminals from unauthorized use by a key lock or an equivalent control,e.g. hard disk encryption password access, when not in use.

8.1     Personnel Security:

In accordance with VCCS Security Standards 8.1, 8.2, and 8.3 Human Resources Security existing state law and regulations impose significant responsibilities on employees for the security of information. If deemed necessary, SVCC will take personnel action based on the following state laws and regulations:

1.      The Virginia Employee Standards of Conduct and Performance specifically includes unauthorized use or misuse of state records, falsification of records, the willful or negligent damage or defacing of records and records theft as violations. The formal disciplinary process will ensure correct and fair treatment for employees who are suspected of committing breaches of security and will follow the guidelines for Group III offenses as defined in Human Resource Policy & Law - Standards of Conduct #1.60

2.      The Government Data Collection and Dissemination Practices Act (formerly the Virginia Privacy Protection Act of 1976) specifically requires that State agencies and institutions take affirmative action to establish rules of conduct and to inform employees involved in the design, development, operation or maintenance of an information system that misuse of personal information, or failure to take steps to ensure that information is accurate and reliable, may result in the individual employee being subject to injunction and assessed the costs of court action.

3.      The Virginia Computer Crimes Act (Code of Virginia § 18.2) imposes both misdemeanor and felony violations for the unauthorized viewing, copying, alteration or destruction of computer data, software or programs.

Therefore, SVCC has the following personnel security measures in place:

• All Prospective new employees will have background checks done as part of the hiring process. The SVCC Human Resources department will maintain all associated documentation as a part of said process.

• All individuals with access to sensitive data must be familiar with SVCC policies and procedures relating to sensitive data. Employee job descriptions must accurately reflect assigned duties and responsibilities in order to define required IT system access.
• Technical support personnel will be cross-trained so that procedures can be followed unaffected by the absence of any one key individual.
• Access to sensitive areas / information is granted on the basis of least privilege. Access may be granted (or terminated when no longer required), temporarily disable physical and logical access rights when personnel are out for prolonged period in excess of 30 days due to disability or other authorized purpose, Disable physical and logical access rights upon suspension of personnel for disciplinary purposes.

• All SVCC Employees are required to read and sign the VCCS Information Technology Employee Acceptable Use Agreement.

• All SVCC Employees are required to read and comply with the VCCS Information Technology Acceptable Use Standard.

8.1.1     Security Awareness and Training:

In compliance with VCCS Security Standards 8.2 Human Resources Security, and 10.4 Malicious Code Protection all SVCC employees involved with information technology must be aware of their security responsibilities and know how to fulfill them.  Accordingly, SVCC has set up the SVCC Security Awareness and Training program. The program is implemented by using the Managed Ongoing Awareness Tools (M.O.A.T.) program.  All employees at SVCC shall receive security awareness training.  New employees must complete this training within 30 days from initial reporting date. If after 30 days, the user has not completed the training; their account will be disabled until the training is completed.   All employees will be required to receive refresher training at least once per year. Users will be notified via email when they need to take the refresher training.  After notification, users will have 30 days to complete the Security Awareness Training.  If after 30 days, the user has not completed the training; their account will be disabled until the training is completed. All employee progress and certification status is monitored and tracked by the M.O.A.T. application which can generate reports based on various search criteria. The employee must also verify electronically that they have completed the training course. Upon successful completion of the course, the employee may print a hard copy of a program completion certificate.

• The SVCC Information Security Officer shall be responsible for documenting and maintaining security training records for the Managed Ongoing Awareness Training (M.O.A.T.) program. All other security awareness training will be documented by the appropriated supervisor and / or SVCC Human Resources department.
•  SVCC will make available specialized or advanced training and information technology security training programs that are commensurate with the level of expertise required for the system components and information resources for which the college personnel are responsible. These requirements are met by using training opportunities afforded SVCC by the VCCS, Virginia Tech, VA SCAN, the SANS institute, and other applicable training providers. It will be the responsibility of the individual employee’s supervisor to ensure compliance with this requirement.
• SVCC makes additional security awareness training available to all employees at the following locations:

           http://www.southside.edu/student/infosecurity/tipofmonth.asp

           http://inside.southside.edu/security/security_awareness.asp

       The Commonwealth Security Information Resource Center (CSIRC)

• Adjunct faculty, special needs employees, short term employees, and third parties / consultants working on behalf of the college must read and sign the VCCS Security Awareness and Training document as listed in the SVCC Security Plan, Section H2.

9.1     Network Usage Policy

In accordance with the VCCS Acceptable Use and Security Standards 11.4 Network Access Control,11.7 Mobile Computing, 10.6 Network Security Management,10.8 Exchange of Information, 10.9 E-Commerce Services, 6.2 External Parties, 7.1 Responsibility for Assets, and 8.1 Human Resources Security the following controls have been adopted.

• Any software adversely affecting SVCC information systems may be removed at the discretion of the SVCC IT Network Administrator. Programs may be considered to adversely affect SVCC information systems by consuming excessive processor time, disk space, processor memory, or network bandwidth.

• Students are required to comply with the VCCS Student / Patron Acceptable Use Agreement.

• Personal use of the SVCC network must not interfere with normal business activities.  It must not involve solicitations or be associated with any for-profit outside business activity.
• Peer-to-Peer file sharing (P2P) is prohibited on the campus network as given in the VCCS P2P File Sharing Disclosure standard. These applications are considered security risks because they use direct communications between computers (or "peers") to share or transfer data. Users of the SVCC network may not use peer-to-peer file sharing programs, including, but not limited to, Limewire, eDonkey, KaZaA, Gnutella, Morpheus, Audiogalaxy, WinMX and BitTorrent. For the purposes of this policy, a Peer-to-peer file sharing application is any application that transforms a personal computer into a server that distributes data simultaneously to other computers. Please note that copyrighted materials cannot be shared by any means without proper permission. This includes sharing via network file shares, the web, or any other means and is not limited to peer-to-peer programs.
• Require acknowledgement that the COV reserves the right (with or without cause) to monitor, access and disclose all data created, sent, received, processed, or stored on COV systems.

• Direct the use of an authorized COV warning banner to communicate that IT systems and their use may be monitored and viewed by authorized personnel; and there is no expectation of privacy when using a Commonwealth IT system.

• Local Administrator rights (or the equivalent on non-Microsoft Windows-based IT systems) shall be limited to only authorized application and infrastructure IT staff.
• Connecting non-COV-owned devices to a COV IT production system or network, such as personal computers, laptops, and hand-held devices is prohibited (except in accordance with the Telework standards).

• All network usage must comply with the VCCS Information Technology Acceptable Use standard.

• IT system users shall not perform any of the following operations on COV owned equipment:
• Install personal software;
• Install, remove, modify hardware or software;
• Install or use proprietary encryption hardware or software;
• Modify security controls on workstations;
• Prohibit the transmission of unencrypted sensitive data over the Internet.

9.1.1     Privacy:

• It is the policy of the Commonwealth of Virginia that personal information about citizens will be collected only to the extent necessary to provide the service or benefit desired; that only appropriate information will be collected; that the citizen shall understand the reason the information is collected and be able to examine their personal record which is maintained by a public body. The complete SVCC privacy statement is available at http://www.southside.edu/privacy.asp.

9.1.2     Email Communications:

• Unsecured email shall not be used to send sensitive data relative to confidentiality or integrity if there is no encryption. An email disclaimer as approved by VCCS legal counsel will either be prepended or appended to emails. These statements are frequently used to create awareness of how to treat the data in the email.

9.1.3    Electronic Communications:

In accordance with VCCS Security Standard 10.8 Exchange of Information, the Virginia Community College System is committed to using available technology to communicate among members of the campus communities and recognizes an expanding reliance on electronic communication among all VCCS constituencies. The VCCS will define the proper use of electronic communications, and ensure that:

• The VCCS uses electronic communication systems in an ethical manner in compliance with all applicable laws and with rules for acceptable use established by VCCS.
• Computer users are alerted to concepts of privacy and security as they apply to email.
• The risks of disruptions to VCCS electronic communication system and other services and business activities are minimized.

10.1     Threat Management:

10.1.1     Virus Protection:

As given in VCCS Security Standard 10.4 Malicious Code Protection the following controls have been adopted

• VCCS and Colleges will protect information by implementing detection, prevention, and recovery controls against malicious code.
• Care will also be taken to protect against the introduction of malicious code during maintenance and emergency procedures, which may bypass normal malicious code protection controls.
• It is the responsibility of each individual to scan their documents for viruses before sharing them with other people.
• Anti-Virus software should be configured to automatically update its virus definition files.
• It is the responsibility of each individual to immediately notify the SVCC IT Network Services department if a virus is detected.
• The Anti-Virus system implemented at SVCC shall scan attached files while in the email client inbox.
• The virus protection system shall scan files immediately upon their being saving to a file server or workstation.

10.1.2     Security Monitoring and Logging:

As given in VCCS Security Standard 10.10 Monitoring,all actions relative to system security must be documented by SVCC IT Network Administrators or System Administrators. SVCC information systems will meet the following requirements:

• System security logs shall list logon and logoff times and all other relevant security events such as failed logon and access attempts in order to support security audits. Such documentation must be reviewed by SVCC IT Network Administrators weekly.

• SVCC must enable logging capabilities on all IT systems and applications where practicable and does not impede the performance of the IT system or otherwise impact the Systems Office or College business practices.

  At a minimum, logs will include:

      a. The user ID associated with the event.

       b. The time the event occurred.

• Event logs should be monitored so that quick reactions to an attack are implemented.  SVCC must specify the type of actions a particular program can take, based on the possible security implications, when suspicious or malicious traffic is detected. The SVCC IT Staff will maintain documentation with specific information as to the nature of the suspicious traffic, the mechanism by which it was detected, and the actions taken by the detecting device(s) upon such detection.
• All event logs must be stored for a minimum of 4 weeks.
• The use of keystroke logging, except when required for security investigations and approved in writing by the Agency Head, is prohibited.
• All security related logs shall be reviewed on a consistent basis by the SVCC IT Network Administrators to ensure that SVCC security is not being compromised.
• IT Network Administrators must take reasonable precautions in order to insure that SVCC has accurate security information in the security log.
• All security violations must be reported to management and investigated by IT Network Services.
• Prohibit the installation or use of unauthorized monitoring devices.

Note: For investigative purposes, the CISO or ISO has the responsibility to authorize monitoring or scanning activities for network traffic; application and information access; user commands; email and Internet usage; and message and information content for IT systems and data. As noted above, the use of key-stroke logging is prohibited, except when required for security investigations and a documented business case outlining the need and unmitigated risk has been approved in writing by the Agency Head. The CISO and the ISO shall notify each other when appropriate.

10.1.3     Threat Detection / Incident Handling:

In accordance with VCCS Security Standards13.1 Reporting Information Security Events, and 13.2 Management of Information Security Incidents, incident handling is necessary to detect incidents, minimize loss, mitigate weaknesses and restore System Office and College resources promptly and efficiently. Incident handling involves having the necessary tools and resources in place to appropriately handle an incident. The SANS Institute defines an incident as “An adverse event in an information system and/or network, or the threat of the occurrence of such an event. Incident implies harm or the intent to do harm.”

• It is mandatory that all employees of SVCC report all suspected security incidents to the SVCC Information Security Officer.  They may do so by calling the SVCC help desk or calling the SVCC Information Security Officer directly.  All reported security incidents must be investigated by the appropriate personnel. See Guidance on Reporting Incidents, Section I, Attachment I 2.1 SVCC Security Plan.
• SVCC shall have a plan which includes the development, acquisition, testing, training, maintenance of threat detection activities, and the personnel responsible for each aspect of the same. See the SVCC Incident Handling document Section I 1 SVCC Security Plan.

• Implement Intrusion Detection System (IDS) and Intrusion Prevention System (IPS).

Note: The CISO, in conjunction with the Agency Head through the agency ISO or other Administration authorities as necessitated by circumstances, may authorize the confiscation and removal of any IT resource suspected to be the object of inappropriate use or violation of laws, regulations, policies or standards in order to preserve evidence that might be utilized in forensic analysis of a security incident.

10.1.4     Incident Response Team :

SVCC must designate an Incident Response Team that includes personnel with the appropriate expertise and authority to respond to each phase of an incident report. 

The SVCC team consists of the following personnel:

Jack Ancell, Dean of Information Services

Chad Wollenberg , IT Network Administrator

Eddie Bennett, Buildings and Grounds Supervisor: Daniel Campus

Roger Wray, Buildings and Grounds Supervisor: Christanna Campus

Peter Hunt, VP of Finance and Administrative Services

Bethany Harris, Human Resources Manager

Christie Hales, Public Relations Officer

Marysue Lewis, IT staff

Lydia Ramsey, IT Staff

Will Hamilton, ISO

*Any other personnel as necessary

10.1.5     Data Breach Notification:

In accordance with VCCS Security Standards13.1 Reporting Information Security Events, and 13.2 Management of Information Security Incidents when unencrypted COV personally identifiable information (PII) is subject to a breach in security resulting in unauthorized disclosure, the data owning agency shall provide appropriate notice to affected individuals. This notice should occur without unreasonable delay as soon as verification of a breach is made, consistent with the investigative needs of both COV CIRT and law enforcement entities. Where non-electronic records are involved or implied, the following are advisory in nature, but are strongly recommended:

Each agency shall:

1. Identify all agency systems, processes, and logical and physical data storage locations (whether held by the agency or a third party) that contain Personally Identifiable Information (PII) which means a combination of a first name, or first initial, last name and any of the following:

     a. Social Security Number

     b. Drivers license or Identification card number

     c. Financial account number, credit or debit card number and/or the corresponding

         password, security, or access codes.

     d. Other personal identifying information, such as insurance data or date of birth.

The individual Business Units at SVCC will be responsible for satisfying all the requirements of the VCCS Security Standards 13.1 and 13.2. The System and / or Data Owners for each Business Unit will be responsible for the identification, resolution, and documentation of all compliance issues as given in the standard.

The Business Units for SVCC are as follows:

• Academic & Student Affairs
• Administrative and Facilities Management
• Adult Education 
• Dual Enrollment 
• Enrollment Management 
• Financial Aid 
• Information Technology 
• Institutional Advancement
• Institutional Effectiveness
• Library, Learning Resources 
• Middle College 
• Off Campus Instruction 
• President’s Office 

• Southern Virginia Higher Education Center

• Student Services
• Workforce Development & Continuing Education 

11.1     IT Asset Management

11.1.1     Software Licensing:

In accordance with VCCS Security Standards 12.4 Security of System Files, 12.5 Security in Development of Support Processes, and 12.6 Technical Vulnerability Management, the following controls have been adopted.

• SVCC must have documentation proving compliance with software license agreements. SVCC IT Network staff will maintain proper documentation for all software installed on COV equipment.
• SVCC will obey all intellectual property laws such as the U.S. copyright law as it relates to electronic information and copyrights.
• IT Staff will assess that all software currently in use is used as per its respective license agreements annually, and document the same. The Approved Software List will be reviewed by the IT Network Administrators and ISO.
• Installation of all approved software must be done by SVCC IT Network Services staff. Software is to be approved by SVCC IT staff. All other software installation is prohibited.
• Require the use of only agency approved software and service provider approved systems management software on IT systems.
• VCCS and Colleges will ensure applications and operating system software is only implemented after successful testing of usability, security, and effects on other systems are carried out on separate nonproduction systems or environments.  

Exceptions: Legacy software used for instructional and/or testing purposes may be exempt from the requirements of the standard if:

• The software is installed on a standalone computer or on systems that are securely segmented from the administrative network.
• If installed for other than testing purposes, the software must be documented as per above requirements for approving new software.

11.1.2     IT Asset Control: 

In accordance with VCCS Security Standards 7.2, Information Classification and 9.2, Equipment Security Commonwealth of Virginia policies and procedures for asset management are already a requirement and the System Office and Colleges may have an individual assigned to this duty for overall asset management. The VP of Finance and Administrative Services is tasked with this responsibility (See section 4.4, SVCC Faculty-Staff Handbook). A list of all agency hardware and software will be created and reviewed annually.

 Commonwealth of Virginia assets including hardware and software shall not be removed from the campus without completion of the Equipment Check-Out record and proper authorization.

SVCC IT Network Services staff shall provide, and maintain documentation for, a general description of system architecture and functionality. Indicate the operating environment, physical location of all campuses, building plans indicating general location of users, and partnerships with external organizations / systems.

SVCC Network Services staff shall provide a network diagram of the architecture, including security controls and telecommunications connections. This document shall be maintained and kept current by SVCC IT Networks Services staff.

SVCC specifies that personal IT assets (assets not owned by COV) may be allowed on the premises. These devices include, but are not limited to, laptop computers, USB drives, PDA’s, cell phones, digital music players owned by employees, contractors, and students. These devices collectively referred to as mobile storage media may not be connected to any COV production system. Also, data owned by the COV may not be stored on these devices.

11.1.3     Change Management:

In accordance with VCCS Security Standards 10.1 Operational Procedures and Responsibilities, 10.3 System Planning and Acceptance, 12.1 Security Requirements of Information Systems,12.4 Security of System Files, and12.5 Security in Development of Support Processes, SVCC must have controls in place for developing, testing, authorizing, accepting, and documenting changes and configurations. See SVCC Change Control Procedure, Section J 3, SVCC Security Plan.

• Changes to college enterprise edge devices must be coordinated through VCCS Information Technology services.
• In emergency situations, the SVCC Change Control Procedure may be circumvented as deemed necessary and proper by the IT Network Administrator, or SVCC senior management. The changes will be reviewed and approved after the problem is resolved.

11.1.4     Surplus Equipment:

• In accordance with VCCS Security Standard 9.2, Equipment Security, 10.2 Third Party Service Delivery, and 10.7 Mobile Computing, prior to the surplus, transfer, trade, replacement or disposal, of all computer hard drives and electronic storage media, all Commonwealth of Virginia data must be eradicated.

11.1.5     Security Forms:

• Systems Interoperability Logging form
• Employee Checkout Sheet
• Equipment Checkout Record

• Visitor Registration Sheet
• Emergency Access Authorization form
• VCCS Security Awareness and Training for third parties form  
• Computer Incident Reporting form
• Incident Handling Procedure
• Incident Handling Contact Information form
• Incident Detection Sheet
• System Detail Sheet
• Incident Containment Sheet
• Preliminary Investigation Sheet
• Incident Eradication Sheet
• Malware Questionnaire