Safeguarding College Information Procedure - 61.13.01
College Policy Number/Title:
Howard Community College (HCC) is committed to ensuring the confidentiality, integrity and availability of student, faculty, staff, and organizational data. Sophisticated cybersecurity attacks on institutions of higher education are increasing on a daily basis. Data breaches can expose institutions to costly network remediation activities, potential government penalties, and erosion of public confidence.
Federal laws such as the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and others related to HCC’s educational mission require the college to implement security controls to safely use data.
This procedure establishes security controls to protect data hosted onsite, or by external information technology (IT) service providers from unauthorized access, damage, and destruction.
To prioritize data security activities, HCC conducted a security categorization of its data. Categorization took into account regulatory compliance, legal protections, ethical and privacy concerns, and proprietary value. Data is categorized as 1) Regulated, 2) Confidential, or 3) Public.
Regulated data examples include, but are not limited to, academic performance records, banking information, birth dates, counseling records, financial aid data, medical records, and social security numbers. This data is commonly referred to as personally identifiable information (PII).
Confidential data examples include, but are not limited to, employee evaluations, marketing plans, network information, and intellectual property.
Public data examples include, but are not limited to, board of trustees’ open meeting materials, college reports, course descriptions, directory information, marketing materials, newsletters, and web content. This data is generally accessible or available on request through the Maryland Public Information Act process.
Obtaining Access to and Handling Business Applications and PII Data
Access to business applications and PII data is dependent on a need established by supervisors, completion of required information security awareness training, and role-based cybersecurity training. Access to business applications and PII data is limited to users authorized by their supervisor to perform specific duties, functions and transactions. Role-based authorization allows users access only to the data necessary to accomplish their business functions. Supervisors assign individuals separate duties to reduce the risk of an insider threat. Employee permission to access data is then monitored and managed until it is no longer needed.
Protecting Storage Media
Digital media includes, but is not limited to, compact discs, external hard drives, flash drives, mobile devices and cloud-based storage. Non-digital media includes paper records. Employees must not store regulated or confidential data on personally-owned computers, digital media, mobile devices or cloud-based storage. Employees must securely store all non-digital media in a locked cabinet, drawer, or desk.
Employees must obtain supervisory permission before storing regulated or confidential data on digital media. Once approved, employees may contact the HCC Technology Service Center for assistance in storing encrypted data on HCC-provided technology. Supervisors must ensure that users maintain accountability of media and mobile devices on which regulated or confidential data is stored. When media is not in use, users securely store it in a locked cabinet, drawer, or desk. Lost digital media storing regulated or confidential data must be reported as an incident to the HCC Technology Service Center at (443) 518-4444 or via the Technology Service Center portal.
OneDrive is a convenient cloud-based storage system for college data files. HCC’s OneDrive has been approved for storage of all classifications of data files, but supervisors must provide written approval for storage of regulated and confidential data. Although OneDrive is the endorsed cloud file sharing solution for the college, there are security practices that must be followed to ensure the safe handling and storage of files. If you do not have a college-supplied device, then it is your responsibility to ensure that any other device that accesses HCC’s OneDrive and data files:
- Has current and up-to-date malware detection installed
- Has a current and up-to-date operating system
- Has current and up-to-date applications
- Is password protected and has a screen saver lock set to 15 minutes of inactivity
- Does not sync files from non-college devices to HCC’s OneDrive
Protecting Data in Transit
When data is being transferred between systems or system components, the data is in transit. The college’s transmission of data to and from the cloud service provider is secured using transport layer security (TLS). If the transmission is required to meet a specific government reporting mandate, the data must be encrypted prior to transmission. Users may contact the HCC Technology Service Center for assistance in encrypting and transmitting data using HCC-provided technology.
Connecting to External IT Services
IT department authorization of external IT services that process, store, or transmit data, including cloud services (infrastructure as a service, platform as a service, or software as a service) is required prior to interconnection. This ensures the IT department has visibility over all interconnections with external networks and implements technical controls to verify the security of HCC data in transit.
Additionally, authorization verifies that the service provider has safeguards in operation that prevent the compromise, damage, or loss of HCC data. Examples of verification documents are third-party independent assessments, attestations, or other means determined by the IT department.
Reporting Data Security Incidents
Any member of the college community who becomes aware of a data security incident should immediately report it to the HCC Technology Service Center by calling (443) 518-4444, or via email at the Technology Service Center portal. The incident will be processed in accordance with the college incident response plan (IRP).
Effective Date: 05/14/21
President's Office Use: VPIT/VPSS