VIII.A. Information Security
VIII.A.1.1. Information Security Policy
The College preserves Information security, confidentiality, integrity, and availability. The College employs a risk management philosophy that ensures all Information is identified, valued, assessed for risk, and protected, consistent with the College’s needs. Improper Information disclosure, modification, or destruction may harm the College’s mission-supporting operations. The College therefore adopts a hierarchical set of industry best practices and frameworks that help users and administrators define and mitigate risks, balancing the value of the Information against the cost of mitigating the risk to it.
Users are responsible for acceptable use. All users must abide by the College’s Information policies, procedures, and standards as a condition of access. Failure to do so may result in immediate and unconditional termination of all or part of a user’s access, without prior notice. The user may also be subject to disciplinary action and/or criminal prosecution, where applicable. Section VIII governs Information security, confidentiality, integrity, and availability.
VIII.A.1.2. Definitions
- Information means definable data stored in any manner recognized as valuable to the organization.
- User means the person accessing Information for the purposes of generating, sending, receiving, storing, viewing, controlling, managing, or otherwise processing the content of the Information.
- IT Systems means all computer systems, programs, networks, hardware, intellectual property, databases, operating systems, Internet websites, website content and links, and equipment used to process, store, maintain, and operate data, information and functions used in, intended to be used in, or held for use in the College’s day-to-day business.
VIII.A.1.3. Policy Scope
This Section covers all Information transmitted using the College’s resources. Transmission methods include the following non-exhaustive list: electronic media; social media; desktop and laptop computers; servers; network infrastructure; telephones; facsimiles; printers; and mobile computing devices. This policy applies to all individuals and processes that access, view, use, or control College Information. Covered individuals include, but are not limited to, faculty, staff, students, volunteers, contractors, university and K-12 partners, and any other groups, entities or individuals using College resources.
VIII.A.1.4. Prohibited Use
The College prohibits Users from engaging in the following when using College resources:
- Anonymous or forged email messages.
- Unauthorized attempts to access another person’s email or similar electronic communications; use of another’s name or email address; or sending unauthorized email or similar electronic communications. This includes when another person’s data is stored on LSC equipment or authorized data storage sources.
- Using College email or any other College-owned Information transmission method for commercial purposes or personal financial gain.
- Attempted or actual access to any restricted computing resource without authorization.
- Transmitting copyrighted materials without the written permission of the author or creator through College email or any other College-owned Information transmission method in violation of U.S. copyright law.
- Using College email or any other College-owned Information transmission method in a manner that disrupts the College’s work or educational mission, such as improper access and use of College global email address lists or other messaging.
- Using College computing resources to store, download, upload, display, print or email computer images that constitute obscene materials as defined by Texas Penal Code § 43.21, regardless of whether such information is related to or required for a specific educational course or research directly related to an educational program.
- Displaying or transmitting messages, images, cartoons, or other displays that are sexually explicit or demean a person on the basis of race, ethnicity, sex, national origin, disability, religion, or sexual orientation.
- Uploading or downloading confidential or proprietary College data or College work product to or from an unauthorized cloud service. Authorized cloud services are third-party vendor services with which the College has entered into a contract.
- Sharing your individual account, password, or other authentication means.
- Attempting to compromise, or actually compromising, any College or external computer resource through unauthorized access and/or in an unauthorized manner.
- Removing installed computer management software or security-related software (e.g., antivirus software). This includes installing software that conflicts with College-installed security software or overriding such software.
- Attempting to circumvent or subvert the security measures of the College’s Information systems. This includes (1) using password decrypting or cracking tools; (2) Denial of Service or Distributed Denial of Service attacks; (3) harmful activities (e.g., IP spoofing, port scanning, disrupting services, damaging files, or intentional destruction of or damage to equipment, software, or data); (4) unauthorized access (e.g., using another user’s account, using a special-purpose account, or escalating one’s own privileges); or (5) unauthorized monitoring (e.g., keyboard logging or network packet capturing). This does not preclude the use of security tools by appropriately authorized personnel.
VIII.A.1.5. User Responsibilities
The Office of Technology Services (OTS) creates security controls and procedures that appropriately and reasonably prevent, detect, contain, and identify risks to Information confidentiality, integrity, and availability. Users, however, are also responsible for protecting the College’s Information.
Specific Responsibilities. (1) Users must uphold the confidentiality and integrity of all Information in their control; (2) Users are prohibited from accessing, copying, altering, or destroying anyone else’s information without proper authorization; (3) Users are individually responsible and accountable for any use of their account and password; (4) individual authentication credentials (e.g., passwords) must not be shared under any circumstances; (5) Users may not run, or otherwise configure, software or hardware that intentionally allows unauthorized access to College Information resources; (6) any IT System created within the College environment must be reviewed by the College’s Information Security Officer (ISO) for security standards and data classification ranking, and by OTS Technical Services for hardware requirements, capacity planning, and ongoing support of the hardware and application.
- Confidentiality. The College cannot guarantee the privacy or confidentiality of electronic documents, messages, or information. A person who requires such assurances should not communicate over unsecured, shared networks and/or via the email system.
- Message Standards. Messages sent as electronic mail should meet the same standards for distribution, display, and retention as if they were tangible documents or instruments. As with all records maintained by the College, and to the extent required by law, files saved as College Information, including email, may be subject to public disclosure in response to a public information request.
- Overloading. The College may intercept and stop email messages, computer programs, or websites that have the capacity to overload any computer resource. Overloading encompasses any use of computational resources, such as bandwidth, disk space, or CPU time, that adversely impacts the College’s information assets.
- Electronic Signatures. A User authorizes use of their electronic signature by signing on to the College’s network with valid College credentials.
VIII.A.1.6. Email Privileges
Access to College Email is a privilege, not a right, generally extended to current employees, students, and retired College employees in good standing. Email services may be revoked when employment ends, during administrative leave, for violating policies or procedures, or upon failure to re-enroll in a College educational program. The College may access the email system to perform routine computer maintenance and housekeeping, carry out internal investigations, prepare responses to requests for public information, disclose messages, data, or files to law enforcement authorities, or for any other legitimate business purpose.
VIII.A.1.7. Logging Information
All access to networked systems must be logged. Where determined to be critical to the College, transaction logging must also be included, regardless of the operating platform. Log data must be classified as sensitive. Logs must be retrievable through clearly defined procedures and must be retained for the periods prescribed for audit, legal, and recovery purposes. As new applications, platforms, mediums, or other technical changes to system operations are introduced, logging requirements and log availability must be considered where practical and/or technically affordable. Logging requirements must be clearly established in system, architectural, technical, and network designs.
VIII.A.1.8. Safeguarding Information
The Chancellor, or designee, serves as the Information Security Officer (ISO). The ISO is responsible for assisting in governance, creating procedures, identifying roles and responsibilities, risk assessment, awareness, and communicating the Information security program. The ISO, through the Office of Technology Services, is responsible for establishing strategies for implementing and enforcing security policies and for advising on security-related issues.
- Business Continuity & Disaster Recovery. Disaster Recovery (DR) comprises the plans and activities designed to recover technical infrastructure and restore critical business applications to an acceptable condition. DR is a component of Business Continuity Planning (BCP), the process of ensuring that essential business functions continue to operate during and after a disaster. OTS is responsible for the College’s Disaster Recovery. Business Continuity Plans must be developed with requirements based on the specific risks associated with each process or system. All staff must be made aware of the Business Continuity Plan and their own respective roles. Each college and administrative unit is responsible for its respective Business Continuity Plan.
- Incident Response. Incident Response is a predefined response process that establishes Information security requirements for unplanned computer system events, including network intrusions, denial of service, computer virus outbreaks, and other outages that negatively impact the availability of College systems, applications, and/or information assets. Information security incident response procedures must include, but are not limited to: (1) specific roles and responsibilities; (2) key contact information; and (3) high-level guidelines for investigating, documenting, and reporting security incidents.
- Third Party Access. Access to College Information systems by third parties (e.g., contractors, partners, vendors, lessees) requires appropriate controls. All third parties that have access to College Information must comply with College information security policies and may be required to show proof of such compliance at any time.
- Security Audits. The ISO conducts periodic reviews and revisions of security controls, policies, and procedures. Additionally, the ISO periodically assesses Information technology systems and processes to ensure that evolving risks are appropriately addressed.
- Privacy Officer. The General Counsel is the College’s Privacy Officer. The Privacy Officer issues guidelines regarding use of social security numbers, educational records, health care information, customer information, and other confidential information, in accordance with all applicable laws. Each college and administrative unit is responsible for adhering to these guidelines. The Privacy Officer will revise guidelines whenever necessary to conform to changes in applicable law or regulations.
- Training. The College shall ensure that employees are properly trained in Information security.
VIII.A.1.9. Policy Variance or Exception
OTS maintains a process for requesting variances from, and exceptions to, this Policy.
VIII.A.1.10. Procedures
The College’s Chief Information Security Officer may effectuate this Policy via Chancellor Procedures.
LSCS Policy Manual Section adopted by the Board of Trustees on November 1, 2018