This is a principle, rather than a rule based policy. It presents guidelines for the campus community to follow when deciding how to handle information considered legally sensitive. A separate implementation guide will be made available for departments to address the mechanics necessary to carry out this policy. In collecting, assembling, reporting, retaining and disposing of legally sensitive information, the college will:
- Collect only the information that is required under the relevant laws or regulations. If we don't have the information, we can't lose or compromise it.
- Share the information only with the people and systems necessary to perform the tasks. The fewer people and places that have the information, the fewer opportunities for it to be compromised.
- Retain the information for as long as legally or operationally necessary, but no longer. If we don't have it, we can't lose it.
- Encrypt information that is transferred from central information system to local storage so that if a device is lost, stolen or otherwise compromised, the data cannot be recovered without use of a secret key. If paper records are used, equivalent physical access control systems will be maintained.
The following categories will be integral parts of the college's information security program:
Classification: Information and systems, physical asset locations and descriptions, will be properly classified into clearly delineated groupings, each requiring its own level of clearance to access.
- Inventory: A campus-wide inventory of such information will be produced resulting in a list of all information and their classification level.
- Risk Assessment: An analysis of the risks to the information in the inventory and appropriate recommendations will be made as to safeguards with the highest classification level receiving the most protection.
- Restricted Access: Individuals can only access information to which they have been granted clearance.
- Performance Driven: Access policies and clearance levels are integrated into individual employees' performance programs with a master list maintained by human resources.
- Internal Controls: The Information Security Program is integrated into the internal control policies of each division.
- Training: Each division shall engage in periodic training and awareness activities to ensure that all members are aware of and remain in compliance with the College's Information Security Program.
This policy will be updated, procedures developed and compliance will be reviewed annually.