1. Introduction

The primary goal of Kaskaskia College’s (KC) Information Security Policy is to ensure that all Confidential and Sensitive Information (CSI) maintained by the College is protected in a manner that follows all relevant legislation, industry best practices, and the College's values.

Other goals of the Information Security Policy are to:

• Define what information is considered to be confidential and sensitive.
• Define what information is considered to be public.
• Outline employee responsibilities when working with CSI.
• Provide a process for reporting security breaches or other suspicious activity related to CSI.
• Provide guidelines on how to communicate information security requirements to vendors.
• Summarize the laws and other guidelines that impact the Information Security Policy.

2. Definitions

• Authorization: involves determining a person's access rights to information or tasks.
• Availability: ensures that information is accessible and usable when needed.
• Confidentiality: involves maintaining the privacy and secrecy of information.
• Integrity: ensures that information remains accurate, complete, and consistent.
  
  

3. Information Security Program Coordinator

The Chief Information Officer (CIO), or their designee, is the coordinator of the Information Security Program at Kaskaskia College. The CIO, or designee, is responsible for working with Administrators from all areas of the College to implement information security practices in accordance with all legal requirements and industry best practices. The CIO reports to the President of the College. The President reports to the Kaskaskia College Board of Trustees. The Kaskaskia College Board of Trustees is ultimately responsible for all of Kaskaskia College's policies.

4. Purpose of The Information Security Policy

The purpose of the Information Security Policy is to define the guiding principles that all College employees must follow when working with Confidential and Sensitive Information. Each department that works with CSI will be required to implement department-specific procedures to ensure that they operate within the guidelines.

5. Classification of Information

Kaskaskia College owns or is entrusted with a vast amount of information about its students, employees, and other business partners. This information may be in electronic form, stored on network servers, PC workstations, or magnetic or optical storage media. It may also be in hard copy (paper) form stored in file cabinets.

6. Confidential and Sensitive Information (CSI)

The following types of information are considered by Kaskaskia College to be Confidential and Sensitive Information*:

1. Social Security Number (SSN)
2. Social Insurance Number
3. Date of birth
4. Driver’s license number
5. Customer identifiers
6. Debit/Credit card number (Personal account number, Expiration date, CVV code)
7. Bank account numbers
8. Tax ID
9. Passwords
10. Medical records
11. Doctor names
12. Insurance policy information (Insurance claim information)

* While all of these items are explicitly considered to be CSI, there may be other items which rise to the level of CSI.

7. Public Information

Public information, often called “Directory Information,” may be shared with the general public. Students wishing to have their Directory Information withheld from the public must submit a written request to the Registrar, and Employees must submit a written request to HR. Kaskaskia College considers the following information to be Directory Information:

1. Student Name
2. Enrollment Status (Full-time, Part-time)
3. Major Field of Study
4. Classification (freshman or sophomore)
5. Dates of Attendance
6. Degrees and Honors Earned and Dates
7. The most previous educational agency or institution attended prior to enrollment at Kaskaskia College
8. Participation in an officially recognized activity or sport and weight, height, and photos of members of athletic teams or student activities
9. Photo
   
   

8. Responsibilities

1. Classification of information/data for which person/persons is responsible accordingly.
2. Maintain “Principles of Least Privilege” to data.
3. Do not divulge, copy, release, sell, loan, alter, or destroy any college information without appropriate business purpose and authorization.
4. Protect the confidentiality, integrity and availability of college Information in a manner consistent with the information's classification.
5. Handle information in accordance with the applicable State and Federal laws for Illinois, and Policies and Procedures for Kaskaskia College.
6. Safeguard any physical key, key codes, applications, passwords, ID card, computer account, user account, or network account that allows one to access college Information.
7. Discard media containing Kaskaskia College information in a manner consistent with law including hard copies, electronic, magnetic, optical, and disk storage.
8. Contact the appropriate Kaskaskia College office prior to responding to requests for information from regulatory agencies, inspectors, examiners, and/or auditors.
   
   

9. Diligence

1. Concerning Credit Card Information

Kaskaskia College accepts credit card and debit card payments for tuition, donations, and other financial transactions. Any merchant that accepts credit card payments is subject to the security requirements outlined in the Payment Card Industry Data Security Standards (PCI-DSS). All KC employees who work with credit card transactions must adhere to security requirements expressed in the KC PCI Compliance Policy. These requirements include but are not limited to the following: Electronic Storage standards, Electronic Transmission standards, Hard Copy Storage standards, and Transportation and Destruction standards.

2. Identity Theft

The Red Flags Rules of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) require financial institutions to implement procedures to detect, prevent, and mitigate potential identity theft incidents. Procedures required to comply with the Red Flag Rules are outlined in the Kaskaskia College’s Identity Theft Pursuant to Red Flags Rule policy & procedure.

3. Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act, more commonly known as FERPA, is a federal law that declares the rights of students to view their personal educational records while protecting their privacy. This law applies to all public and private institutions that receive funding from the U.S. Department of Education. In short, failure to comply with FERPA regulations has both legal and funding implications for the College. Specific guidance to the application of FERPA guidelines at Kaskaskia College is covered in the Privacy of Student Records policy (FERPA policy), including student information maintenance and personally identifiable information.

10. Vendor Agreements

When negotiating contracts with third-party vendors, Kaskaskia College employees must consider whether or not the vendor will need access to any of the College’s CSI. Any vendor that will have access to CSI will be required to abide by this Information Security Policy and any subsequent procedures. Contract language must include acceptance of the Information Security Policy. In cases where vendors will provide services directly related to Confidential and Sensitive Information, they will be required to provide proof of their compliance with all applicable laws.

Pre-existing contracts with vendors should be reviewed as they need to be renewed. The reviewer will then follow the indications above for that contract renewal. Non-acceptance of this policy language by the vendor will prompt consultation with College legal counsel for appropriate next steps.

11. GLBA Compliance

This section outlines the institution’s commitment to complying with the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule, which mandates the protection of nonpublic personal information (NPI) collected from students, employees, and other stakeholders while providing financial services. This applies to all institutional units, employees, contractors, and third-party service providers who access, process, or manage NPI as defined under GLBA.

1. Information Security Program The institution maintains a comprehensive, written Information Security Program designed to:
   • Ensure the security and confidentiality of NPI.
   • Protect against anticipated threats or hazards.
   • Prevent unauthorized access or use of such information.
2. Risk Assessment Regular risk assessments are conducted to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of NPI. These assessments inform the design and implementation of safeguards.
3. Access Controls Access to NPI is restricted based on job responsibilities. User access reviews are conducted quarterly to ensure appropriate access levels and to revoke access when no longer required.
4. Data Inventory and Classification The institution maintains a current inventory of systems and data repositories containing NPI. Data is classified based on sensitivity and regulatory requirements, and appropriate controls are applied accordingly.
5. Third-Party Oversight Contracts with third-party service providers that handle NPI include provisions requiring them to implement and maintain appropriate safeguards. The institution evaluates and monitors these providers on a regular basis.
6. Change Management All changes to systems that store or process NPI are subject to a formal change management process, including risk assessment, testing, and approval procedures.
7. Logging and Monitoring Systems that store or transmit NPI are monitored for unauthorized access and anomalies. Logs are retained and reviewed regularly to detect and respond to potential security incidents.
8. Security Awareness and Training Information Security Personnel receive ongoing training to stay current with evolving threats, technologies, and compliance requirements. Annual security awareness training is mandatory for all employees.
9. Incident Response The institution maintains an Incident Response Plan that outlines procedures for identifying, reporting, and responding to security incidents involving NPI.
10. Program Evaluation The Information Security Program is reviewed and updated annually, or as needed, to address changes in technology, threats, or regulatory requirements.

12. Updating the Information Security Policy

The Information Security Policy will be reviewed by the CIO and a working group comprised of appropriate employees per the institutional policy review calendar. If circumstances arise that require significant changes to the policy, it may be reviewed and updated more often.

13. Training and Communication

The CIO, Information Technology, and Human Resources are responsible for managing annual information security practices training for all Kaskaskia College employees. This training will inform employees of their responsibilities when working with CSI, safe data practices at Kaskaskia College, and policy changes.

Additional training will be provided to employees whose primary job duties require them to work with CSI. The department head will be responsible for procedural training regarding CSI specific to a particular department.