3-1-3 Information Security Plan
NUMBER: 3-1-3 APPROVED DATE: 09-10-2009
BASED ON POLICY NUMBER AND TITLE: SBTCE 4-4-105 Information Security
Purpose
This Information Security Plan describes TTC’s procedures in order to protect covered
data and information. The plan complies with federal statutes and regulations, specifically
the Federal Trade Commission “Safeguards Rule” (16 CFR Part 314, Standards for Safeguarding
Customer Information; Final Rule) and the Gramm-Leach-Bliley Act of 1999 (GLBA). The
Information Security Plan applies to, but is not limited to, Business Operations,
Admissions and the Registrar’s Office, Financial Aid, Student Services, the Bookstore,
Institutional Research, Information Technology, all faculty and staff, and many third
party contractors.
The Federal Trade Commission’s “Safeguards Rule” requires that the Information Security Plan address the following:
- Designation of an employee or employees to coordinate the Information Security Plan,
- Assessment of reasonably foreseeable risks, both internal and external,
- Identification of safeguards for managing known risks with routine monitoring and testing of safeguards,
- Oversight of contractual agreements with college service providers to ensure service providers are capable of safeguarding financial information, and
- Evaluation, documentation, and adjustment to the Information Security Plan on an annual basis.
TTC Policy 3-1-0 and TTC Procedure 3-1-1, Use of Information Technology Resources, and TTC Procedure 16-7-1, Student Records, Confidentiality, are included in this plan by reference and are part of the college’s commitment to maintaining and limiting access and use of covered systems and data, as required by federal and state statutes and regulations. In addition, it is essential that employees review and understand response requirements for "red flag" identity theft incidents and/or breaches of confidential data as outlined in TTC Procedure 6-18-1, Red Flags Rule Identity Theft Prevention Plan, and TTC Procedure 3-1-4, Information Security Data Breach Response Plan. This Information Security Plan also applies to emerging technologies, including Artificial Intelligence systems, and shall be implemented in coordination with TTC Policy 3-2-0, Artificial Intelligence (AI) Acceptable Use Policy.
Definitions
Covered data and information for the purpose of this procedure include student financial
information required to be protected under the Gramm-Leach-Bliley Act (GLBA). In addition
to this coverage, which is required under federal law, TTC chooses as a matter of
procedure to also include in this definition any credit card information received
in the course of business by the college, whether or not such credit card information
is covered by GLBA. TTC utilizes third party PCI-DSS compliant payment processors
and does not store or process cardholder data internally. Covered data and information
includes both paper and electronic records.
Family Educational Rights and Privacy Act (FERPA) requirements also apply to the definitions in this procedure as outlined in TTC Procedure 16-7-1, Confidentiality of Student Records. In particular, the prohibition in TTC Procedure 16-7-1 on releasing personally identifiable information applies equally to information protected under GLBA:
"FERPA regulations specifically prohibit the use of 'personally identifiable information that, alone or in combination, links or is linkable to a specific student's identity' without the student's permission. Social Security numbers are personally identifiable and contain private information that is part of the student's education records. The College may choose to restrict a student's birth date and birthplace as personally identifiable information as a protection from identity theft."
Health Insurance Portability and Accountability Act (HIPAA) privacy regulations require health care providers and organizations that handle health care information to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI: paper, oral, and electronic.
Student financial information is that information the college has obtained from a student in the process of offering a financial product or service, or such information provided to the college by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, in both paper and electronic format.
Coordination of the Information Security Plan
TTC’s Chief Information Security Officer (CISO) coordinates the implementation of
this plan.
Assessment of Risks
TTC recognizes that it has both internal and external data risks. These risks include,
but are not limited to:
- Unauthorized access to covered data and information by someone other than the owner of the covered data and information,
- Compromised system security as a result of system access by an unauthorized person,
- Interception of data during transmission,
- Loss of data integrity,
- Physical loss of data in a disaster,
- Errors introduced into the system,
- Corruption of data or systems,
- Unauthorized access to covered data and information by employees,
- Unauthorized requests for covered data and information,
- Unauthorized access through hardcopy files or reports,
- Unauthorized transfer of covered data and information through third parties, and
- Unintended disclosure of covered data through electronic communications, hard copy files, mobile storage, and mobile computing devices.
In order to protect the security and integrity of the college network and its data, the college’s Information Technology Department will:
1. Ensure the timely installation of patches for operating systems or software in collaboration with third party service providers’ installation and certification requirements. Responsibilities include: (a) keeping operating systems and software environments reasonably up to date; (b) maintaining records of patch/update activities and reviewing procedures for patches to operating systems and software; and (c) staying current on vulnerability management and potential threats to the network and its data.
2. Maintain schedules of security classes that include an up-to-date listing of persons or offices with access to each covered data field or screen in relevant software systems (financial, student services, development, etc.).
3. Ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks in collaboration with governing agencies.
Additionally, the Optimization and Planning for Technology, Innovation, and Collaboration (OPTIC) Committee will review existing schedules to make recommendations for continued compliance.
Safeguards for Social Security Numbers
Several college departments will continue to use Social Security numbers in the college’s
information systems. These numbers are protected information under the Gramm-Leach-Bliley
Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), and the Health
Insurance Portability and Accountability Act (HIPAA). All TTC employees who have access
to social security numbers have the responsibility to safeguard and to protect social
security numbers. Employees and managers with access to Social Security Numbers (SSNs)
are responsible for reviewing and understanding all aspects of required protections
to safeguard SSNs. Incident response requirements for breaches of protected SSNs are
the same requirements for reporting red flag identity theft breaches as outlined in
TTC Procedure 6-18-1, Red Flags Rule Identity Theft Prevention Plan.
Design and Implementation of Safeguards Program
1. Employee Training and Education
Background checks are performed and references are checked for new employees. The Human Resources Director will conduct training for every appropriate current employee and new employee during employee orientation on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Appropriate employees will sign a confidentiality agreement to indicate their understanding and agreement with their privacy and safeguarding obligations. All employees will receive information security awareness training, including the proper use of computer information and passwords. Training also includes controls and procedures to prevent employees from providing any protected, confidential information to an unauthorized individual, either electronically or in a paper copy, including “pretext calling” (Social Engineering)¹, and how to properly dispose of documents that contain covered data and information. Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage, or technical failures. These training efforts should help minimize risk and safeguard covered data and information security.
2. Physical Security
TTC has addressed the physical security of covered data and information by limiting access to only those employees who have a business reason to know such information.
Loan files, account information, and other paper documents that contain confidential, protected data must be kept in file cabinets, rooms, or vaults that are locked each night. Only authorized employees know combinations and have access to keys. Paper documents that contain covered data and information are shredded at time of disposal.
3. Digital Security
Employees must adhere to all college procedures and best practices for safeguarding covered data. This includes redacting and/or encrypting emails and password-protected attachments containing confidential data sent in an external email to authorized agencies and/or individuals. Sharing covered data with an authorized agency or third party through file upload to a secure site or portal is the recommended best practice over email. Protection of covered data also applies to college resources such as secure Cloud storage and collaboration sites.
Information Systems
Access to covered data and information via TTC’s computer information system is limited
to those employees who have a business reason to know such information. Each employee
receives a username and creates their own distinct password after initial login. Multifactor
authentication is enabled for core enterprise information system user accounts. Databases
containing personal covered data and information, including, but not limited to, accounts,
balances, and transactional information, are available only to TTC employees in appropriate
departments and positions.
TTC will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission.
GLBA requires the college to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Procurement Director, with consultation from the college’s Vice President for Finance and Business Affairs, will maintain standard contractual provisions applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. All relevant future contracts between the college and these service providers should contain these provisions. Any deviation from these standard provisions will require prior approval. Contracts with service providers may include the following provisions:
- An explicit acknowledgement that the contract allows the contract partner access to confidential information,
- A specific definition or description of the confidential information being provided,
- A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract,
- A guarantee from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own information,
- A stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract,
- A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract,
- An agreement that any violation of the contract’s confidentiality conditions may constitute a material breach of the contract and entitles TTC to terminate the contract without penalty,
- A provision ensuring that the contract’s confidentiality requirements shall survive any termination agreement, and
- A provision allowing auditing of the contract partners’ compliance with the contract safeguard requirements.
Evaluation and Revision of the Information Security Plan
GLBA mandates that this Information Security Plan be subject to periodic review and
adjustment. The plan and TTC’s related policies and procedures will be reevaluated
annually by the CISO in coordination with the OPTIC Committee to ensure ongoing compliance
with existing laws and regulations. As a result of the evaluations and reviews, it
may be necessary to adjust the plan to reflect changes in technology, business processes,
the sensitivity of student/customer data and internal or external threats to information
security.
The CISO will identify and monitor risks to security and privacy of information. The
CISO will also provide information security recommendations to the President’s cabinet
which includes an evaluation of risks related to compliance and implementation of
the College’s information security program. The recommendations will also include
how to reasonably safeguard information systems. Recommendations for revisions to
related policies and procedures will include both positive and negative impacts on
all college operations and academic programs.
¹ “Pretext calling” (Social Engineering) occurs when an individual improperly obtains personal information of college customers so as to be able to commit identity theft. It is accomplished by contacting the college, posing as a customer or someone authorized to have the customer’s information, and through the use of trickery and deceit, convincing an employee of the college to release customer identifying information.
_______________
Renumbered and moved from Section 6 to Section 3 September 2020. Formerly number 6-17-1.
Updated: 10-05-2010
Updated: 11-04-2014
Updated: 02-08-2016
Updated: 04-08-2019
Updated: 08-10-2020
Updated: 04-23-2021
Updated: 03-17-2026