Information Security Policy

Approved By                  Date
Board of Trustees            10-19-2023
Executive Leadership Team    08-28-2023
ICORE                        08-22-2023

Stanly Community College shall maintain a comprehensive written Information Security Plan (ISP) and appoint a coordinator for the plan. The objectives of the ISP are to (1) ensure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience.


Information Security Procedures

Approved By                  Date
Executive Leadership Team    08-28-2023
ICORE                        08-22-2023
  1. INFORMATION SECURITY PLAN
    1. The Information Security Plan (Plan) describes safeguards implemented by the College to protect covered data and information in compliance with the FTC’s Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA).
    2. These safeguards are provided to:
      1. Ensure the security and confidentiality of covered data and information;
      2. Protect against anticipated threats or hazards to the security or integrity of such information; and
      3. Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience.
    3. This Plan also identifies mechanisms to:
      1. Identify and assess the risks that may threaten covered data and information maintained by the College;
      2. Develop written policies and procedures to manage and control these risks;
      3. Implement and review the Plan; and
      4. Adjust the Plan to reflect changes in technology, the sensitivity of covered data and information, and internal or external threats to information security.
  2. INFORMATION SECURITY PLAN COORDINATOR(S)
    1. The Chief Technology Officer (CTO) serves as the coordinator of the Plan. The CTO is responsible for assessing the risks associated with unauthorized transfers of covered data/information and implementing procedures to minimize those risks to the College.
    2. Staff designated by the CTO shall conduct reviews of areas that have access to covered data/information to assess the internal control structure put in place by departmental employees and verify that all departments comply with the requirements of the security policies and practices delineated in this Plan.
  3. IDENTIFICATION & ASSESSMENT OF RISKS
    1. The College recognizes that it is exposed to both internal and external risks, including but not limited to:
      1. Unauthorized access of covered data and information by someone other than the owner of the covered data and information.
      2. Compromised system security as a result of system access by an unauthorized person.
      3. Interception of data during transmission.
      4. Loss of data integrity.
      5. Physical loss of data in a disaster.
      6. Errors introduced into the system.
      7. Corruption of data or systems.
      8. Unauthorized access of covered data and information by employees.
      9. Unauthorized requests for covered data and information.
      10. Unauthorized access through hard copy files or reports.
      11. Unauthorized transfer of covered data and information through third parties.
    2. Recognizing that this may not represent a complete list of the risks associated with the protection of covered data/information, and that new risks are created regularly, the CTO and the Information Technology Services (ITS) department actively participate in and monitor appropriate cybersecurity advisory groups for the identification of risks.
  4. EMPLOYEE MANAGEMENT & TRAINING
    1. Personnel in the Office of Human Resources perform reference and/or background checks (as appropriate, depending on position) of new employees working in areas that regularly work with covered data and information (e.g. Business Office, Financial Aid).
    2. During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also required to complete information security training. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts minimize risk and safeguard covered data and information.
  5. PHYSICAL SECURITY
    1. The College addresses the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to College employees with an appropriate business need for such information.
    2. Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage, or technical failures.
  6. INFORMATION SYSTEMS
    1. Access to covered data and information via the College’s computer information system is limited to those employees who have a legitimate business reason to access such information. The College has policies and procedures in place to complement the physical and technical safeguards in order to provide security to the College’s information systems.
    2. The College adheres to best practices and standards set forth in the NC Institutional Information Processing System (IIPS) Manual prepared by the IIPS Security Standards Committee and provided to North Carolina community colleges.
    3. Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.
  7. OVERSIGHT OF SERVICE PROVIDERS
    1. GLBA requires the College to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Plan will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards.
  8. REVIEW & ADJUSTMENT
    1. This Information Security Plan will be subject to annual review and, if necessary, adjustment. Continued administration of the development, implementation, and maintenance of the Plan is the responsibility of the designated Information Security Plan Coordinator, who shall assign specific responsibility for the implementation and administration of technical, logical, physical, and administrative safeguards as appropriate.
    2. The Information Security Plan Coordinator will review the standards set forth in this procedure and recommend updates and revisions as necessary. It may be necessary to adjust the Plan to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.