TMCC

Information Technology

Information Security and Inventory of Institutional Data

Policy: It is the policy of Truckee Meadows Community College that all persons having access to confidential or sensitive data take all necessary precautions to safeguard that data as required in Chapter 486 of the 2005 Statutes of Nevada.

Originating Source: Information Technology

Responsible Office: Information Technology

Updated: October 2007


Procedure

  1. Protection of Confidential or Sensitive Data:
    1. Confidential or Sensitive Data (Highest level of security)
      1. Protected due to legal requirements (FERPA, Gramm-Leach-Bliley Act, ADA, EEO, HIPAA, etc.)
      2. All data must be either password protected, encrypted, or stored on secure network drives
      3. Whole disk encryption is an option
    2. Institutional/Proprietary Data (Moderate level of security): All data must be either password protected, encrypted, or stored on secure network drives
    3. Public Departmental Data (Lowest level of security)
      1. Protected at the discretion of the department/owner
      2. Recommended that data be stored on secured LAN drives
    4. Eradication of Data on Surplus or Repurposed Computers: Follow the procedures in the Baseline Security Procedures for All Truckee Meadows Community College Department and Unit Computers for administrative office desktop and academic lab computers as well as application and file servers.
  2. Inventory of Data Locations: On an annual basis, the college's departments and units will inventory the physical and network location of confidential or sensitive data. Each department or unit will create a master list that details this information for reference.
  3. Inappropriate Release of College Data: Follow the procedures in the Baseline Security Procedures for All Truckee Meadows Community College Department and Unit Computers for security incidents.
  4. Baseline Security Procedures for All Truckee Meadows Community College Department and Unit Computers: The TMCC Chief Information Technology Officer, in consultation with TMCC IT, the TMCC Technology Committee, the NSHE Security Interest Group, and other stakeholders, determines technical procedures and reviews them annually, at a minimum. To better safeguard the college's IT and data resources, the college's IT departments strongly recommend that all TMCC departments and units implement the following practices.
    1. All computers: All computer users are responsible.
      1. College supplied or purchased computers are the property of the college.
      2. Computer system users must take responsibility for the data on their systems. If confidential data are being stored or processed on their computer, the user must inform their department/office leadership.
      3. Confidential or sensitive data is not allowed to be stored on systems that can be removed from the college unless the data is encrypted or password protected. This includes laptops, removable drives, CDs, DVDs, disks, or other similar removable media.
      4. Exceptions to these requirements must be collected and maintained by the department/office leadership.
    2. Application and File servers: All server administrators are responsible.
      1. Perform operating system hardening
        • Disable all services that are not required
        • User privileges must be configured as low as possible while still meeting business needs
        • Ensure all accounts have strong passwords similar to the strength required for NetID passwords.
      2. Harden all services (Apache, IIS, MS SQL, etc.) and disable all services that are not required
      3. There should be no shared usernames and passwords for any applications or servers. In cases where shared accounts are required:
        • Document all exceptions
        • Create inventory of all shared accounts and users who have access to these accounts
      4. At a minimum, daily auto update should be active for the operating system updates unless the computer is managed by a college patch management solution (i.e., Windows Server Update Services)
      5. Ensure console access is physically or technically secure. For computers that are not physically secured, implement password-protected screen savers that activate after inactivity.
      6. Maintain an appropriate level of logging for server OSes and applications (such as Web servers). These logs should be reviewed regularly looking for indications of malicious activity.
        • Determine length of log retention and level of logging.
        • Determine if logging is only needed for more confidential data.
      7. Run antivirus software on all servers where it does not interfere with server operation.
      8. An inventory of systems requiring exceptions should be kept up to date.
      9. Hard drives should be wiped clean prior to salvaging or repurposing.
    3. Administrative Office Desktop Computers: All desktop computer users are responsible.
      1. Perform operating system hardening
        • Disable all services that are not required.
        • User privileges should be configured as low as possible while still meeting business needs. Users are typically not provided with administrative rights.
        • Ensure all accounts have strong passwords.
      2. At a minimum, daily auto update should be active for the operating system unless the computer is managed by a college patch management solution (i.e., Windows Server Update Services).
      3. Antivirus software is installed, running, and set for daily automatic updating and weekly scanning.
      4. Personal firewalls (Symantec, Windows firewall, MacOS firewall, etc.) are installed and running.
      5. Anti-spyware tools are installed and running.
      6. Local file shares should not be configured. Supported department file server shares should be used instead.
      7. Implement password-protected screen savers that activate after some inactivity for computers that are in publicly accessible spaces.
      8. Hard drives should be wiped clean prior to salvaging or repurposing.
    4. Administrative Laptop Computers: All laptop users are responsible.
      1. Same as administrative office desktop computers.
      2. Must log into the network once every two months to ensure security updates are installed.
      3. Confidential or sensitive data is not allowed to be stored on systems that can be removed from the college unless the data is encrypted or password protected.
    5. Academic Lab Computers: Information Technology is responsible.
      1. Public access computers must not be on the same subnet as other administrative departmental computers.
      2. Computers must display an appropriate logon banner concerning appropriate use.
      3. At a minimum, daily auto update should be active for the operating system unless the computer is managed by a departmental patch management solution.
      4. Antivirus software is installed, running, and set for daily automatic updating.
      5. Personal firewalls (Symantec, Windows firewall, MacOS firewall, etc.) are installed and running.
      6. Anti-spyware tools are installed and running.
      7. Local file shares should not be configured on desktops. Supported department file server shares should be used instead.
      8. If system privileges are required for users (users can write files to the computer) then a full system rebuild should occur prior to each individual use.
      9. Physically inspect systems regularly (at least each semester) looking for computing or setup anomalies.
      10. Hard drives should be wiped clean prior to salvaging.
    6. Removable Media (USB Flash Drives, USB Hard Drives, SD cards, disks, etc.): All users are responsible.
      1. Ensure that sensitive data is either password protected or encrypted.
      2. Include a small readable text file on the removable media that includes contact information, in the event your removable media is lost or misplaced, to aid in its return. Simply provide a contact phone number. A legal disclaimer that clearly identifies the information on the drive as confidential and protected by law may also be included in the file. Providing the name of the college in the text file is not recommended since it could tip off a malicious user where the data came from and how to use it.
      3. Confidential or sensitive data is not allowed to be stored on systems that can be removed from the college unless the data is encrypted or password protected.
      4. Media should be wiped clean prior to disposal.
    7. Kiosks: Information Technology is responsible.
      1. Ensure proper awareness is provided to convey appropriate use.
      2. Ensure proper notification is provided to articulate the requirement that these systems are not to be used to process sensitive data.
      3. Physically inspect systems regularly (at least each semester) looking for computing or setup anomalies.
    8. Instant Messaging: All instant messaging users are responsible.
      1. Sensitive data should not be transmitted during any instant messaging sessions.
      2. It is recommended that all instant messaging traffic be transmitted using secure instant messaging systems.
    9. Personal Digital Assistant (PDA) devices and Smartphones: All users are responsible.
      1. PDAs and Smartphones should be password protected.
      2. Confidential or sensitive data is not allowed to be stored on systems that can be removed from the college unless the data is encrypted or password protected.
      3. Data on PDAs and Smartphones should be cleared before salvaging or repurposing.
      4. Lost or stolen PDAs or Smartphones connected to the TMCC e-mail system will be locked upon notification to IT Customer Service.
    10. Digital Cameras: All users are responsible.
      1. Digital cameras shall not be used to take pictures of confidential or sensitive data unless the picture is encrypted or password protected.
      2. Confidential or sensitive data is not allowed to be stored on systems that can be removed from the college unless the data is encrypted or password protected.
      3. Images on digital cameras should be cleared before salvaging or repurposing.
    11. Email: All users are responsible.
      1. If the need arises to send e-mail containing confidential or sensitive data, the e-mail shall be transmitted over a secure network, i.e., TMCC e-mail user to TMCC e-mail user. If transmitting to an authorized recipient not on a secure network, the e-mail containing sensitive data must be password protected or encrypted.
      2. Scan-to-e-mail functionality is not to be used to transmit confidential or sensitive data to addresses outside of the TMCC e-mail network.
    12. Wireless Networks: All users are responsible. If wireless networking is being used, all TMCC systems must use a virtual private network connection or log in via a secure connection prior to transmitting confidential or sensitive data.
    13. Networks: All network administrators are responsible.
      1. Limit network access to servers with ACLs, IPSec filtering, firewalls or some other mechanism. The rules should deny all inbound traffic except that which is explicitly permitted.
      2. Implement packet filtering to protect departmental resources. This should include, at a minimum, default ACLs restricting incoming connections except where explicitly required. Firewalls can be used as well.
      3. For administrative wireless networks, MAC address registration is mandatory. No unregistered systems should be allowed on a wireless subnet. All systems must be registered and tied to a user or network administrator.
      4. If a local unit uses a gateway or other network address translation (NAT) device, network logs must be retained for a minimum of 30 days.
    14. Provisioning: All users are responsible.
      1. Perform regular reviews of file, application and system privileges. Use the college's Network Access Security Application (NASA) to provision accounts for new hires and the TMCC Application for Computer Access for moves or terminations.
    15. Reviews and assessments: All unit leaders and Information Technology departments are responsible where applicable.
      1. Establish a record of local computer systems that require exceptions to these requirements.
      2. At a minimum, conduct yearly assessments of a sample of these systems. These assessments should include:
        1. Scans looking for open ports and services available on hosts.
        2. Network and host-based vulnerability scans.
        3. Network application reviews (checking for vulnerabilities in websites, databases, etc.).
        4. Content inventories on desktops and servers to account for the location of all sensitive College data.
        5. Physical inventories to account for the location of hard copies of sensitive College data.
        6. Password audits looking for strong passwords on all accounts.
    16. Security Incidents:
      1. A security incident can be anything from a suspected virus on a computer, knowledge of malicious intent concerning the TMCC computer systems, witnessing suspicious activity, inappropriate release of college data, or the reasonable belief of unauthorized data access.
      2. Information security incidents should be reported to IT management in person, via e-mail, or telephone. In the event of an information security incident, TMCC IT management is responsible for notifying college leadership as necessary.
      3. Physical security incidents should be reported to the TMCC Police Department in person, online, or telephone. In the event of a physical security incident, TMCC Police Department management is responsible for notifying college leadership as necessary.
    17. Related Documents:
      1. Information Security and Privacy
      2. TMCC Telecommunications Use Policy
      3. TMCC Life Cycle Replacement of Hardware Systems
      4. TMCC Network Operational and Security Procedures
      5. TMCC Copyright Infringement Procedures
      6. Network Login
      7. Passwords
      8. FERPA
      9. TMCC IT Disaster Recovery Plan
    18. Electronic Inventory of Sensitive Data:
      1. Departmental files on TMCC file servers
      2. SQL Database stored on TMCC file servers
    19. Physical Inventory of Sensitive Data:
      1. Academic student record files TMCC wide
      2. Admissions and Records
      3. Dandini Archival storage
      4. Accounting Services
      5. Financial Aid
      6. Foundation Office
      7. Human Resources
      8. Institutional Research
      9. President's Office
      10. Vice President of Academic Affairs Office
      11. Dean's Offices
      12. Supervisor personnel files stored in individual supervisor offices TMCC wide.
    20. Contacts
      Subject: Policy Interpretation and Clarification, Security of Network
      Contact: Information Technology
  5. Originating Policy or Source: TMCC Telecommunications Use Policy
  6. Responsible Office: Information Technology
  7. Updated: February 2008
