Information Security

See Also: Policy 4810 - TMCC Telecommunications Use and Policy 4814 - Information Security and Inventory of Institutional Data

Procedures

Protection of Confidential or Sensitive Data

Confidential or Sensitive Data (highest level of security)

  • Protected due to legal requirements (FERPA, Gramm Leach Bliley Act, ADA, EEO, HIPAA, etc.)
  • All data must be either password protected, encrypted, or stored on secure network drives
  • Whole disk encryption is an option

Institutional/Proprietary Data (moderate level of security)

  • All data must be either password protected, encrypted, or stored on secure network drives

Public Departmental Data (lowest level of security)

  • Protected at the discretion of the department/owner
  • Recommended that data be stored on secured LAN drives

Eradication of Data on Surplus or Repurposed Computers

  • Follow the procedures in the Baseline Security Procedures (see below) for all TMCC department and unit computers, including administrative office desktop and academic lab computers, as well as application and file servers.

Inventory of Data Locations

On an annual basis, the College's departments and units will inventory the physical and network location of confidential or sensitive data. Each department or unit will create a master list that details this information for reference.

Security Incidents

A security incident can be anything from a suspected virus on a computer, knowledge of malicious intent concerning the TMCC computer systems, witnessing suspicious activity, inappropriate release of College data, or the reasonable belief of unauthorized data access.

  • Information security incidents should be reported to IT management in person, via email, or by telephone.
    • In the event of an information security incident, TMCC IT management is responsible for notifying College leadership as necessary.
  • Physical security incidents should be reported to the TMCC Police Department in person, online, or by telephone.
    • In the event of a physical security incident, TMCC Police Department management is responsible for notifying College leadership as necessary.

Baseline Security Procedures

TMCC Information Technology, in collaboration with the TMCC Technology Committee, the NSHE Security Interest Group, and other stakeholders, determines technical procedures and reviews them annually, at a minimum.

To better safeguard data resources, Information Technology strongly recommends that all TMCC departments and units implement the following practices.

All TMCC Users' Responsibilities

All Computers

  • College supplied or purchased computers are the property of the College.
  • Computer system users must take responsibility for the data on their systems. If confidential data are being stored or processed on their computer, the user must inform their department/office leadership.
  • Confidential or sensitive data is not allowed to be stored on systems that can be removed from the College unless the data is encrypted or password protected. This includes laptops, removable drives, CDs, DVDs, disks, or other similar removable media.
  • Exceptions to these requirements must be collected and maintained by the department/office leadership.

Administrative Office Desktop Computers

  • Perform operating system hardening:
    • Disable all services that are not required.
    • User privileges should be configured as low as possible while still meeting business needs. Users are typically not provided with administrative rights.
    • Ensure all accounts have strong passwords.
  • At a minimum, daily auto update should be active for the operating system unless the computer is managed by a College patch management solution (i.e., Windows Server Update Services).
  • Antivirus software is installed, running, and set for daily automatic updating and weekly scanning.
  • Personal firewalls (Symantec, Windows firewall, MacOS firewall, etc.) are installed and running.
  • Anti-spyware tools are installed and running.
  • Local file shares should not be configured. Supported department file server shares should be used instead.
  • Implement password protected screen savers that activate after some inactivity for computers that are in publicly accessible spaces.
  • Hard drives should be wiped clean prior to salvaging or repurposing.

Administrative Laptop Computers

  • Same as administrative office desktop computers.
  • Must log in to the network once every two months to ensure security updates are installed.
  • Confidential or sensitive data is not allowed to be stored on systems that can be removed from the College unless the data is encrypted or password protected.

Removable Media (USB Flash Drives, USB Hard Drives, SD cards, disks, etc.)

  • Ensure that sensitive data is either password protected or encrypted.
  • Include a small readable text file on the removable media that includes contact information, in the event your removable media is lost or misplaced, to aid in its return. Simply provide a contact phone number. A legal disclaimer that clearly identifies the information on the drive as confidential and protected by law may also be included on the file. Providing the name of the College on the text file is not recommended since it could tip off a malicious user where the data came from and how to use it.
  • Confidential or sensitive data is not allowed to be stored on systems that can be removed from the College unless the data is encrypted or password protected.
  • Media should be wiped clean prior to disposal.

Digital Cameras

  • Digital cameras shall not be used to take pictures of confidential or sensitive data unless the picture is encrypted or password protected.
  • Confidential or sensitive data is not allowed to be stored on systems that can be removed from the College unless the data is encrypted or password protected.
  • Images on digital cameras should be cleared before salvaging or repurposing.

FERPA

FERPA uses language such as "reasonable methods" to safeguard information and is purposely non-specific regarding the use of technology methods, standards and email. As such, TMCC has created a set of reasonable guidelines for communicating FERPA-related information over email.

Email

  • If the need arises to send email containing confidential or sensitive data, the email shall be transmitted over a secure network, i.e., TMCC email user to TMCC email user. If transmitting to an authorized recipient not on a secure network, the email containing sensitive data must be password protected or encrypted.
  • Emails containing FERPA-related information may only be sent to the official TMCC email address of the authorized recipient (tmcc.edu). A student's NSHE ID and student name can be sent via email.
  • FERPA-related email may not be sent or forwarded to a personal address such as one associated with Gmail, Hotmail, or Yahoo.
  • Scan-to-email functionality is not to be used to transmit confidential or sensitive data to addresses outside of the TMCC email network.
  • Students are required to use the provided TMCC email so that staff and faculty have reasonable certainty that communications are with the appropriate individual.
  • All TMCC email includes a disclaimer or tagline: "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer."
  • Email sent through the College's network is not private, as noted on the login page of every computer: "Unauthorized user or access is prohibited. By continuing to use this computer system, you accept the rights and responsibilities in the TMCC Telecommunications User Policy (effective March 2005). Your privacy is carefully guarded but cannot be guaranteed. Examination of information stored or accessed on the system may occur if authorized by the appropriate authorities."
  • Also, upon employment and orientation, each TMCC employee signs the TMCC Telecommunications Use Policy.
  • See Also: Disclaimer | Network Operations and Security | TMCC Email for Students

Personally identifiable information (PII)

Personally Identifiable Information (PII) is data that can be used to uniquely identify or locate a single person. PII, including Social Security numbers, is never to be included in any email or screen shots.

Computers, as well as flash drives, smartphones, tablets and removable drives, pose a potential risk of PII data breaches. It is important to follow safe data practices, including the appropriate use of strong passwords, and always avoid transferring or storing any confidential data on removable storage devices.

Personally identifiable information (PII) includes, but is not limited to:

  • The student’s name;
  • The name of the student’s parent or other family members;
  • The address of the student or student’s family;
  • A personal identifier, such as the student’s Social Security number, student number, or biometric record;
  • Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
  • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and/or
  • Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

TMCC does not email or publicly post grades.

Instant Messaging

  • Sensitive data should not be transmitted during any instant messaging sessions.
  • All instant messaging traffic should be transmitted using secure instant messaging systems.

Mobile Devices/Smartphones

  • Mobile devices and smartphones should be password protected.
  • Confidential or sensitive data is not allowed to be stored on systems that can be removed from the College unless the data is encrypted or password protected.
  • Data on mobile devices and smartphones should be cleared before salvaging or repurposing.
  • Lost or stolen mobile devices or smartphones connected to the TMCC email system will be locked upon notification to IT Customer Service.

Wireless Networks

  • If wireless networking is being used, all TMCC systems must use a virtual private network (VPN) connection or log in via a secure connection prior to transmitting confidential or sensitive data.
  • See Also: Wireless Network Security Policy

Information Technology's Responsibilities

Application and File Servers

  • Perform operating system hardening
    • Disable all services that are not required
    • User privileges must be configured as low as possible while still meeting business needs
    • Ensure all accounts have strong passwords similar to the strength required for NetID passwords.
  • Harden all services (Apache, IIS, MS SQL, etc.) and disable all services that are not required
  • There should be no shared usernames and passwords for any applications or servers. In cases where shared accounts are required:
    • Document all exceptions,
    • Create inventory of all shared accounts and users who have access to these accounts.
  • At a minimum, daily auto update should be active for the operating system updates unless the computer is managed by a College patch management solution (i.e., Windows Server Update Services)
  • Ensure console access is physically or technically secure. For computers that are not physically secured, implement password protected screen savers that activate after inactivity.
  • Maintain an appropriate level of logging for server OSes and applications (such as Web servers). These logs should be reviewed regularly looking for indications of malicious activity.
    • Determine length of log retention and level of logging.
    • Determine if logging is only needed for more confidential data.
  • Run antivirus software on all servers where it does not interfere with server operation.
  • An inventory of systems requiring exceptions should be kept up to date.
  • Hard drives should be wiped clean prior to salvaging or repurposing.

Academic Lab Computers

  • Public access computers must not be on the same subnet as other administrative departmental computers.
  • Computers must display an appropriate logon banner concerning appropriate use.
  • At a minimum, daily auto update should be active for the operating system unless the computer is managed by a departmental patch management solution.
  • Antivirus software is installed, running, and set for daily automatic updating.
  • Personal firewalls (Symantec, Windows firewall, MacOS firewall, etc.) are installed and running.
  • Anti-spyware tools are installed and running.
  • Local file shares should not be configured on desktops. Supported department file server shares should be used instead.
  • If system privileges are required for users (users can write files to the computer) then a full system rebuild should occur prior to each individual use.
  • Physically inspect systems regularly (at least each semester) looking for computing or setup anomalies.
  • Hard drives should be wiped clean prior to salvaging.

Kiosks

  • Ensure proper awareness is provided to convey appropriate use.
  • Ensure proper notification is provided to articulate the requirement that these systems are not to be used to process sensitive data.
  • Physically inspect systems regularly (at least each semester) looking for computing or setup anomalies.

Networks

  • Limit network access to servers with ACLs, IPSec filtering, firewalls or some other mechanism. The rules should deny all inbound traffic except that which is explicitly permitted.
  • Implement packet filtering to protect departmental resources. This should include, at a minimum, default ACLs restricting incoming connections except where explicitly required. Firewalls can be used as well.
  • For administrative wireless networks, MAC address registration is mandatory. No unregistered systems should be allowed on a wireless subnet. All systems must be registered and tied to a user or network administrator.
  • If a local unit uses a gateway or other network address translation (NAT) device, network logs must be retained for a minimum of 30 days.

Reviews and Assessments

  • Establish a record of local computer systems that require exceptions to these requirements.
  • At a minimum, conduct yearly assessments of a sample of these systems. These assessments should include:
    • Scans looking for open ports and services available on hosts.
    • Network and host based vulnerability scans.
    • Network application reviews (checking for vulnerabilities in websites, databases, etc.).
    • Content inventories on desktops and servers to account for the location of all sensitive College data.
    • Physical inventories to account for the location of hard copies of sensitive College data.
    • Password audits looking for strong passwords on all accounts.
    • Perform regular reviews of file, application and system privileges.
    • Use the College's Network Access Security Application (NASA) to provision accounts for new hires.
    • Use the TMCC Application for Computer Access for moves or terminations.