Information Services (SPC-IS)
Data Classification and Security Planning Policy: I-B
Purpose
Ensure that the South Plains College Information Technology (IT) resources and information systems are established with adequate security controls and enhancements that reflect applicable federal and state laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Policy
This policy applies to all departments and users of IT resources and assets.
1. System Security Plan
SPC-IS Department shall:
- Develop a security plan for each information system that:
  - Is consistent with SPC's enterprise architecture.
  - Explicitly defines the authorization boundary for the system.
  - Describes the operational context of the information system in terms of missions and business processes.
  - Provides the security categorization of the information system, including supporting rationale.
  - Describes the operational environment for the information system and its relationships with or connections to other information systems.
  - Provides an overview of the system's security requirements.
  - Identifies any relevant overlays, if applicable.
  - Describes the security controls in place or planned to meet those requirements, including a rationale for the tailoring decisions.
  - Is reviewed and approved by the authorizing official or designated representative before plan implementation.
- Distribute copies of the security plan and communicate subsequent changes to the plan to authorized personnel and business units.
- Review the security plan for the information system at least annually.
- Update the plan to address changes to the information system or environment of operation, or problems identified during plan implementation or security control assessments.
- Protect the security plan from unauthorized disclosure and modification.
2. Rules of Behavior
SPC-IS Department shall:
- Establish and make readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior regarding information and information system usage.
- Receive a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
- Review and update the rules of behavior.
- Individuals who have signed a previous version of the rules of behavior must read and re-sign them when the rules of behavior are revised and updated.
3. Information Security Architecture
SPC-IS Department shall:
- Develop an information security architecture for the information system that:
  - Describes the overall philosophy, requirements, and approach to protecting the confidentiality, integrity, and availability of organizational information.
  - Describes how the information security architecture is integrated into and supports the enterprise architecture.
  - Describes any information security assumptions and dependencies on external services.
- Review and update the information security architecture at least annually to reflect updates in the enterprise architecture.
- Ensure that planned information security architecture changes are reflected in the security plan, security operations, and procurements/acquisitions.
4. Defense-in-Depth Approach
SPC-IS Department shall:
- Design the security architecture using a defense-in-depth approach that:
  - Allocates security safeguards to SPC-defined locations and architectural layers.
  - Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
5. Security Categorization
SPC-IS Department shall:
- Apply appropriate security controls to data categorized as confidential by system owners, including protected health information (PHI) and personally identifiable information (PII), in accordance with applicable federal and state laws, directives, policies, regulations, standards, and guidance.
- Document the security controls (including supporting rationale) in the security plan for the information system.
6. Risk Assessment
Each SPC Department shall:
- Conduct (or have conducted by a qualified third party) an assessment of risk, including the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.
- Document risk assessment results in the annual IT Risk Assessment.
- Review risk assessment results quarterly.
- Disseminate risk assessment results to stakeholders.
- Update the risk assessment quarterly, or whenever there are significant changes to the information system or operating environment (including the identification of new threats and vulnerabilities) or other conditions that may affect the system's security state.
7. Vulnerability Scanning
SPC-IS Department shall:
a. Scan for vulnerabilities in the information system and hosted applications quarterly or at random per the Texas DIR, and when new vulnerabilities potentially affecting the system or applications are identified and reported.
b. Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
  - Enumerating platforms, software flaws, and improper configurations.
  - Formatting checklists and test procedures.
  - Measuring vulnerability impact.
c. Analyze vulnerability scan reports and results from security control assessments.
d. Remediate legitimate vulnerabilities within one month, in accordance with an organizational assessment of risk.
e. Share information obtained from the vulnerability scanning process and security control assessments with the Chief Information Officer to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
f. Employ vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities to be scanned.
g. Update the list of information system vulnerabilities scanned monthly, prior to a new scan, or when new vulnerabilities are identified and reported.
h. Ensure that information systems implement privileged access authorization to all systems for selected vulnerability scanning.
Compliance
Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to IT resources, and other actions as well as both civil and criminal penalties.
Policy Exceptions
Requests for exceptions to this policy shall be reviewed by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). Departments requesting exceptions shall submit such requests to the CIO. The request should specifically state the scope of the exception, the justification for granting it, the potential impact or risk of granting it, the risk mitigation measures to be undertaken by the IT Department, and the initiatives, actions, and timeframe for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests and confer with the requesting department.
Related Documents
National Institute of Standards and Technology (NIST) Special Publications (SP): NIST SP 800-53a – Risk Assessment (RA), NIST SP 800-12, NIST SP 800-30, NIST SP 800-39, NIST SP 800-40, NIST SP 800-60, NIST SP 800-70, NIST SP 800-100, NIST SP 800-115; NIST Federal Information Processing Standards (FIPS) 199
An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Texas Security Controls Standards Catalog Control Group: CA-8, PL-2, RA-1, RA-2, RA-3, RA-5
NIST Function Groups: ID.RM-1