Effective Date: 03/22/2023
Owner: PPAC
Team Members: PPAC
1.0 PURPOSE
1.1 The purpose of this policy is to establish standardized IT security practices to strengthen, support, and protect the institution.
2.0 SCOPE DETAIL
2.1 This policy supports the management of Baker College’s IT systems and is applicable to any individual responsible for supporting IT systems across the institution.
3.0 DEFINITIONS
AUP
Acceptable Use Policy
EAS
The Enterprise Application Services team
EOS
The manufacturer’s End of Support or End of Service date.
Hardware
Any equipment managed by IT that is used across the organization.
Hosted Services
Service or IT infrastructure that is accessed from an external provider.
IDF
An Intermediate Distribution Frame or cable rack is used to manage communications between end user devices and the Main Distribution Frame (MDF).
ISS
The Infrastructure Security and Support team.
IT
Information Technology
MDF
A Main Distribution Frame is a signal distribution frame or cable rack used to interconnect and manage communication wiring between itself and any number of intermediate distribution frames (IDF).
SLA
Service Level Agreement defines the level of service expected by a customer from a supplier.
SME
Subject Matter Experts are the individuals responsible for documenting instructions and reviewing the compatibility of a resource with the College’s systems.
System Administrator
Administrator of all networking infrastructure, whether network hardware or servers.
Technology Request
A formalized procedure that approves technology installation, acquisition, contracts, and renewals for IT Resources.
TSS
The Technology Services and Support team
4.0 GUIDELINES
4.1 Information Security
4.1.1 Baker College is committed to ensuring a secure computing environment and recognizes the need to manage and prevent IT vulnerabilities. Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. Proactively managing vulnerabilities will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred. Baker College will use industry best practices for our accounts and IT infrastructure, including, but not limited to:
a.) Vulnerability and patch management
b.) Use of endpoint security software or hardware
c.) Use of intrusion prevention and/or detection systems
d.) Regular penetration testing
e.) Regular security audits
f.) Provision of fault tolerances when possible
g.) Establishing and maintaining a Disaster Recovery Plan
h.) Use of least privilege access
i.) Enforcement of password complexity and expiration
j.) Use of secure, Baker-approved off-site access software
4.1.2 Baker College adheres to all applicable laws and regulations.
4.2 Infrastructure Security
4.2.1 IT will use industry best practices, including tiered access, to determine the level of access that all Baker staff and vendors will have in restricted IT areas.
a.) Vendors must notify the Campus Safety office or IT before any work begins.
4.2.2 Physical security for restricted IT areas is handled by a card access system.
a.) All Baker College infrastructure is located in secured MDF / IDF locations, in which audit logs of anyone who enters / exits internal MDF / IDF locations are available.
b.) IT will audit MDF / IDF access semi-annually.
4.2.3 Security cameras record video of anyone who enters / exits secure IT locations.
4.2.4 Vendors should be accompanied by a Baker IT staff member when physical access to IT equipment is required.
4.2.5 Data Centers should be the sole location of all mission-critical physical hardware when possible. If not, it must be located within designated IT rooms.
4.2.6 Security technology lifecycle is determined by manufacturer EOS.
4.2.7 Technology usage should adhere to all guidelines as specified by the AUP and manufacturer specifications.
4.3 Cyber Incident Response
4.3.1 Any cyber event or attack where the confidentiality, integrity, or availability of a Baker College Information System is potentially compromised will be reported to the IT Department within one hour of the discovery of the event.
4.3.2 Immediately after notification or discovery of an event, IT will attempt to stop the attack if still present and assemble a Response Team to investigate the cyber event.
5.0 RESPONSIBILITIES
5.1 IT
5.1.1 The role of Baker College Information Technology is to ensure the IT environment and affiliated products and services are used to support the institution while striving to achieve the IT SLAs.
5.1.2 SMEs are responsible for maintaining a process to audit and manage technology.
a.) SMEs will notify the appropriate parties of any licensing violations.
5.2 Procurement Department
5.2.1 Where applicable, record technology acquisitions and the start and end dates of contracts and agreements.
5.2.2 Provide reporting for contract and licensing expirations.
5.3 Faculty/Staff
5.3.1 Review potential donations or acquisitions of IT-related technology with Campus IT.
5.4 End User
5.4.1 The end user is responsible for understanding all Federal and State regulations that apply to their role(s).
5.4.2 Usage should adhere to all guidelines as specified by the AUP, student handbook, and employee handbook.