Effective Date: 12/13/2023
Owner: PPAC
Team Members: PPAC
1.0 PURPOSE
1.1 The purpose of this policy is to establish standardized IT security practices to strengthen, support, and protect the institution.
2.0 SCOPE DETAIL
2.1 This policy supports the management of Baker College’s IT systems and is applicable to any individual responsible for supporting IT systems across the institution.
3.0 DEFINITIONS
AUP
Acceptable Use Policy
EAS
The Enterprise Application Services team
EOS
The manufacturer’s End of Support or End of Service date.
Hardware
Any equipment managed by IT that is used across the organization.
Hosted Services
Service or IT infrastructure that is accessed from an external provider.
IDF
An Intermediate Distribution Frame or cable rack is used to manage communications between end user devices and the Main Distribution Frame (MDF).
ISS
The Infrastructure Security and Support team.
IT
Information Technology
MDF
A Main Distribution Frame is a signal distribution frame or cable rack used to interconnect and manage communication wiring between itself and any number of intermediate distribution frames (IDF).
SLA
Service Level Agreement defines the level of service expected by a customer from a supplier.
SME
Subject Matter Experts are the individuals responsible for documenting instructions and reviewing the compatibility of a resource with the College’s systems.
System Administrator
Administrator of all Networking Infrastructure whether it’s Network Hardware or Servers
Technology Request
A formalized procedure that approves technology installation, acquisition, contracts, and renewals for IT Resources.
TSS
The Technology Services and Support team
4.0 GUIDELINES
4.1 Information Security
4.1.1 Baker College is committed to ensuring a secure computing environment and recognizes the need to manage and prevent IT vulnerabilities. Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization.
4.1.2 Proactively managing vulnerabilities will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred. Baker College will use industry best practices for our accounts and IT infrastructure, including, but not limited to:
a.) Vulnerability and patch management
b.) Use of endpoint security software and/or hardware
c.) Use of intrusion prevention and/or detection systems
d.) Regular Penetration testing
e.) Regular security audits
f.) Provision of fault tolerance (redundancy) where necessary
g.) Establishing and maintaining a Disaster Recovery Plan
h.) Use of least privilege access
i.) Enforcement of password complexity and expiration guidelines
j.) Use of secure Baker approved off-site access software
4.1.3 Baker College adheres to all applicable laws and regulations.
4.2 Infrastructure Security
4.2.1 IT will use industry best practices (i.e. tiered access control) to determine the level of access that all Baker College staff and vendors will have in restricted IT areas.
a.) Vendors must notify the Campus Safety office and/or IT before any work begins.
4.2.2 Physical security for restricted IT areas is handled by a card access system.
a.) All Baker College infrastructure is located in secure MDF/IDF locations
b.) Audit logs of anyone who enters/exits internal MDF / IDF locations are maintained.
c.) IT will audit MDF/IDF access semi-annually.
4.2.3 Security cameras will be in place to record video of anyone who enters/exits secure IT locations.
4.2.4 Vendors should be accompanied by a Baker IT staff member when physical access to IT equipment in a secure area is required.
4.2.5 Data Centers should be the sole location of all business-critical physical hardware when possible. If not, it must be located within designated secure IT areas.
4.2.6 Security technology lifecycle is determined by manufacturer EOS.
4.2.7 Technology usage should adhere to all guidelines as specified by the AUP and manufacturer specifications.
4.3 Cyber Incident Response
4.3.1 Any cyber event or attack that compromises the confidentiality, integrity, or availability of a Baker College Information System is potentially compromised will be reported to the IT Department within one hour of the discovery of the event.
4.3.2 Immediately after notification or discovery of an event, IT will work to mitigate the attack if still present and notify pertinent leadership within the organization of the event.
4.3.3 An incident response team will be assembled to investigate the event in accordance with procedure IT200.018.xx IT Incident Response Plan.
5.0 RESPONSIBILITIES
5.1 IT
5.1.1 The role of Baker College IT is to ensure the IT environment along with affiliated products and services are used to support the institution while striving to achieve the IT SLA’s.
5.1.2 SMEs are responsible for maintaining a process to audit and manage technology.
a.) SMEs will notify the appropriate parties of any licensing requirements and/or violations.
5.2 Procurement Department
5.2.1 Where applicable, recording technology acquisitions and the start and end dates of contracts and agreements.
5.2.2 Provide reporting for contract and licensing expirations.
5.3 Faculty/Staff
5.3.1 Review potential donations or acquisitions of IT-related technology with Campus IT prior to accepting and/or implementing them.
5.4 End User
5.4.1 All end users (employees, students, vendors, etc.) are responsible for understanding all Federal and State regulations that apply to their role(s).
5.4.2 All end users are responsible for reporting any cyber incidents that may occur immediately upon discovery.
5.4.3 Technology usage should adhere to all guidelines as specified by the AUP, student handbook, and employee handbook.