Baker College Policy
IT 500-000 IT Foundational Policy: Security
Responsible Oversight: Chief Information Officer
Date of Current Revision / Creation: December 13, 2023
1.0 Purpose
The purpose of this policy is to establish standardized IT security practices to strengthen, support, and protect the institution.
2.0 Definitions
AUP - Acceptable Use Policy
EAS - The Enterprise Application Services team
EOS - The manufacturer’s End of Support or End of Service date.
Hardware - Any equipment managed by IT that is used across the organization.
Hosted Services - Service or IT infrastructure that is accessed from an external provider.
IDF - An Intermediate Distribution Frame or cable rack is used to manage communications between end user devices and the Main Distribution Frame (MDF).
ISS - The Infrastructure Security and Support team.
IT - Information Technology
MDF - A Main Distribution Frame is a signal distribution frame or cable rack used to interconnect and manage communication wiring between itself and any number of intermediate distribution frames (IDF).
SLA - Service Level Agreement defines the level of service expected by a customer from a supplier.
SME - Subject Matter Experts are the individuals responsible for documenting instructions and reviewing the compatibility of a resource with the College’s systems.
System Administrator - Administrator of all networking infrastructure, whether network hardware or servers.
Technology Request - A formalized procedure that approves technology installation, acquisition, contracts, and renewals for IT Resources.
TSS - The Technology Services and Support team
3.0 Scope
This policy supports the management of Baker College’s IT systems and is applicable to any individual responsible for supporting IT systems across the institution.
4.0 Policy Statement
Information Security
Baker College is committed to ensuring a secure computing environment and recognizes the need to manage and prevent IT vulnerabilities. Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization.
Proactively managing vulnerabilities will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred. Baker College will use industry best practices for our accounts and IT infrastructure, including, but not limited to:
- Vulnerability and patch management
- Use of endpoint security software and/or hardware
- Use of intrusion prevention and/or detection systems
- Regular penetration testing
- Regular security audits
- Provision of fault tolerance (redundancy) where necessary
- Establishing and maintaining a Disaster Recovery Plan
- Use of least privilege access
- Enforcement of password complexity and expiration guidelines
- Use of secure Baker approved off-site access software
Baker College adheres to all applicable laws and regulations.
Infrastructure Security
IT will use industry best practices (i.e. tiered access control) to determine the level of access that all Baker College staff and vendors will have in restricted IT areas.
- Vendors must notify the Campus Safety office and/or IT before any work begins.
Physical security for restricted IT areas is handled by a card access system.
- All Baker College infrastructure is located in secure MDF/IDF locations
- Audit logs of anyone who enters/exits internal MDF / IDF locations are maintained.
- IT will audit MDF/IDF access semi-annually.
Security cameras will be in place to record video of anyone who enters/exits secure IT locations.
Vendors should be accompanied by a Baker IT staff member when physical access to IT equipment in a secure area is required.
Data Centers should be the sole location of all business-critical physical hardware when possible. If not, it must be located within designated secure IT areas.
Security technology lifecycle is determined by manufacturer EOS.
Technology usage should adhere to all guidelines as specified by the AUP and manufacturer specifications.
Cyber Incident Response
Any cyber event or attack that compromises, or potentially compromises, the confidentiality, integrity, or availability of a Baker College Information System will be reported to the IT Department within one hour of the discovery of the event.
Immediately after notification or discovery of an event, IT will work to mitigate the attack if still present and notify pertinent leadership within the organization of the event.
An incident response team will be assembled to investigate the event in accordance with procedure IT200.018.xx IT Incident Response Plan.
5.0 Procedures
None
6.0 Responsibilities
IT
The role of Baker College IT is to ensure that the IT environment, along with affiliated products and services, is used to support the institution while striving to achieve the IT SLAs.
SMEs are responsible for maintaining a process to audit and manage technology.
SMEs will notify the appropriate parties of any licensing requirements and/or violations.
IT Leadership
Where applicable, record technology acquisitions and the start and end dates of contracts and agreements.
Provide reporting for contract and licensing expiration.
Faculty/Staff
Review potential donations or acquisitions of IT-related technology with Campus IT prior to accepting and/or implementing them.
End User
All end users (employees, students, vendors, etc.) are responsible for understanding all Federal and State regulations that apply to their role(s).
All end users are responsible for reporting, immediately upon discovery, any cyber incidents that may occur.
Technology usage should adhere to all guidelines as specified by the AUP, student handbook, and employee handbook.
7.0 Citations & Related Information
None