The College has adopted the policies, models, standards, and guidelines set forth by the Virginia Community College System (VCCS) Information Security Program.  This, along with College-specific supporting documentation, constitutes the Community College Information Technology Security Plan.


Governance

VCCS governance considers it essential to communicate its information security requirements throughout the organization to all users in a form that is relevant, accessible, current, and understandable to any reader. Standards are applicable to all organizations that comprise the Virginia Community College System (VCCS), including the System Office, the Shared Services Center, and all Community Colleges, and to all persons directly or indirectly employed by the VCCS, including student employees, faculty, adjunct faculty, staff, and contract personnel.

The College has chosen the website as the communication vehicle for faculty and staff. College-specific information technology security documents are available at: Information Technology Security Plan


Security Controls

Security controls are the management, planning, technical, and operational safeguards and security measures that ensure the College’s confidential and sensitive information is protected, that data remains intact, and that services remain available to our patrons.

These resources are vulnerable to being rendered unusable or crippled due to sabotage, human error, and natural disasters. To preserve the integrity of information technology resources, all areas of the College must contribute to the appropriate level of protection of these mission-critical resources. The primary areas of focus for security controls which significantly reduce threats are:

4. Information Security Risk Management
4.1 - Risk Management Program
4.2 - Assessing Security Risks
4.3 - Treating Security Risks
4.4 - Risk Acceptance, Monitoring, and Review

The results of the Assessing Security Risks standard will be used to determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. Risks will be identified, quantified or qualitatively described, and prioritized against risk evaluation criteria and objectives relevant to the College.


5. Information Security Management Program
5.1 – Information Security Program

  • The Information Security Standard is applicable to all VCCS offices, including all personnel whether employees, students or contractors; all information systems, data, and facilities maintained, whether leased or owned or created within the jurisdiction of the VCCS information technology functions.
  • The information security policy and standard are reviewed at planned intervals, or when significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. The review of the VCCS information security program, including the security policy and security standards, will occur annually during the first quarter of the calendar year (Jan – Mar).
  • VCCS governance reserves the right without notice to limit or restrict any individual's access and to inspect, remove or otherwise alter any data, file, or system resource that may undermine the authorized use of any technology resource. VCCS governance also reserves the right to periodically check any system and take any other action necessary to protect its technology resources. VCCS disclaims responsibility for loss of data or interference with files resulting from its efforts to maintain the privacy and security of those technology resources.

6. Organization of Information Security
6.1 - Internal Organization
6.2 - Mobile Devices and Teleworking

  • Information security responsibilities are allocated in accordance with the ownership of information technology assets identified in an inventory of information technology systems and as determined by the Risk Assessment performed for sensitive systems.
  • The College will protect the integrity of information by defining segregated duties and responsibilities to reduce the opportunities for unauthorized or unintentional modification or misuse of organizational assets. Duties and responsibilities will be designed to ensure that no single person can access, modify, or use assets without authorization or detection. Any input received from contact with authorities is maintained and is used as input to the review of the VCCS Information Security Policy and Program.
  • The College actively participates in ISO Meetings, EDUCAUSE, VASCAN, ACCS, MS-ISAC, US-CERT, ISACA, ISC2, VITA-ISOAG, and others.
  • Information security will be integrated into the VCCS project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes.

College Presidents – Each College President is responsible for the College’s IT systems and data. Their information security responsibilities include:

  • Designation of an ISO for the College by providing the employee’s name, title and contact information to the Chief Information Security Officer (CISO) annually or as personnel changes are made. This information shall be submitted using the VCCS ISO Designation Form via email to the CISO. The College President is strongly encouraged to designate at least one backup for the ISO as well.
  • Determine the optimal place of the information security function within the College hierarchy with the shortest practicable reporting line to the College President.
  • Maintain an Information Security Program that is sufficient to protect the information technology systems, is documented, and effectively communicated.
  • Review and approve the College’s Business Impact Analyses (BIA), Risk Assessment (RA), and a Continuity of Operations Plan (COOP), to include an IT Disaster Recovery Plan, if applicable.
  • Accept residual risks associated with information security and determine any conditions for risk acceptance.
  • Maintain compliance with the VCCS Information Security Program. This compliance must include, but is not limited to:
    • Requiring development and implementation of the College’s Business Continuity Plan and Information Technology Contingency Planning along with the submission of the Annual Statement of Compliance to the System Office;
    • Requiring that IT security audits are conducted;
    • Receiving reports of the results of the IT security audits
    • Requiring development of Corrective Action Plans to address findings of the IT security audits
    • Reporting to the System Office all IT security audit findings and progress in implementing corrective actions in response to IT security audit findings
  • Facilitate communications between IT staff and those in other areas of the College.
  • Establish a program of IT security safeguards.
  • Establish an IT security awareness and training program.
  • Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.
  • Ensure that managers in the College at all levels provide for the IT security needs under their jurisdiction and they take all reasonable actions to provide adequate IT security and to escalate problems, requirements, and matters related to IT security to the highest level necessary for resolution.
  • Maintain an organization chart that depicts the reporting structure of employees with specific responsibilities for the security of IT systems and data and their specific IT security roles and responsibilities.
  • Review System Security Plans for all sensitive College IT systems and:
    • Approve those System Security Plans that provide adequate protections against IT security risks or
    • Disapprove System Security Plans that do not provide adequate protections against IT security risks and require the System Owner implement additional security controls on the IT system to provide adequate protections against IT security risks.

Information Security Officer (ISO) - The ISO is responsible for the development and administration of the College Contingency Planning and Business Recovery Program as well as the local IT security architecture. The ISO is expected to perform the following duties:

  • Develop and manage the IT security program so that it meets or exceeds the requirements of VCCS IT security policies and standards in a manner commensurate with risk.

  • Develop and maintain an IT security awareness and training program for the staff, including contractors and IT service providers.
  • Coordinate and provide IT security information to the VCCS CISO as required.
  • Implement and maintain the appropriate balance of protective, detective and corrective controls for IT systems commensurate with data sensitivity, risk and systems criticality.
  • Mitigate and report all IT security incidents in accordance with related VCCS requirements and take appropriate actions to prevent recurrence.
  • Maintain liaison with the VCCS ISO.

System Administrators - The System Administrator is an analyst, engineer, or technician who implements, manages, and/or operates a system or systems. The System Administrator assists management in the day-to-day administration of the IT systems, and implements security controls and other requirements of the local IT security program on IT systems for which the System Administrator has been assigned responsibility. Typically, in the VCCS these include SIS Security Officers, LAN Administrators, Network Security Engineers, Database System Administrators, and Application Administrators.

IT System Users - All users of VCCS IT systems including employees and contractors are responsible for the following:

  • Read and comply with VCCS Contingency Planning and Business Recovery program requirements as well as VCCS and College IT policies, standards, and guidelines.
  • Report breaches of IT security, actual or suspected, to their management and/or the ISO.
  • Take reasonable and prudent steps to protect the security of IT systems and data to which they have access.

System Owner - The System Owner is the manager responsible for operation and maintenance of an IT system. With respect to IT security, the System Owner’s responsibilities include the following:

  • Require that all IT system users complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually thereafter.
  • Manage system risk and develop any additional IT security policies and procedures required to protect the system in a manner commensurate with risk.
  • Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
  • Designate a System Administrator for the system.

Data Owner - The Data Owner is the manager responsible for the policy and practice decisions regarding data, and is responsible for the following:

  • Evaluate and classify sensitivity of the data.
  • Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
  • Communicate data protection requirements to the System Owner.
  • Define requirements for access to the data.

Note: A Data Owner can own data on multiple IT systems.

Data Custodian - Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners. Data Custodians are responsible for the following:

  • Protect the data in their possession from unauthorized access, alteration, destruction, or usage.
  • Establish, monitor, and operate IT systems in a manner consistent with VCCS IT security policies and standards.
  • Provide Data Owners with reports, when necessary and applicable.

Privacy Officer - The ISO will work with the College employee designated as the Privacy Officer, depending on their area of responsibility (Human Resources, Student Services, etc.). Otherwise, the ISO will assume the duties of the Privacy Officer in matters relating to information security. The Privacy Officer will provide guidance on:

  • The requirements of state and federal privacy laws.
  • Disclosure of and access to sensitive information.
  • Security and protection requirements in conjunction with IT systems when there is some overlap among sensitivity, disclosure, privacy, and security issues.

7. Personnel Information Security
7.1 - Prior to Employment
7.2 - During Employment
7.3 - Termination or Change of Employment

  • Background verification checks on all candidates for College employment, including who is eligible to screen people and how, when, and why verification checks are carried out, will be conducted in accordance with Virginia Department of Human Resource Management (DHRM) Policy 2.10, Hiring, and will be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
  • Employees, contractors, and third party users must sign the appropriate information security agreements applicable to their employment. Employees, contractors and third party users must apply information security in accordance with the VCCS established policies and procedures.
  • All College employees, and where relevant, contractors and third party users, receive annual security awareness training. Refresher, updated, or special situational training as technology, System Office, or College environments change will be held as appropriate. The security awareness training will begin with a formal introduction process within the first 30 days to introduce VCCS’s security policies and expectations to continue accessing information and services or before increased access is granted. Afterwards, training must be completed on an annual basis.
  • Employees who commit a security violation are subject to potential disciplinary action as per the Department of Human Resources Standards of Conduct Policy 1.60.
  • The communication of termination responsibilities should include ongoing security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement, and the terms and conditions of employment, continuing for a defined period after the end of the employee’s, contractor’s or third party user’s employment.

8. Asset Management
8.1 - Responsibility for Assets
8.2 - Information Classification
8.3 - Media Handling

  • All assets will be clearly identified and an inventory of all important assets will be compiled and maintained. Information and assets that are associated with information processing facilities will be owned by a designated part of the organization. The “asset owner” will be assigned the overall responsibility for protecting individual assets. The asset owner is responsible for:
    • Ensuring that information and assets associated with information processing facilities are appropriately classified;
    • Defining and periodically reviewing access restrictions and classifications, taking into consideration applicable access control policies
    • Note: Ownership may be allocated to a business process; a defined set of activities; an application; or a defined set of data.
  • All employees, contractors and third party users will return all of VCCS’s assets in their possession upon termination of their employment, contract or agreement. In cases where an employee, contractor or third party user purchases VCCS’s equipment or uses their own personal equipment, procedures will be developed and implemented to ensure that all relevant information is transferred to VCCS and securely erased from the equipment. In cases where an employee, contractor or third-party user has knowledge that is important to ongoing operations, that information will be documented and transferred to VCCS prior to termination or change in employment.
  • The College will protect information by implementing procedures for the handling and storage of information to prevent unauthorized or inadvertent disclosure or misuse. These procedures will include operating procedures and will apply to information in paper form, computing systems, networks, mobile computing, mobile communications, mail, voice mail, voice communications in general, multimedia, postal services and facilities, use of fax machines, other devices or formats, and will include the handling, processing, storing, and communicating of information consistent with the criticality and sensitivity of the information.
  • The College will protect information by implementing effective procedures to manage electronic and non-electronic removable media including the handling of assets.

9. Access Control
9.1 - Business Requirement for Access Control
9.2 - User Access Management
9.3 – User Responsibilities
9.4 – System and Application Access Control

  • Users will be provided with access to the network and only those network services that they have been specifically authorized to use.
  • The access rights of all employees, contractors and third party users to information and information processing facilities will be removed upon termination of their employment, contract or agreement, or adjusted upon change.
  • Users are required to follow good security practices in the selection and use of passwords.
  • All users of College data systems will be issued individual identifiers (user IDs) to log on to the systems. Users may not share their user IDs with anyone, and suitable authentication techniques must be used to verify the identity of users.
  • Users will lock their workstations when they leave their work area.
  • Operating systems are configured to timeout inactive user sessions after a predefined time period. Inactive sessions increase the likelihood that unauthorized users could use the credentials of the logged on user to gain access to the system and data, or to cause denial of service to legitimate users.

Privileged Accounts

Multi-user systems (e.g. AIS & SIS) that require protection against unauthorized access will have the allocation of privileges controlled through a formal authorization process.

  • Privileges will be allocated to users on a need-to-use basis and on an event-by-event basis, i.e. the minimum requirement for their functional role only when needed;
  • The principle of least privilege must be used by each college and the System Office in the assignment of security roles and responsibilities
  • Each college campus may name two qualified individuals as the primary users of the Student Information System Enrollment Panel per campus location. The college is responsible for ensuring the individual has all the required knowledge, training and appropriate skillsets required to effectively administer and use the Panel. User exceptions beyond two individuals must be documented. The college information security officer must maintain, on file, a current list of qualified users for review by the VCCS Internal Audit Office.
  • Given the current authority and scope of access assigned to the Super User security role and other similar privileged security roles, access must be strictly limited to those personnel as determined by the needs of the colleges and System Office. Requests for access to the production instance must be authorized by the immediate supervisor, College head or their designee, the data owner, and the system owner.
  • Given the current scope and power of correction mode in AIS, this privilege must be strictly limited to those personnel as determined by the needs of the Colleges and System Office.
  • Each College may name up to six qualified individuals as the primary users of the Workforce Enterprise System Power User Role. The number of Power Users for your College is based on your Lumens license. Those serving as Power Users must be identified and registered with Augusoft as well as documented by the College. The College is responsible for ensuring the Power Users have all the knowledge, training and appropriate skillsets required to effectively administer and use the Role’s privileges.

10. Cryptography
10.1 - Cryptographic Controls

  • A policy on the use of cryptographic controls for protection of information has been developed and implemented. Cryptographic controls will be used to achieve the three (3) following security objectives:
    • Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
    • Integrity/authenticity: using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information; and
    • Non-repudiation: using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.
  • All cryptographic keys will be protected against modification, loss, and destruction. In addition, secret and private keys will need protection against unauthorized disclosure. Equipment used to generate, store and archive keys will be physically protected.
  • In order to reduce the likelihood of compromise, activation and deactivation dates for keys will be defined so that the keys can only be used for a limited period of time. This period of time will depend on the circumstances under which the cryptographic control is being used and the perceived risk, and will be documented in the risk assessment.

11. Physical and Environmental Security
11.1 - Secure Areas
11.2 – Equipment Security

  • The College will use security perimeters/barriers, such as walls, card controlled entry doors or manned reception desks to protect areas that contain information and information processing facilities.
  • Secure areas will be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
  • Physical security for offices, rooms, and facilities will be designed and applied.
  • Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied.
  • Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
  • Equipment, information or software should not be taken off-site without prior authorization.
  • Security should be applied to off-site equipment taking into consideration the different risks of working outside the College’s premises. Regardless of ownership, the use of any information processing equipment outside the College’s premises should be authorized by management as determined by recognized risks. Information storing and processing equipment includes all form factors of network computing devices (including but not limited to desktops, laptops, tablets, and smart phones), USB storage devices, organizers, mobile phones, smart cards, paper or other form, which is held for home-working/teleworking or being transported away from the normal work location.
  • All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. Devices containing sensitive information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.
  • All users will be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection as part of the security awareness training received.
  • A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities have been adopted. This clear desk and clear screen policy takes into consideration the information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects of VCCS.

12. Operations Security
12.1 - Operational Procedures and Responsibilities
12.2 - Protection from Malware
12.3 - Backup
12.4 – Logging and Monitoring
12.5 - Control of Operational Software
12.6 - Technical Vulnerability Management
12.7 - Information Systems Audit Considerations

  • The College will consider the security implications associated with the responsibilities and procedures for the management and operation of all information processing facilities. This includes the development of appropriate operating procedures. Segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
  • The College will protect information by ensuring operating procedures are documented, maintained, and made available to all users who need them.
  • The College will ensure required system performance, availability, and reliability of computing resources is achieved.
  • User activity is logged through Microsoft Sentinel and logs are monitored continuously by Conquest Cyber.
  • The College requires Multi-Factor Authentication (MFA) for all enterprise systems through MyVCCS/RapidIdentity and also requires MFA for all users to access Microsoft 365 email/OneDrive/SharePoint, VPN and Meraki network devices.
  • The College will protect information by implementing detection, prevention, and recovery controls against malicious code. VCCS and College will implement appropriate user awareness procedures and programs to educate users on the risks and responses to malicious code.
  • The College performs continual penetration testing and scanning through the use of RedSpy 365.
  • The retention period for essential business information, and any requirement for archive copies to be permanently retained, should be determined in accordance with Library of Virginia retention schedules for both physical and virtual records, as well as the timely destruction of records per Virginia Code § 42.1-86.1, Disposition of Public Records.
  • Any decision to upgrade to a new release will take into consideration the business requirements for the change, and the security of the release, and severity of security problems affecting this version. Software patches will be applied when they can help to remove or reduce security weaknesses.
  • Change requests will be managed through help desk tickets and emails to the CIO and VP of Administration for approval.

13. Communications Security
13.1 – Network Security Management
13.2 – Information Transfer

  • The College will ensure networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
  • The College will protect network and information by implementing security features, service levels, and management requirements for all network services to be identified and included in any network services agreement, whether these services are provided by the System Office, College, or outsourced.
  • The VCCS will protect information by implementing formal policies, procedures, and controls for the exchange of information through the use of all types of communication media and resources. Information exchange may occur through the use of a number of different types of communication media and resources, including electronic mail, voice, facsimile, and video.
  • The VCCS will protect media containing sensitive or confidential information against unauthorized access, misuse, or corruption during transportation beyond the College physical boundaries. Information can be vulnerable to unauthorized access, misuse, or corruption during physical transport, for instance when sending media via the postal service or via courier.
  • The VCCS will protect information by establishing agreements for the exchange of information and software between the VCCS and external parties. Policies, procedures, and standards will be established and maintained to protect information and physical media in transit and should be referenced in such exchange agreements.
  • The VCCS will protect information involved with the interconnection of business information systems by identifying vulnerabilities, implementing policies and controls to manage information sharing, and limiting access to systems and data by employing the least privilege model.
  • The VCCS will protect information involved in electronic messaging with appropriate protection controls based upon the classification of data transmitted. Electronic messaging such as email, Electronic Data Interchange (EDI), and instant messaging play an increasingly important role in business communications.
  • Official VCCS communications sent by electronic systems are subject to the same public information, privacy and records retention requirements and policies as other official communications. All VCCS employees and other authorized users are required to exercise extreme caution when using electronic communication services and must not assume their service providers can guarantee that private, sensitive, or confidential messages will be automatically afforded the appropriate protection. Emails containing information classified as Sensitive or Confidential shall not be sent over any email system unless encrypted.
  • No user of electronic communication services should have any expectation of privacy in any message, file, image or data created, sent, retrieved or received by the College. The College retains the right to monitor any and all aspects of their electronic communication systems including email sent or received by VCCS users or stored on any College owned equipment (for example; servers, notebooks or desktop computers). Such monitoring may occur at any time, without notice, and without the user’s permission.
  • Faculty and staff shall not automatically redirect or forward messages from their official College email address to an unofficial email address (such as AOL, Yahoo, or Hotmail). This puts the College at risk of inadvertently disclosing sensitive data. Having email lost or delayed as a result of redirection, or mislabeled as spam or junk mail, does not absolve users from the responsibilities associated with information sent to their official email address. The VCCS is not responsible for the handling of email by outside vendors or unofficial mail servers.
  • The Student email account is provided to students for the purpose of exchanging official electronic communications with other students, faculty, and staff and is designated as the official channel for all communications with the college. The student email account will be suspended for those students who applied to the college, but never enrolled, and are considered inactive in accordance with the Academic/Student Services discontinuation policy. Suspended email accounts can be reactivated through reapplication for admission to the college following the normal online application process.
  • VCCS has identified the requirements for confidentiality and non-disclosure agreements which reflect VCCS’s needs for the protection of VCCS data and systems and reviews them on at least an annual basis.
  • Confidentiality and/or non-disclosure agreements used by VCCS address the requirement to protect confidential information using legally enforceable terms.
  • VCCS’s confidentiality and non-disclosure agreements comply with all applicable laws and regulations for the jurisdiction to which they apply. Requirements for confidentiality and non-disclosure agreements will be reviewed annually and/or when changes occur that influence these requirements.

14. System Acquisition, Development & Maintenance
14.1 - Security requirements of Information Systems
14.2 - Security in Development and Support (pending approval)
14.3 - Test Data

  • Statements of business requirements for new information systems, or enhancements to existing information systems should specify the requirements for security controls.
  • Data input to applications will be validated to ensure that the data is correct and appropriate.
  • The College will document and enforce formal change control procedures in order to minimize the corruption of information systems. Introduction of new systems and major changes to existing systems will follow a formal process of documentation, specification, testing, quality control, and managed implementation.
  • The College will establish specific acceptance criteria for new information systems, upgrades, and new versions and appropriate tests of the system(s) will be carried out during development and prior to acceptance. The criteria will ensure that the requirements for acceptance of new systems are clearly defined, agreed, documented, and tested. New information systems, upgrades, and new versions should only be migrated into production after obtaining formal acceptance.

15. External Party Relationships
15.1 - Information Security in External Party Relationships
15.2 - Third Party Service Delivery Management

  • The risks to VCCS’s information systems or data from business processes involving external parties will be identified and appropriate controls implemented before granting access.
  • Access by external parties to VCCS’s information will not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement.
  • Agreements with third parties involving accessing, processing, communicating or managing VCCS’s information systems or data, or adding products or services to information systems or data, will cover all relevant security requirements.
  • All identified security requirements will be addressed before giving customers access to VCCS’s information or assets.
  • The College will protect information by ensuring that third parties implement, operate, and maintain the security controls, service definitions, and delivery levels defined in the agreements.

16. Information Security Incident Management
16.1 - Management of Information Security Incidents and Improvements

  • Management responsibilities and procedures are established to ensure a quick, effective, and orderly response to information security incidents. In addition to the reporting of information security events and weaknesses, the monitoring of systems, alerts, and vulnerabilities will be used to detect information security incidents.
  • Information security events at the College are to be reported to the IT department as quickly as possible.
  • All employees, contractors and third party users shall report these matters either to their management or directly to IT as quickly as possible in order to prevent information security incidents.
  • Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence will be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

17. Information Security Aspects of Business Continuity Management
17.1 - Information Security Aspects of Business Continuity Management

  • The College will develop and implement plans to maintain or restore operations and ensure availability of information at the required level and in the required time frames following interruption to, or failure of, critical business processes.
  • The College will test business continuity plans periodically to ensure that they are up to date and effective.
  • Business continuity plan tests will ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when a plan is invoked.

18. Compliance
18.1 - Compliance with Legal and Contractual Requirements
18.2 - Information Security Reviews

  • Implement appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.
  • Protect important records from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
  • Protect data and privacy as required in relevant legislation, regulations, and, if applicable, contractual clauses.

19. Cloud Services
19.1 - Public Cloud Services

The cloud service provider must indicate in the contract for cloud services all information security responsibilities that will remain with the VCCS or are specifically excluded from their service offering depending on the type of service to be provided. The VCCS requires a service level agreement (SLA) that will document its performance expectations of the cloud services provider, as well as its obligations under the cloud services contract. The cloud service provider must provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. The cloud service provider must have an established management framework to initiate and control the implementation and operation of information security within the organization. The cloud service provider must ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. The cloud service provider must ensure that employees and contractors are aware of and fulfill their information security responsibilities. The cloud service provider must protect the VCCS’s interests as part of the process of changing or terminating employment.


20. Office 365
20.1 - 365 Account Security

The Microsoft Office 365 suite must be deployed, configured and monitored in adherence with all security, confidentiality and privacy standards as well as applicable statutes. Every Microsoft Office 365 tenant must have at least two (2) and no more than four (4) Global Administrator accounts. Exceptions to the maximum of 4 accounts must be approved in writing by the Information Security Officer for each college. Such exceptions must be confirmed annually. (There must always be at least 2 Global Administrators; no exceptions.)


Summary

The College constantly works to neutralize, or minimize, all known vulnerabilities identified via the risk assessment of information technology resources and environment. Some risk inevitably remains while conducting business; the College recognizes that it functions in this environment and strives to provide services while instituting reasonable protective measures. The College will determine funding sources during planning to rectify, where applicable, any discrepancies of non-compliance with ISO/IEC 27002:2013(E), as identified from conducting the Business Impact Analysis and the Risk Assessment for Information Technology Infrastructure.

Contact the Information Security Officer for further information or questions on the Information Technology Security Plan.