Information Security Policy

Introduction

The purpose of this policy is to ensure the confidentiality and integrity of Mississippi College (MC) information assets. This policy reflects MC’s commitment to stewardship of sensitive personal information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of MC constituents, safeguarding vital business information, and fulfilling legal obligations.

Scope

Identity theft has received much attention over the past few years and will continue to be a major concern with information. Moreover, the threat of natural disaster requires physical security of the institution’s information assets and plans for timely resumption of business in the wake of such an event.

Some of the numerous federal and state laws and regulations regarding the protection of data that relates to MC are:

1. The Family Educational Rights and Privacy Act of 1974, (FERPA) commonly referred to as the Buckley Amendment, protects the rights of students by controlling the creation, maintenance, and access of educational records. It guarantees students' access to their academic records while prohibiting unauthorized access by others.
2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes significant privacy requirements by creating national standards to protect personal health information.
3. The Gramm-Leach-Bliley Act (GLBA), while targeted at financial institutions, requires universities to maintain an information security program for the protection of financial information.
4. The Payment Card Industry (PCI) Data Security Requirements apply to all members, merchants, and service providers that capture, store, process, or transmit credit card data. Major universities are in a unique position with large amounts of educational, medical, financial, and other critical information. The risks associated with an information security breach or significant data loss demands a strong Information Security Policy.

Policy Statement

It is the policy of Mississippi College to protect critical information in all forms for which it is the custodian and to maintain a robust, proactive, and evolving information security program. This includes protection from a variety of both internal and external threats such as fraud, embezzlement, sabotage, terrorism, extortion, privacy violation, service interruption and natural disaster. Information security is the responsibility of all individuals who access and maintain Mississippi College information resources, i.e. students, faculty, staff, alumni, affiliates, contractors, and retirees, and others as appropriate. Each individual must be aware of, committed to, and accountable for their role in the overall protection of critical information.

Procedure

Security of protected information is a complex issue, requiring a multi-faceted framework. While technology provides numerous tools to facilitate safeguarding of protected information, ultimately institutional awareness, commitment, vigilance, and persistence are the keys to a successful program. It is expected that the individual components within the overall policy framework will continually evolve in response to changing information security technologies, requirements, and threats.

Data Classification

The Data Classification Table is meant to describe the confidentiality of the data in question, and does not factor in the integrity or availability requirements in its rating. Note that if a piece of data fits into more than one category, it is considered to be the highest of those classes.

Network Security

MC's university network refers to those devices and communication pathways that form the campus computer and data communications infrastructure. University departments and individuals that make use of the university network and computing equipment connected to the networks are responsible for keeping the network and departmental workstations secure in accordance with this policy

1. Role and Authority of Information Systems and Services: Due to the critical nature and function of MC's university network, the design, operation and maintenance of the network is delegated exclusively to the Computer Services Department.
2. User Responsibilities
   1. Basic Security Measures: All network users are responsible for implementing the following basic security measures with respect to their PCs or Laptops:
      1. Installing a current version of anti-virus software;
      2. Running an operating system that has been recently updated and patched;
      3. Uploading all vendor-recommended security updates to all MC owned computers when prompted to do so by patch management software;
      4. Utilizing a personal Firewall is recommended;
      5. Users of the university's Virtual Private Network or Wireless Network must implement anti-virus software, an updated and patched operating system, and a personal Firewall;
      6. Encrypting laptop computers and other mobile devices that contain non-public information.
   2. Additional Security Requirements for Virtual Private Network Usage 
      1. Security threats increase when using remote access to Virtual Private Networks (VPN). Thus, all VPN connections must receive written approval from a Vice President and are maintained by Computer Services. VPN users must maintain the workstation security measures identified under User Responsibilities, above. In addition, VPN users may use the VPN only under the following stipulations: 
      2. Computer Services shall limit access to the VPN to individuals who have a justifiable administrative, business, academic or research need to access university-owned systems from a remote location. Upon graduation or termination of employment with the university, all privileged access to systems and VPN must be surrendered, unless the user has ongoing permission to access university-owned systems ​​

   3. Unauthorized Access and other Network Security Violations: ​​​​​​​It is a violation of this policy for any user connected to the university network to allow an unauthorized individual to use the network. Other network security violations include but are not limited to routing between networks, using networks in a manner that degrades quality of network service, stealing an Internet Protocol (IP) address, Spoofing, “phishing,” using peer-to-peer (P2P) or other similar file sharing technologies without approval of the Chief Information Officer, or using network resources in violation of applicable laws or university policies. The university network and users use thereof are subject to monitoring by Computer Services.

3. Administrator Responsibilities

   1. System Security: The administrator of a Server for university network-connected computers is responsible for the security of that system. The administrator must monitor and log accesses and keep other system logs that could be useful in establishing the identities and actions of people, programs and processes that might use the system to breach network or system security. All Servers that provide access to the university network or Internet services must require user authentication in order to restrict access. Departments that operate publicly accessible computers connected to the university network must implement safeguards against network abuse appropriate to the network access available to users of those systems. 

   2. Information Security: Information that is considered restricted, protected, or confidential must not be publicly accessible. System administrators are responsible for reasonably securing these systems so as to reduce the threat to the university as a whole.

4. Reporting Security Violations: Due to the interconnections provided by MC’s university network, a security violation on one machine can threaten security of other systems on the network. Accordingly, any suspected instances of security violations must be reported immediately to the Computer Services Help Desk at (601) 925-3939 or at support@mc.edu.​​​​​​​

Approved by the Information Technology Committee, October 13, 2016