4.23 Written Information Security Program

Overview

Description: In advancement of the Chief Information Officer’s operational responsibilities and in accordance with federal, state, local and international laws relevant to information privacy and security, this administrative regulation describes the role-based responsibilities and activities associated with implementation of the Maricopa County Community College District (“MCCCD”) program for protecting the confidentiality, integrity, security and availability of records, data applications, and/or systems containing Confidential Information[1] (the “Written Information Security Program” or “WISP”).[2]

Applicability: Information Security is everyone’s responsibility. All MCCCD Personnel and Persons of Interest (“POIs”) with access to MCCCD Confidential Information, whether through use of online technology resources[3] or otherwise, are covered by this administrative regulation.  All Personnel and POIs must complete training on the information security administrative regulations and information security awareness training annually, certify their attendance at each training session, and certify their familiarity with MCCCD’s requirements for protecting Confidential Information in compliance with the WISP. MCCCD students are expected to know and comply with all current published policies, rules and regulations as stated in the college catalog, class schedule, and/or student handbook.[4]

Failure to Comply: Failure to comply with this administrative regulation may result in disciplinary actions up to and including dismissal from employment and termination of service at MCCCD. Legal actions, including, but not limited to the application of civil and criminal penalties, may also be taken for violations of applicable regulations and/or laws.

MCCCD recognizes that laws and regulations involving security of Confidential Information are continuously evolving.  In this context, to the extent that applicable data privacy laws or regulations conflict with the procedures outlined in the Information Security Incident Response Plan, the applicable laws or regulations govern and override the Information Security Incident Response Plan.  Notify the Chief Privacy Officer immediately of applicable law or regulations that appear to conflict with the Information Security Incident Response Plan.

Information Security is everyone’s responsibility. Listed below are some of the crucial roles and responsibilities associated with implementation of the WISP: 

Role
General WISP Responsibilities

All
Report Security Incidents by exclusively contacting the Chief Privacy Officer at protect.privacy@maricopa.edu, without communicating with anyone else beforehand.

Chief Information Officer
Issue Governance Directives as needed to regulate use of IT resources and protection of Confidential Information.

Chief Information Security Officer
1.) Implement the WISP.

2.) Regularly test the WISP’s safeguards.

3.) Facilitate compliance with regulatory requirements in coordination with MCCCD IT and Legal personnel.[4]

4.) Evaluate the ability of relevant MCCCD Personnel and POIs to implement and maintain appropriate security measures for the Confidential Information to which MCCCD has permitted access, and require such individuals to implement and maintain appropriate security measures.

5.) Review the WISP, in collaboration with the Information Security Incident Response Team (“IRT”), at least annually and whenever there is a material change in MCCCD’s business practices that may implicate the confidentiality, integrity, security and/or availability of MCCCD Confidential Information.[5]

Chief Privacy Officer
1.) Obtain details about the situation from the individual(s) who report actual or suspected Security Incidents.

2.) Coordinate with the IRT to take any additional actions that may be appropriate.

Incident Response Team
As noted in Administrative Regulation 4.24 Information Security Incident Response Plan.

Office of Information Technology Services
1.) Configure network devices to prevent possible electronic breaches.

2.) Configure intrusion detection and file integrity monitoring systems to continually track activity and identify possible electronic intrusions.

Role
Training, Awareness and Compliance Responsibilities[6]

Chief Information Security Officer
1.) In conjunction with the Chief Privacy Officer, conduct annual Information Security Awareness training that includes all MCCCD Personnel and POIs and those employed by others to perform MCCCD work who regularly use and/or have access to Confidential Information; and

2.) In conjunction with the Chief Privacy Officer, conduct annual Information Security Awareness training that includes MCCCD personnel and those employed by others to perform MCCCD work who do not regularly use and/or have access to Confidential Information.

Chief Privacy Officer
1.) In conjunction with the Chief Information Security Officer, conduct annual Information Security Awareness training that includes all MCCCD Personnel and POIs and those employed by others to perform MCCCD work who regularly use and/or have access to Confidential Information;

2.) In conjunction with the Chief Information Security Officer, conduct annual Information Security Awareness training that includes MCCCD personnel and those employed by others to perform MCCCD work who do not regularly use and/or have access to Confidential Information; and

3.) Maintain accurate records pertaining to all in-person training activities.

Human Resources Division
In collaboration with the Office of Information Technology Services and the Chief Privacy Officer, provide training to all Personnel and POIs via an online training course on the information security administrative regulations and information security awareness every year, and additional training as warranted.

Office of General Counsel (Legal)
In coordination with Human Resources Division and Office of Information Technology Services, generate reports to meet litigation and regulatory requests.

Office of Information Technology Services
In collaboration with the Human Resources Division and Chief Privacy Officer, provide training to all Personnel and POIs via an online training course on the information security administrative regulations and information security awareness every year, and additional training as warranted.

Personnel and POIs
1.) Complete training on the information security administrative regulations and information security awareness annually, certify attendance at each training session, and certify familiarity with MCCCD’s requirements for protecting Information in compliance with the WISP.[7]

2.) Maintain the confidentiality, integrity, security and availability of MCCCD Confidential Information in compliance with the WISP.[8]

3.) Comply with MCCCD Administrative Regulation 4.4 Technology Resource Standards, including, but not limited to, the acceptable computer use provisions described therein.[9]

Role
Internal Risk Mitigation Responsibilities[10]

Chief Information Security Officer
Review and reevaluate, in collaboration with the Chief Privacy Officer, information security measures annually or whenever there is a material change in MCCCD’s business practices that may reasonably implicate the security or integrity of records containing Confidential Information.

Chief Privacy Officer
Review and reevaluate, in collaboration with the Chief Information Security Officer, information security measures annually or whenever there is a material change in MCCCD’s business practices that may reasonably implicate the security or integrity of records containing Confidential Information.

Human Resources Division
1) Obtain acknowledgement, via the completion of the required online training course, that all Personnel and POIs have received a copy of the WISP and will abide by its provisions.

2) Require that Human Resource departments or responsible parties at all MCCCD sites work with the Office of Information Technology Services and Chief Privacy Officer to establish exit processes that require Personnel and POIs who cease employment/contract service with MCCCD (“Separated Individuals”) to (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Management through enforcement of Administrative Regulations
1) Require that Personnel and POIs immediately report any suspicious or unauthorized use of Confidential Information to the Chief Privacy Officer who coordinates with the IRT to appropriately respond.

2) Require that Personnel and POIs who violate the WISP may be disciplined according to the severity of the violation, regardless of whether Confidential Information was accessed or used without authorization.

Office of General Counsel (Legal)
1) Require that all employment and consulting agreements contain provisions that (1) require all Personnel and POIs to receive training and acknowledge, sign and comply with the provisions of the WISP, and (2) prohibit any nonconforming use of Confidential Information during or after employment.

2) Authorize in writing any and all exceptions to internal risk mitigation responsibilities.

Office of Information Technology Services
At the direction of the appropriate manager and Chief Privacy Officer, revoke Separated Individuals’ physical, electronic, and remote electronic use of and/or access to Confidential Information.

Personnel and POIs
1) Cooperate with efforts underway to limit the amount of Confidential Information collected or stored to that amount reasonably necessary to accomplish MCCCD’s legitimate business purposes or as required by law.

2) Limit use of and/or access to records, data applications, and/or systems containing Confidential Information to those persons who have a legitimate business purpose for such use and/or access.

3) Permit use of and/or access to MCCCD’s Confidential Information by only authorized individual(s) for legitimate business reasons.

4) Do not store Confidential Information on personally owned Portable Devices.

5) Periodically change passwords and conform to MCCCD’s password standards.

6) Do not manipulate or disregard security measures that have been put in place to protect Confidential Information, including, but not limited to, access controls, cameras and secure storage for card and device inventory, as well as tracking and monitoring of individuals' use of and/or access to Confidential Information.

7) Secure Confidential Information in a manner that is consistent with the WISP’s rules for protecting information security of any files and other records containing Confidential Information.

8) Securely dispose of physical and electronic records containing Confidential Information at the earliest opportunity consistent with business needs and records retention requirements[11] in the following manner:

a) Physical documents containing Confidential Information are redacted, burned, pulverized, cross-cut shredded, or otherwise securely erased so that Confidential Information cannot practicably be read or reconstructed; and

b) Electronic media and other non-physical media containing Confidential Information are destroyed or otherwise securely erased so that such information cannot practicably be read or reconstructed.

9) Upon ceasing employment/contractual service with MCCCD, (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Role
External Risk Mitigation Responsibilities[12]

Human Resources Division
1.) Obtain acknowledgement, via the completion of the required online training course, that all Personnel and POIs have received a copy of the WISP and will abide by its provisions.

2.) Require that Human Resource departments or responsible parties at all MCCCD sites work with the Office of Information Technology Services and the Chief Privacy Officer to establish exit processes which require Personnel and POIs who cease employment with MCCCD (“Separated Individuals”) to (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Management through enforcement of Administrative Regulations
1.) Require that Personnel and POIs immediately report any suspicious or unauthorized use of Confidential Information to the Privacy Officer who coordinates with the Information Security Incident Response Team to appropriately respond.

2.) Require that Personnel and POIs who violate the WISP may be disciplined according to the severity of the violation, regardless of whether Confidential Information was accessed or used without authorization.

Office of General Counsel (Legal)
1.) Require that all employment and consulting agreements contain provisions that (1) require all POIs to acknowledge, sign and comply with the provisions of the WISP, and (2) prohibit any nonconforming use of Confidential Information during or after employment.

2.) Authorize in writing any and all exceptions to external risk mitigation responsibilities.

3.) Provide legal advice to the Chief Information Officer, Chief Information Security Officer, Chief Privacy Officer, Human Resources Division and Management as needed in connection with any and all aspects of WISP compliance.

Office of Information Technology Services
At the direction of the appropriate manager, revoke Separated Individuals’ physical, electronic, and remote electronic use of and/or access to Confidential Information.

Personnel and POIs
1.) Prohibit removal of Confidential Information from the MCCCD business premises (whether owned, leased, rented or otherwise utilized by MCCCD) in electronic or written form absent (i) an approved, legitimate business need and (ii) use of reasonable security measures, as described in this WISP.

2.) Encrypt or deliver by an alternative, more secure method all records and files containing Confidential Information that are transmitted wirelessly or across public networks.

3.) Protect all passwords. Keep passwords in a location and format that are secure.

4.) Contact the Chief Privacy Officer at protect.privacy@maricopa.edu to ensure evaluation of all vendors, subcontractors and third-party products in advance of any work or purchase.

5.) Require that all vendors, subcontractors and third-party products be evaluated in advance of any work or purchase.

6.) Upon ceasing employment with MCCCD, (1) return all records, data applications and/or systems, in any form, including, but not limited to, information stored on laptops or other Portable Devices or media, and in files, records, and work papers, and (2) surrender all keys, identification cards, and all other means of using and/or accessing MCCCD’s premises and/or information.

Definitions: As used in this administrative regulation, the following terms have the respective meanings set forth below: 

ARS: Arizona Revised Statutes; the statutory laws that govern the state of Arizona as formally enacted in writing by the Arizona State Legislature, such as the Arizona law that requires businesses, including, but not limited to, colleges and universities, to provide consumer notification of data breaches involving personally identifiable information.  Pursuant to ARS § 44-7501, “personally identifiable information (PII) (a) Means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable: (1) The individual's social security number; (2) The individual's number on a driver license issued pursuant to ARS § 28-3166 or number on a nonoperating identification license issued pursuant to ARS § 28-3165; or (3) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.”  PII does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

FERPA: Family Educational Rights and Privacy Act; a federal law that protects the privacy of student education records. "Education records" are "those records, files, documents, and other materials which 1) contain information directly related to a student; and 2) are maintained by an educational institution.” (20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3). FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

GLBA aka Financial Services Modernization Act of 1999: Gramm–Leach–Bliley Act; an Act that requires “financial institutions,” including, but not limited to, colleges and universities, to protect the privacy of their customers, including information that customers provide to a financial institution that would not be available publicly (“personally identifiable financial information (PIFI)”).[13]  MCCCD, therefore, has a responsibility to secure the personal records of its students and employees.  To ensure this protection, GLBA mandates that all financial institutions establish appropriate administrative, technical and physical safeguards.  GLBA also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement, because they already do so under FERPA.  Colleges and universities complying with FERPA are considered to be in compliance with GLBA.

HIPAA: Health Insurance Portability and Accountability Act of 1996; an Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

HIPAA Privacy Rule aka Privacy Rule: A statute that (1) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically, (2) requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and (3) gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.  The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.  The Privacy Rule calls this information “protected health information (PHI).” (45 CFR § 160.103). “Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Ibid.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, social security number). 

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. 

Information Security Incident Response Team (IRT): The internal ad hoc team of professionals that is convened to provide incident handling services to MCCCD during an ongoing information security event and to respond to an information security incident when the need arises. 

Payment Card Industry Data Security Standard (PCI DSS): Payment Card Industry Data Security Standard; a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machine (ATM), and point-of-sale (POS/ePOS) cards.  “Payment card information” is any personally identifiable information associated with a cardholder, such as the cardholder’s account number, account expiration date, name, address, or social security number.  All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered payment card information. 

Personnel: All full-time, part-time and temporary employees and faculty who work for the MCCCD organization.

POI: Person(s) of Interest; individuals such as the following who are not considered part of the MCCCD workforce but who are still of interest to the organization:

Person of interest category: Definition

Dual enrollment instructor: Individuals who teach college-level courses to high school students and are not compensated by MCCCD

Consultant: Individuals who are hired to do specialized work for MCCCD and are paid by outside sources

Agency temporary employee: Temporary agency employees who come to work for MCCCD and are paid by the temporary agency

Retired employee: Retired employees who continue a relationship with MCCCD are changed from Employee status to Person of Interest status

Call center or contract employee: Employees who provide support for some of our systems and are paid by the contracted company

Unpaid intern: An individual who is completing an internship at MCCCD for credit in their degree program

Volunteer: An individual who is working at MCCCD on a volunteer basis

Vendor (e.g., Follett bookstores, Chartwells dining services, Aramark facilities services): Members of organizations that provide services to MCCCD employees and students

ESS Educational Services (e.g., hospitals providing adjuncts for nursing program and/or Fire Science/EMT department): Members of organizations that have contractual relationships with MCCCD for specialized programs

Portable Devices: Examples of portable devices include, but are not limited to, CDs, DVDs, eReaders, external hard drives, Google Glasses, laptops, memory sticks, smart phones, tablets, thumb drives, and USB drives. 

Security Incident: The unauthorized access to and/or misappropriation of Confidential Information. 

Confidential Information: Information that is so deemed under applicable law.  Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Confidential Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

Separated Individuals:  Personnel and POIs who cease employment with MCCCD.

Technology Resources: MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources:  Websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information. 

Reference(s):

MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code

MCCCD Administrative Regulation 4.4 Technology Resource Standards

MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan

MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting

MCCCD Administrative Regulation 6.17 Requests for Public Information 

Records Retention and Disposition Schedules for Arizona Community Colleges and Districts are located at: Employee Portal [Employee credentials are needed to enter secure site].

Contact(s): 

Pursuant to MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting, anyone who notices that a MCCCD technology resource(s) is currently being or may have been used in an inappropriate fashion should contact the Chief Privacy Officer via email at protect.privacy@maricopa.edu.  

Pursuant to MCCCD Administrative Regulation 6.11 Identity Theft Red Flag and Security Incident Reporting: (1) anyone, including, but not limited to, any MCCCD Personnel and POIs, who notices and/or suspects that MCCCD Confidential Information may currently be or may have been exposed to someone without authorization should immediately contact the Chief Privacy Officer at protect.privacy@maricopa.edu,  and (2) the Chief Privacy Officer is designated as the exclusive recipient of reports of this nature.   The Chief Privacy Officer is responsible for obtaining details about the situation from the individual(s) and coordinating with the IRT to take any additional actions that the IRT deems necessary.  Responsibilities of the IRT are described in MCCCD Administrative Regulation 4.24 Information Security Incident Response Plan.   

MCCCD, in consultation with legal counsel, is responsible for completing the analysis necessary to determine whether a breach has indeed happened.  Deciding whether a breach of Confidential Information has happened is a complex technical and legal determination that involves detailed analysis.  Neither MCCCD Personnel, POIs, nor students should postpone notification of the Privacy Officer until a breach determination has been made.  Instead, MCCCD encourages anyone to report their hunch or suspicion, since MCCCD counts on everyone to share the responsibility for keeping information secure.

Please email governance@domail.maricopa.edu with any questions and concerns about the MCCCD administrative regulations.  

Please email protect.privacy@maricopa.edu with any legal questions and/or to arrange for the evaluation of any vendors, subcontractors and/or third-party products in advance of any work or purchase. 

Annual Renewal by Direct Chancellor Approval: July 11, 2017

Amended by Direct Chancellor Approval: January 5, 2016

Amended by Direct Chancellor Approval: November 12, 2014

Adopted by Direct Chancellor Approval: June 9, 2014

[1] Confidential Information is information that is so deemed under applicable law.  Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information and payment card information are examples of Confidential Information covered under the Arizona Revised Statutes (ARS), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.

[2] This Administrative Regulation supersedes and expressly replaces Administrative Regulation 2.5.6 and Appendix S-11 such that Administrative Regulation 2.5.6 and Appendix S-11 are hereby repealed and no longer effective.

[3] MCCCD Administrative Regulation 4.4 Technology Resource Standards provides the following examples of technology resources:  Websites, applications (such as, but not limited to, MCCCD’s Instructure/Canvas-based Course Management System and RioLearn Learning Management System), desktop and laptop systems, printers, central computing facilities, MCCCD-wide or college-wide networks, local-area networks, telephones, facsimile machines, scanners, access to the Internet, electronic mail and similar electronic devices and information. 

[4] See, for example, MCCCD Administrative Regulations 2.1 General Regulation, 2.5.1 Disciplinary Standards, and 2.5.2 Student Conduct Code.  A copy of the WISP, for example, will be made available to all MCCCD students, Personnel and POIs.

[5] The WISP will be reviewed and adjusted, where necessary, to maintain compliance with all applicable regulations, laws and contractual obligations and to gain increasing insight into (1) reasonably foreseeable internal and external risks to the security and confidentiality of any electronic, paper, or other records containing MCCCD Confidential Information; (2) the likelihood and potential damage to MCCCD from such threats; (3) the sufficiency of existing MCCCD administrative regulations, procedures, information systems, and other safeguards in place to control risks to information security at MCCCD, and (4) methods for regularly monitoring and strengthening the effectiveness of those safeguards.

[6] All communications concerning information security and privacy must be approved by the Chief Information Security Officer and Chief Privacy Officer prior to publication. 

[7] New Personnel and POIs must complete training within thirty (30) days of the start of their employment/contractual service at MCCCD.

[8] To the extent relevant, this responsibility also applies to all MCCCD students.

[9] This responsibility applies to all individuals granted use of and/or access to MCCCD online technology resources.

[10] Any exception must be authorized in writing by General Counsel.

[11] See, Records Retention and Disposition Schedules for Arizona Community Colleges and Districts located at: Employee Portal [Employee credentials are needed to enter secure site].

[12] Any exception must be authorized in writing by General Counsel.

[13] Also, See, 17 CFR 160.3 [Title 17 Commodity and Securities Exchanges; Chapter I Commodity Futures Trading Commission; Part 160 Privacy of Consumer Financial Information], for a related definition of PIFI and whereby some GLBA requirements with respect to futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers.