This Information Security Plan describes Nevada State College’s safeguards to protect Sensitive Information in compliance with institutional, state, and federal guidelines. These safeguards are provided to:
- Protect the security and confidentiality of Sensitive Information;
- Protect against anticipated threats or hazards to the security or integrity of Sensitive Information;
- Protect against unauthorized access to or use of Sensitive Information that could result in substantial harm or inconvenience to any student, employee, or customer.
The purpose of this plan is to:
- Identify the risks that may threaten Sensitive Information maintained by Nevada State College;
- Designate individual(s) responsible for coordinating the plan;
- Establish and maintain a safeguards program;
- Establish and maintain an incident response plan;
- Adjust the plan to reflect changes in technology, sensitive information, or threats related to information security.
Data Owner: An individual, entity, or office that is authorized to collect, view, or manage the data.
Sensitive Information: Any information or data associated with an individual that is considered personal or confidential, including but not limited to Social Security Numbers, individually-identifiable health information, education records, non-public information, and data that is protected by Board policy, state, or federal law.
Third Party: Any individual or entity contracted by Nevada State College.
I. Identification of Risk to Sensitive Information
Nevada State College recognizes that it faces both internal and external risks regarding Sensitive Information. These risks include, but are not limited to:
- Unauthorized access to Sensitive Information by someone other than the Data Owner;
- Compromised system security, which can result in unauthorized access to Sensitive Information;
- Interception of Sensitive Information during transmission;
- Loss of data integrity;
- Physical loss of Sensitive Information in a disaster;
- Corruption of data or systems;
- Unauthorized access to Sensitive Information by employees;
- Unauthorized access to Sensitive Information through hardcopy files or reports;
- Unauthorized transfer of Sensitive Information through a Third Party.
II. Information Security Plan Coordinator
The appointed Information Security Officer, in cooperation with the Chief Information Security Officer at the Nevada System of Higher Education, is responsible for the implementation and maintenance of this policy.
III. Safeguards Program
A. Employee Management and Training: Upon selection for hire, background checks are conducted when deemed appropriate. During onboarding, each new employee who may handle or encounter Sensitive Information shall receive information security training highlighting the importance of confidentiality and protecting Sensitive Information.
B. Physical Security: Nevada State College has addressed physical security of Sensitive Information by limiting access to only those employees who have a business reason to know such information and requiring acknowledgement of the requirement to keep Sensitive Information private.
C. Information Systems: Information systems housing Sensitive Information shall be secured behind network firewalls, physically accessible only to key personnel, electronically accessible only via controlled access, kept up to date with security patches, backed up on a routine basis, and shall transmit Sensitive Information in a secured manner such as via encrypted channels. Additionally, Nevada State College will maintain systems to prevent, detect, and respond to attacks or intrusions. This includes maintaining anti-virus protection, a network intrusion detection/alert system, and tools to secure systems in the event of a breach.
D. Selection of Service Providers: In the process of selecting a service provider that will maintain or regularly access Sensitive Information, the evaluation process shall include the ability of the service provider to safeguard such data. Contracts with service providers should also include the following provisions:
- A stipulation that the Sensitive Information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- An assurance from the contract partner that the partner will protect any Sensitive Information it receives.
IV. Incident Response Plan
Nevada State College shall maintain an incident response plan. Per the incident reporting and response procedures, all suspected information security incidents must be reported as quickly as possible to the Office of Information & Technology Services. This includes, but is not limited to, security breaches, unintended exposure of Sensitive Information, suspected viruses or malware, or unauthorized requests for login information or Sensitive Information.
V. Evaluation and Adjustment
This information security plan will be subject to periodic review and adjustment due to constantly changing technology and evolving risks. The plan coordinator will recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the definition of Sensitive Information, or internal/external threats to information security.