Establishing & Maintaining Information Security Program
Employee Training and Management in Information Security
Attending and passing an annual online curriculum of the IT Security awareness training program is mandatory for all full-time and part-time Standard College employees. Newly hired Standard College employees are required to complete the online training within thirty (30) days of their hire date. The requirement for an annual review shall be superseded by an incident or information indicating a need for immediate intervention and training of a specific Standard College employee or the entire staff. Additional topic-specific training may be required, based on role or the type of Client information to be accessed or used. These details are listed in IT-013_IT Security Awareness Training Policy and IT-002_SCN Acceptable Use Policy.
Information Systems, Including Network And Software Design, As Well As Information Processing, Storage, Transmission, And Disposal.
Access to restricted or confidential data is limited to those authorized Standard College employees who need it to perform official duties that require access to the information. The protected data is stored on a dedicated file location where the data is segregated, and access is restricted with no exceptions. The protected data may only be transmitted via encrypted email with special permission from the Standard College Management team. The sensitive customer data is encrypted at rest on all devices using methods described in IT-001_SCN Acceptable Encryption Policy. Data retention and deletion will follow the guidelines outlined in the Agreement executed between Standard College and students. All Standard College owned, maintained, and controlled computers, electronic devices, media, and electronic communications are capable of processing (e.g., storing or transmitting) electronic Standard College confidential data or Standard College's students' confidential data. All electronic data access is controlled as per IT-017-A_SCN Access Control Policy, and access to physical servers is locked as per IT-014_Server Room Access Policy.
Detecting, Preventing and Responding to Attacks, Intrusions, or other Systems Failure
Standard College will utilize Malwarebytes protection and Cisco Firewall protection to detect and notify the Standard College IT team of any attempted unauthorized access to Standard College's IT infrastructure. Malwarebytes agents are installed on critical file servers to monitor user activity on those servers. SCN has local and offsite backups to recover from a systems failure. Exposed data must be immediately reported verbally to IT following the IT-012-BC_Cyber Incident Response Standards and Procedure. All parties will be involved for any attacks as per IT-012-B-C_SCN Cyber Incident Response Standard and Procedure policy. All servers and devices are patched as per patching policy IT-021-A_SCN Patch Management Policy. A vulnerability scan is performed once a year as per IT-018_SCN Vulnerability Scan Policy.
Documented Safeguards for Identified Risks
All IT Security policies are stored at a secure network location, and safeguards for identified risks are documented in the same place.