
Information Security Plan

Introduction

In today's digital age, safeguarding sensitive information is paramount. Yosemite Community College District (YCCD) is committed to protecting the personal and financial information of its students and employees. This Information Security Plan outlines the measures YCCD is implementing to comply with the Gramm-Leach-Bliley Act (GLBA) and ensure the security of sensitive data.
 

Gramm-Leach-Bliley Act (GLBA) Overview

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires financial institutions to protect the privacy and security of customer information. Higher education institutions that participate in federal student financial aid programs are treated as financial institutions for this purpose. The GLBA comprises three main components: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions. These rules require institutions to explain their information-sharing practices, develop a comprehensive information security program, and protect against unauthorized access to sensitive data.
 

How GLBA Relates to YCCD

As a higher education institution, YCCD collects, stores, and processes a significant amount of personally identifiable information (PII) and nonpublic personal information (NPI) about students and employees. Compliance with the GLBA requires YCCD to maintain the confidentiality, integrity, and availability of this sensitive information.
 

Which GLBA Provisions Apply and Do Not Apply to YCCD

The GLBA provisions that apply to YCCD include the Safeguards Rule, which requires the implementation of an information security program, and the Financial Privacy Rule, which mandates transparency in information-sharing practices. The Pretexting Provisions, which protect against social engineering attacks, also apply. Provisions written specifically for banks and other traditional financial institutions do not directly apply to YCCD.
 

Security Plan

Overview

YCCD's Information Security Plan is designed to meet the requirements of the GLBA and protect sensitive information from unauthorized access, use, or disclosure. The plan includes specific measures and protocols to ensure compliance and enhance the overall security posture of the institution.
 

Qualified Individual

The Director of Information Security is designated as the Qualified Individual responsible for overseeing, implementing, and enforcing the information security program.
 

Reporting

The Director of Information Security will submit a written report to the Board of Trustees at least once each fiscal year. This report will detail the status of the information security program, identified risks, and mitigation efforts.
 

Risk Assessment

Each department within Information Technology will conduct a written risk assessment, with assistance from Information Security, twice a year. These risks will be evaluated and compiled into a final risk assessment for the district as a whole. The final risk assessment will include:
  • How YCCD will categorize and evaluate risks it faces
  • The criteria for assessing the confidentiality, integrity, and availability of customer information in information systems
  • The adequacy of existing controls as they relate to the risks identified
  • How identified risks will be mitigated or accepted based on the risk assessment
  • How the information security program will address the risks
The risk assessment will cover risks related to:
  • Customer, student, or employee PII or NPI
  • Information systems, including software and hardware used in the storage, access, and transmission of sensitive information
  • Employee behavior and security awareness, with additional emphasis on those encountering sensitive information
  • Any in-house developed code

Monitoring and Testing

  • Information Security will run a penetration test at least annually, using either in-house staff or a contracted third-party cybersecurity vendor. Additionally, comprehensive vulnerability assessments will be conducted at least twice a year and after any significant change to any system.

Safeguards and Controls

The information security program will undergo review and adjustment at least once every fiscal year based on information gathered during risk assessments, emerging threats, or industry best practices to:

  • Authenticate and permit access only to authorized users.
  • Prevent the unauthorized access or dissemination of staff or student information.
  • Limit user access to staff or student information following the Principle of Least Privilege.
  • Identify and manage the data, personnel, devices, systems, and facilities considered "mission critical."
  • Encrypt all customer information at rest and in transit, except where infeasible.
    • NOTE: Where encryption is deemed infeasible, the Director of Information Security must approve adequate compensating controls.
  • Adopt and update secure development practices for in-house developed applications that interact with or store staff or student information.
  • Implement multi-factor authentication for any individual accessing any information system.
  • Ensure staff and student data is retained only for the minimum period required by law or by a documented business need.
  • Develop, implement, and maintain procedures for the secure disposal of information that is past its retention period. For financial information protected under GLBA, disposal must occur no later than two years after the last transaction involving this data, unless the information is still needed for a legitimate business purpose or its retention is required by law.
  • Improve or update the district's change management processes.
  • Adopt or improve policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access or modification of staff or student data by such users.

Policies and Procedures

  • All permanent, temporary, and contract staff must undergo information security awareness training at least every fiscal year.
  • Users with access to sensitive data will undergo additional training for handling confidential information at least once every fiscal year.
  • Users with administrative access in any system will complete specialized cybersecurity training at least once every fiscal year.
  • At the discretion of the Director of Information Security, additional training may be required for Information Security Department personnel and for certain Information Technology personnel involved in managing the information security program.
  • Information security/cybersecurity training will be required before access to related systems/functions is granted.

Incident Response

The Director of Information Security is responsible for maintaining and updating the district's Incident Response Plan. This plan includes actions to be taken during and after an incident, and procedures to follow should an incident require notifying the Federal Trade Commission. Under the Safeguards Rule, the FTC must be notified as soon as possible, and no later than 30 days after discovery, of any notification event involving the unencrypted customer information of at least 500 consumers.

Service Providers and Contracts

  • All vendors with access to YCCD systems will undergo a risk assessment to determine their risk level before formal selection.
  • Vendors will undergo reevaluation at renewal to monitor changes in their risk level.
  • YCCD will ensure that contracts with covered vendors include provisions sufficiently covering data security.

Evaluation and Revision of the Information Security Program

The Vice Chancellor of Information Technology and Institutional Research and the Director of Information Security will review the district's Information Security staffing and knowledge levels, along with current cybersecurity trends, on an annual basis and make adjustments as necessary.

By adhering to these guidelines, YCCD demonstrates its commitment to protecting sensitive information and maintaining compliance with the Gramm-Leach-Bliley Act.