Safeguarding Customers' Information

Imperial Community College District (IVC) takes very seriously the responsibility of safeguarding its customers' information. We appreciate and protect the privacy of our students, faculty, staff, and other third parties. As such, IVC has been establishing an Information Security Program to ensure and protect all confidential information.

The foundation of the Information Security Program is the Information Protection Operation Procedure document that went through the governance process and was approved by the Technology Planning Committee is December of 2018. The Information Protection Procedures document is supported by the Information Technology Department Policies, Procedures and Processes manual. The overall goal for the program is to:

• Meet regulatory compliance
• Restrict access to personal information to only those who need it to conduct their work.
• Put safeguards in place to prevent unauthorized access to personal information.
• Ensure appropriate employee training
• Detect, prevent, and remediate attacks, intrusions, or other information security risks.

In accordance with GLBA Safeguards Rule, IVC's information security program incorporates the following objectives:

• Designate an information security officer and related oversight responsibilities for the institution's security.
• Assess the risks to confidential information, assess the level of mitigating controls in place, and identify action plans to accept or further mitigate remaining risks.
• Implement an information security program, including various technical and physical underlying controls, such as data encryption and secure shredding processes.
• Oversee vendor relationships to ensure confidential data are secured at their locations when applicable and access is controlled when vendors connect to the institution.
• Perform an ongoing evaluation of their program to keep content current with an ever-evolving security environment.

Imperial Community College District's Chief Technology Officer is the designated information security program coordinator (ISPC). The ISPC reports to and takes guidance from the Technology Planning Committee and the President's Cabinet.

The ISPC, on a yearly basis, contracts with a third-party vendor to conduct a cyber security audit to identify and assess likely external and internal risks to the security, confidentiality, and integrity of protected information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. This audit is based on the Cyber Security Framework from the National Institute of Standards and Technology (NIST).

The audit looks at IVC's security program holistically, reviewing the policies and procedures, auditing the electronic system and security measures that have been implemented, testing the physical securities that are in place, and testing the end user cyber security knowledge through email phishing campaigns. At a minimum, the audit includes consideration of risks in each relevant area of IVC operations, including:

• Foundational policies, procedures and practices
Cybersecurity practices that provide the foundation for how the business aligns with cyber security, such as a cybersecurity governance program containing the policies and procedures allowing the organization to maintain adherence to legal and regulatory requirements.
• Employee training and management
Consider the effectiveness of current employee training and management procedures relating to the access and use of covered information.
• Information systems, information processing, and disposal
Controls and safeguards to protect or deter a cybersecurity threat from materializing, such as data at rest, in motion and in use is protected.
• Detecting, preventing, and responding to attacks and system failures
Continuous monitoring to provide proactive and real-time alerting of cybersecurity-related events, such as detection processes and procedures which includes periodic testing to validate awareness and unusual incidents.
• Ability to respond and recover
Response activities which are executed during a cybersecurity incident and Incident Response Plans/Business Continuity Plans which allow you to recover services impacted by a cyber breach.

The Information Security Program is built on the assumption that over time a program will lose its' effectiveness and eventually will fail if it is not continually reviewed and updated. As such we use the yearly audit as an opportunity to review the program and adjust it to reflect changing college business, measurements of program effectiveness, and lessons learned from the implementation of security safeguards.