Information Technology

Information Security Policy

Introduction

Reed College is committed to protecting the confidentiality, integrity, and availability of all information assets, including, but not limited to: student records; faculty, administrative, and employee data; research materials; and financial information. This Information Security Policy outlines the framework for establishing and maintaining a secure environment to support Reed's mission, comply with legal and regulatory requirements, and minimize risks associated with information security threats.

Policy Objectives

The objectives of this policy are to:

  • Protect the confidentiality of sensitive information.
  • Maintain the integrity of information to ensure its accuracy and reliability.
  • Ensure the availability of information and systems to support Reed's operations.
  • Comply with relevant laws, regulations, and contractual obligations (e.g., FERPA, GDPR, PCI DSS).
  • Establish clear roles and responsibilities for information security.
  • Provide a framework for identifying, assessing, and managing information security risks.
  • Ensure timely and effective response to security incidents.
  • Promote security awareness and best practices among the Reed community.

Scope

This policy applies to all members of the college community. This includes faculty, staff, students, visitors, affiliates, and contractors, as well as any individual or entity accessing Reed's information assets, regardless of their location or the device they use.

Definitions

  • Information Asset: Any data, system, device, or resource used to create, store, process, or transmit information.
  • Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  • Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
  • Availability: Ensuring timely and reliable access to and use of information.
  • Security Incident: Any event that compromises the confidentiality, integrity, or availability of information.
  • Data Owner: An individual responsible for a specific set of data.
  • User: Anyone who accesses Reed's information assets.

Governance and Responsibilities

  • Information Technology (IT) Leadership: Provides overall direction and support for information security, policies, and resources.
  • Chief Information Security Officer (CISO): Responsible for developing, implementing, and maintaining the Information Security Program; monitoring compliance; managing security incidents; and providing security awareness training.
  • IT Department: Responsible for implementing and maintaining technical security controls, managing network infrastructure, and providing technical support.
  • Data Owners: Individuals responsible for specific data sets (e.g., Registrar for student records, Controller for financial data). They determine access rights and ensure data is handled appropriately.
  • All Users: Responsible for adhering to this policy, protecting their credentials, using Reed resources responsibly, and reporting security incidents.

Information Classification

Information shall be classified based on its sensitivity, value, and legal/regulatory requirements. The following classification levels are examples and should be adapted as necessary:

  • Low: Information that poses low to no risk to individuals or the college.
  • Moderate: Unauthorized access or use poses a moderate risk of damage to the individual and/or the college.
  • High: Access and use is restricted by laws, regulations, contractual agreements, or college policy. Unauthorized access or use may have serious legal and financial consequences, as well as damage to reputation.
  • Restricted: Access and use is subject to special regulatory requirements. Unauthorized access has significant legal or financial consequences and may result in mandatory notification, credit monitoring services, or other obligatory measures. Systems may be in place to log and audit access.

Data Security and Handling

  • Data Storage: All data shall be stored securely using appropriate physical and logical controls to prevent unauthorized access, loss, or damage. These controls may include data encryption at rest to comply with legal and regulatory mandates such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR).
  • Data Transmission: Sensitive data shall be encrypted during transmission over networks, including email and wireless connections.
  • Data Backup and Recovery: Regular backups of critical data shall be performed and stored securely to ensure business continuity and disaster recovery.
  • Data Disposal: Data shall be disposed of securely to prevent unauthorized disclosure. Electronic data should be securely wiped, and paper documents should be shredded.
  • Data Retention: Data shall be retained only as long as necessary to meet legal, regulatory, and College requirements. Data should be handled in such a way as to ensure its accuracy, confidentiality, and integrity.

Network Security

  • Network Infrastructure: Reed's network infrastructure, including wired and wireless networks, shall be protected by firewalls, intrusion detection/prevention systems, and other appropriate security measures.
  • Wireless Security: Wireless networks shall use secure protocols (e.g., WPA2) and access controls.
  • Remote Access: Remote access to Reed systems must use a VPN client or other secure technology that has been explicitly approved by the IT department.
  • Network Monitoring: Network activity shall be continuously monitored, with alerting on security threats, to enable timely detection and response, except during pre-approved maintenance or update windows.

System Security

  • Hardware and Software: All Reed-owned hardware and software shall be properly configured, maintained, actively supported, and patched to address security vulnerabilities. The use of end-of-support (EOS) or unsupported systems is prohibited without formal exception and compensating controls.
  • Antivirus and Malware Protection: All Reed systems shall be protected with up-to-date antivirus and anti-malware software where feasible.
  • Patch Management: Security patches for operating systems and applications shall be applied promptly to minimize the risk of exploitation.
  • Configuration Management: System configurations shall be documented and managed to ensure consistency and security.
  • Mobile Device Security: Reed-owned mobile devices should be managed by an approved Mobile Device Management (MDM) solution and comply with best-practice security standards, including password protection, encryption (where applicable), and remote wipe capability.

Physical Security

  • Facility Access: Access to College facilities, particularly areas housing IT infrastructure and sensitive data, shall be controlled through appropriate measures (e.g., key cards, locks, surveillance).
  • Equipment Security: Reed-owned equipment containing Reed data shall be protected from theft or damage where feasible.
  • Visitor Management: Visitor access to secure IT infrastructure areas, such as data centers, shall be controlled and monitored.

Logging

  • Logging Requirements: Reed shall maintain comprehensive logs of system and network activity to:
    • Detect and investigate security incidents.
    • Monitor system usage and performance.
    • Support compliance with legal and regulatory requirements.
  • Log Data: Logs shall include, but are not limited to:
    • User authentication attempts (successful and failed).
    • Access to resources and data.
    • System events and errors.
    • Network traffic.
    • Security alerts.
  • Log Storage and Retention: Logs shall be stored securely and retained for a minimum of 90 days to comply with legal, regulatory, and operational requirements.
  • Log Monitoring and Analysis: IT data logs shall be regularly monitored and analyzed by IT personnel or by IT automated alerting systems to identify suspicious activity and potential security incidents.
  • Log Access: Access to log data shall be restricted to authorized personnel.

Vulnerability Management

  • Vulnerability Management Program: Reed shall implement a Vulnerability Management Program to identify, assess, and remediate security vulnerabilities in a timely manner.
  • Vulnerability Scanning: Regular vulnerability scans shall be conducted on systems and networks to identify potential weaknesses.
  • Vulnerability Assessment: Identified vulnerabilities shall be assessed to determine their potential impact and risk to the College.
  • Vulnerability Remediation: Vulnerabilities shall be remediated in accordance with a risk-based approach. Critical vulnerabilities shall be addressed with the highest priority.
  • Patch Management: Reed shall maintain a patch management process to ensure that systems are updated with the latest security patches.
  • Penetration Testing: Periodic penetration testing may be conducted to simulate real-world attacks, assess the effectiveness of security controls, and meet internal and external compliance requirements.

Incident Response

  • Incident Response Plan: Reed shall maintain an Incident Response Plan to address security incidents in a timely and effective manner and to ensure compliance requirements are met.
  • Incident Reporting: Reed employees are required to report any suspected security incidents to the CISO or IT Department immediately.
  • Incident Handling: Security incidents shall be investigated, contained, and remediated in accordance with the Incident Response Plan.
  • Post-Incident Review: Following a significant security incident, a post-incident review shall be conducted to identify the root cause, assess the effectiveness of the response, and implement measures to prevent recurrence.

Security Awareness and Training

  • Security Awareness Program: Reed shall provide ongoing security awareness training to all users to promote understanding of security risks and best practices.
  • Training Content: Training shall cover topics such as password security, phishing awareness, data handling, and incident reporting.
  • Training Frequency: Security awareness training shall be provided to new users and periodically thereafter.

Compliance

  • Policy Compliance: Compliance with this Information Security Policy is required for all users outlined in the scope.
  • Policy Review: This policy shall be reviewed and updated periodically to reflect changes in technology, threats, and legal/regulatory requirements.
  • Non-Compliance: Violations of this policy may result in disciplinary actions in accordance with Reed’s misconduct and disciplinary processes, up to and including termination of employment or expulsion for students, and legal action where applicable.
  • Audits: Periodic security audits may be conducted to assess compliance with this policy and the effectiveness of security controls.

Policy Exceptions

Any exceptions to this policy must be approved by the Chief Information Security Officer and IT Leadership.