Information Security Policy

Effective as of Feb 23, 2023 | Last updated on Mar 24, 2023


Who This Policy Applies To

Each faculty, staff, student, contractor, or affiliate of California College of the Arts with access to institutional data is subject to and has responsibilities under this policy.

Policy Statement

This policy governs management of devices, resources, and user access to equipment and systems owned or administered by the College that hold or process institutional data. The Institutional Data Policy defines and classifies three sensitivity levels (low, medium and high risk) to categorize institutional data. All sensitivity levels other than “low” may be described collectively as “non-public” data.

Principles

  • California College of the Arts is committed to ensuring that the security and confidentiality of institutional data is maintained at all times, and that institutional data is only accessed appropriately.
  • Users are individually responsible for any breaches that occur as a direct result of non-compliance.
  • Access to non-public institutional data may only be granted to Authorized Users on a need-to-know basis. The Data Steward of any non-public institutional data must approve and verify Authorized User access.
  • Users who access data for which they are not authorized and/or commit breaches of confidentiality may be subject to disciplinary action up to and including discharge, termination of contract/relationship, and/or liability to civil and criminal penalties.
  • Authorized Users will be provided training on the expectations, knowledge, and skills related to information security.
  • Authorized Users must maintain the confidentiality of all non-public institutional data even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.
  • Authorized Users are responsible for enforcing security controls whenever they place institutional data onto devices or services not managed by CCA.
  • All users’ access to CCA owned or managed digital and/or physical assets will comply with applicable standards, controls, and regulations (e.g., PCI-DSS, FERPA, HIPAA, GLBA, FISMA, ITAR, GDPR, etc.).
  • Non-compliance must be promptly reported to the Chief Information Officer.

Roles and Responsibilities for Information Security

Responsibility for California College of the Arts' comprehensive enterprise information security program is delegated to the groups and individuals as defined below.

Chief Information Officer (CIO)

The official responsible for approving and overseeing the enterprise information security program. The Chief Information Officer will:

  1. Be responsible for overseeing, implementing and enforcing the College’s information security program.
  2. Review and approve information security policies and standards.
  3. Oversee investigation and response to security incidents.
  4. Prepare and submit a written report on key aspects of the information security program to the Board of Trustees on an annual basis.
  5. Serve as liaison to the Senior Cabinet, Board of Trustees, Law Enforcement and Legal Services regarding the College’s information security program and security incidents.

Associate Vice President, Technology Services (AVP-TS)

The official responsible for directing implementation of the enterprise information security program. The Associate Vice President, Technology Services will:

  1. Coordinate the development and maintenance of information security policies and standards.
  2. Advise Data Stewards in classifying their data and recommend available controls as defined in the Institutional Data Policy.
  3. Ensure ongoing identification and remediation of network vulnerabilities.
  4. Investigate security incidents and coordinate their resolution.
  5. Serve as liaison and consultant to all units within the college regarding information security.

Technology Leadership Team

The Technology Leadership Team is composed of senior technology leaders appointed by the CIO, and who are responsible for providing technology services to the campus. Collectively, this team is responsible for governance and oversight of the enterprise information security program. The Technology Leadership Team will:

  1. Analyze and manage institutional risks.
  2. Assess the organization’s ability to monitor, prevent and respond to security incidents.
  3. Review and recommend policies, procedures, and standards.
  4. Ensure consistency in disciplinary processes for violation.
  5. Implement an information security awareness program.

Senior Security and Infrastructure Engineer

The individual responsible for managing vulnerability assessments and remediation activities. The Senior Security and Infrastructure Engineer will:

  1. Conduct and/or coordinate network vulnerability assessments on an ongoing basis.
  2. Coordinate with system administrators to remediate vulnerabilities identified.
  3. Keep leadership apprised of system vulnerabilities and progress toward remediation.
  4. Support security incident investigation and response activities as needed.

System Administrator

The individual who is responsible for an information system at CCA. While most system administrators work within Technology Services, some systems are managed by departmental units. In this scenario, the department-based system administrator acts as a liaison for timely and relevant information flow between Technology Services security staff and the unit.

The System Administrator will:

  1. Ensure security controls outlined in this policy are appropriately implemented in the systems they manage.
  2. Receive network alerts, outage notifications, vulnerability reports or other security issues regarding their systems, and coordinate with Technology Services as appropriate.
  3. Work toward remediation of vulnerabilities identified in information systems they manage.
  4. Periodically review user activity in the systems they manage for unauthorized access or tampering.
  5. Participate in investigation and response to security incidents impacting systems for which they are responsible, under the direction of Associate Vice President, Technology Services.

Authorized User

Individuals who have been granted access to information assets in the performance of their assigned duties are considered Authorized Users ("Users"). Users include, but are not limited to: faculty and staff members, students, vendors, volunteers, contractors, or other affiliates of California College of the Arts.

Authorized Users will:

  1. Seek access to data only through established authorization and access control processes.
  2. Access only that data for which they have a business need to know to carry out job responsibilities.
  3. Disseminate data to others only when authorized by the Data Steward (see Institutional Data Policy).
  4. Complete training in information security and confidentiality policies and procedures.
  5. Acknowledge or sign annual confidentiality statements for access to restricted and critical data.
  6. Perform all responsibilities necessary to protect data when placing institutional data on personally owned or managed devices.

Information Access and Authorization

Physical and electronic access to institutional data must be controlled. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information. Data handling requirements are outlined in the Institutional Data Policy.

All access to institutional data will be provisioned and managed through user accounts, in accordance with the User Account Policy.

Procedures must be documented for the timely removal of access to systems, services and accounts, including return of institutionally owned materials (e.g., keys, ID Cards), for employees, affiliates and contractors.

Authentication

The enterprise directory seeks to provide a fully integrated method for verifying the identity of all persons in the CCA community, granting access to Institutional Data, and securing systems and devices allowed to access that data.

CCA Accounts is a single, enterprise authentication service that serves as the authoritative source for institutional data such as IDs, email, service eligibility indicators, and other derived attributes; it consolidates identity information in support of enterprise authentication. CCA Single Sign-On (SSO) Accounts is the college-wide standard for a unique login identifier (ID) for each person in the CCA community. Data in the CCA Account directory is fed from authoritative sources, e.g. Workday, making the data dependable and available for decisions.

Authentication is the mechanism that verifies that an individual is who they claim to be. Verification is based on a CCA username and password, coupled with Multi-Factor Authentication, which is required as appropriate (see next section).

Password Requirements

Passwords for both CCA Accounts and Local System Accounts (see below) are required to be strong, based on an industry standard password strength metering system.

Passwords must always be encrypted at rest and in transit.

Local System Accounts

All enterprise systems storing institutional data should strive to utilize CCA SSO Accounts for authentication. When integration with CCA SSO accounts for authentication is not possible, the authentication mechanisms must be reviewed by the Senior Security and Infrastructure Engineer, and approved by the AVP-TS.

Services that are not able to use the CCA SSO Account for authentication must rely on local authentication, until such time as the service can use CCA SSO Accounts. Plans should be developed to determine how the service will transition toward enterprise authentication in the future.

All systems and applications not using CCA SSO Accounts for authentication must use strong, encrypted passwords to access/authenticate.

System Administrators are responsible for maintaining these accounts, including disabling these accounts when users leave the college or no longer require access.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is achieved when multiple forms of authentication are used to increase the likelihood that the credentials are from the individual to whom they were assigned. This process reduces the risk of impersonation or the use of compromised credentials by an unauthorized individual. The types of credentials typically fall into three categories: something you know, such as a PIN or password; something you have, such as a one-time passcode generator, token or smart card; and something you are, such as a fingerprint or other biometrics.

MFA is required for all CCA staff, faculty and current students when using their CCA Single Sign-On (SSO) account.

Wherever possible, all CCA systems will utilize SSO, to ensure MFA is enforced. In cases where a system does not support SSO, we expect the system to provide an MFA solution, which will be enabled for all users accessing the system.

  • If an existing system does not support SSO, and does not provide an MFA alternative, CCA will work with that vendor toward a solution that meets this policy.
  • No new system will be acquired that does not integrate with SSO or provide an alternate MFA solution.

Access Control

Inactivity time-outs must be implemented for workstations that access non-public institutional data. The period of inactivity shall be no longer than 20 minutes in publicly accessible areas. A shorter timeout period may be required by law or regulatory requirements.

Inactivity time-outs must be implemented for all online authentication sessions that include access to non-public institutional data. These sessions should be no longer than 20 minutes for systems that grant access to data classified as high risk, and no longer than 7 days for systems that grant access to data classified as moderate or low risk.

Remote access to manage on-premise systems or devices requires MFA, is logged at the firewall, and is fully encrypted.

Physical Access Control

The level of physical access control for any area that contains institutional data is determined by the level of risk and exposure. Data centers and other locations where non-public data is housed must be protected at all times with physical access controls such as keys, biometrics or proximity cards.

Physical access to data centers or any area with non-public institutional data must be monitored and logged through electronic logging or tracking mechanisms. Visitors and other maintenance personnel must be escorted by authorized operations staff when in a data center.

Media (e.g., paper records, digital devices and peripherals) that contain non-public institutional data must be secured during transportation and disposal.

Mobile Device Security

Mobile devices present a unique challenge to securing sensitive data. Lost or stolen devices must be protected from unauthorized access and sensitive data disclosure.

  • Non-public institutional data should never be stored on a mobile device. Institutional data should always be stored in official CCA systems, including Workday, Google Workspace, and Salesforce.
    • By exception, non-public institutional data may be saved to a mobile device temporarily while working with the data, but must be removed promptly when the work is completed.
  • Mobile devices must be kept in a secure location when not in use, and the device must be access controlled with a password, PIN, biometrics or similar control.
  • Full disk encryption is required for College-owned mobile devices (e.g. laptops, tablets) unless the device meets criteria for an exception.
  • Authorized Users must choose College approved data storage systems over mobile device storage whenever possible, to minimize the risk of lost or stolen devices and institutional data.
  • Use of external storage devices to store non-public data is prohibited.

Data Storage and Protection

CCA will store sensitive data in approved cloud systems that employ encryption technology for all non-public data, both at rest and in transit. These systems include Workday, Touchnet, Google Workspace, Salesforce and others.

When non-public data needs to be stored on CCA-managed systems, CCA will encrypt this data both at rest and in transit using appropriate encryption technology.

CCA will use only strong, publicly reviewed encryption algorithms and reputable cryptographic implementations and will not employ any proprietary or secret algorithms.

CCA will annually verify that all sensitive information stored on CCA managed systems is being encrypted and that the encryption technology is appropriate and effective.

CCA will use authentication and encryption to protect any non-public information sent over a public network.

Technology Evaluation and Procurement

All technology must be reviewed by Technology Services and approved by the Chief Information Officer prior to acquisition.

Any new systems that will store and/or process non-public data must undergo a security review by the Senior Security and Infrastructure Engineer prior to acquisition. The security review will confirm that the system and vendor is in full compliance with this and other CCA policies relevant to information security.

Technology Inventory

A comprehensive accounting of all systems in use at the College will be maintained in a centralized inventory, including custom and CCA-hosted applications, vendor-hosted cloud services, hardware and software. The inventory must include the following information:

  • Description of the function and purpose of the system
  • System administrator responsible for the system
  • Current status of the system
  • Risk classification of the institutional data handled by or stored within the system
  • Vendor/manufacturer information, as relevant
  • Physical and/or web accessible location, as applicable

The Technology inventory will be reviewed and updated on a regular basis. The Senior Security and Infrastructure Engineer is responsible for ensuring that updates are made at least annually, and on an ad hoc basis as new systems are added or deprecated. The System Administrator is responsible for maintaining updated and accurate information for each system for which they are responsible.

All on-premise servers, network and other hardware must be maintained in the Technology Inventory, including information about the current status, operating system, purpose and applications installed on the device.

An inventory of all mobile devices and workstations managed by the College will be maintained and include information about the device, current status, user/location to which the device has been issued, operating system and applications installed on the device.

Separation of duties and functions

Separation of Duties is an attempt to ensure that no single individual has the capability of executing a particular task/set of tasks that could negatively impact the confidentiality, integrity, or availability of information systems critical to business operations or containing non-public institutional data. It is understood that different information systems will have different requirements.

System Administrators must separate administrative access for their systems’ critical operational and administrative functions into distinct roles, such that the tasks involved in critical business processes are performed by separate individuals. This prevents a single person from harming a development or operational system or the services it provides, whether by an accidental act, omission, or intentional act.

Technical staff with broad administrative access to systems, such that they have access to modify or grant access to other users, will use a separate account for administrative tasks versus daily activities.

In systems where this is not feasible, a second level of authentication (e.g. Step-Up Authentication) or a defined protocol should be required for any security changes when possible.

Change Management

Change control management must be implemented to monitor and control hardware and systems that store or process non-public institutional data or support critical business functions of the College. Changes in scope include, but are not limited to, software updates, configuration changes, installation of new software.

The following change control mechanisms are required to be in place for all hardware and systems in scope:

  • Modifications must require sufficient authentication and authorization in order to protect the system/hardware from unauthorized changes.
  • All system/hardware changes in production systems must be fully auditable, showing a record of any changes made to the system.
    • If auditing is not possible in a particular system, robust documentation of the change must be manually recorded, including date, time, change being made, and user making the change.
  • Documentation must be maintained for all system changes that have a potential impact on security, access to data or system availability, including those of the details below that are appropriate for the change being made:
    • A description of the request, describing the reason for the request, intended result, and the person requesting the change.
    • Approval for the change, by the appropriate manager and/or data steward, depending on the nature of the change.
    • Testing conducted in non-production systems, and the results of those tests.
      • For any change that may impact access to non-public data, testing in non-production systems is required prior to making the change in the production system, wherever possible.
    • Final documentation of the change made in production systems, including the date, person making the change, and a description of the change that was made.

Custom Application Development

Applications developed internally, or custom applications developed by a third party, often present significant risk, particularly when the system interacts with non-public institutional data. Without proper security controls over software development, the risk of security weaknesses being introduced into production, either inadvertently or otherwise, increases significantly.

To prevent the introduction of security vulnerabilities into custom applications developed internally or by a third party, CCA will develop secure coding guidelines for use by their developers that address the most significant security issues common to applications. The developers will be trained on these guidelines and in secure coding techniques.

In addition, the following mechanisms must be in place:

  • The custom application must adhere to all controls within this policy, including but not limited to Information Access, Multi-Factor Authentication, Change Management, Separation of Duties, and Preventive Measures, Backup and Recovery.
  • Verification that all non-public data handled within the custom application is encrypted at rest and in transit.
  • Testing must be conducted in a development and/or Test environment prior to deployment in production.
    • The Test environment should match the production environment as closely as possible, including real non-public data as needed to conduct proper testing. As such, the same controls and data protections are required in the Test environment as they are in a production environment.
    • Testing must include security-specific application testing, including a review of security requirements, vulnerability testing and code review.
  • Prior to deploying any changes to production, CCA will perform independent code review of all applications and changes to custom applications. Code review procedures include the following requirements:
    • Code changes are reviewed by individuals other than the original author and/or static code analysis or another automated tool
    • Code changes are reviewed by individuals who are knowledgeable in code review techniques, and in secure coding practices
    • Code reviews make sure secure coding guidelines have been followed
    • Any corrections identified during the code review are implemented prior to release

External Data Sharing

All non-public data shared or placed outside California College of the Arts' control are subject to College policy, as well as external regulations and controls. For example, Protected Health Information (PHI) will only be shared based on HIPAA Business Associate Agreements.

Institutional data transmitted outside the organization requires additional safeguards. The security provisions employed will depend upon the identified risk and threats, regulatory requirements, and the technical mechanisms available.

  • The Data Steward is responsible for making decisions regarding appropriateness of external transmission and access to institutional data.
  • Critical or restricted data transmitted outside of the CCA managed network must be encrypted in transit, at rest on the external system, and require strong authentication.
  • Whenever possible, data shared with non-CCA parties should be shared using CCA-managed systems, such as Google Drive, using appropriate sharing settings. This allows CCA to retain control of data sharing, and requires users to authenticate in order to access the data.
  • Sharing non-public data externally via an email attachment is a last resort, and the data must be encrypted and include strong authentication.
  • Sharing PHI externally requires the completion of a HIPAA Business Associate Agreement unless the communication is authorized for the purpose of treatment, payment or health care operations. Sharing other non-public data may have similar contract requirements.

Anti-Malware controls

All systems connected to the network or handling non-public institutional data will have malware protection where technologically feasible.

The most recent version of anti-malware software must be implemented and maintained with daily malware definition updates.

All anti-malware titles must be approved by the Senior Security and Infrastructure Engineer.

Preventive Measures, Backup and Recovery

Processes are necessary to prevent loss of vital records, to provide backup and recovery, and provide continuous operation consistent with the business needs of the institution.

At CCA, the majority of vital records are stored in cloud-based systems, and are dependent upon the backup and recovery mechanisms provided by our vendors. CCA is required to ensure that all vendors have the processes below in place.

Any CCA-managed system that stores vital records or supports mission critical systems, must also have these backup and recovery mechanisms in place.

  • Prevention: Annual testing of preventive methods as they apply to fire, utility services and other environmental hazards must occur.
  • Backup: Institutional data must have sufficient backup and be fully recoverable. The procedures for regular backup and safe recovery of systems will be documented. Backups containing non-public data must be encrypted.

In the event of a natural disaster, fire, act of vandalism, or act of terrorism, alternate modes of operation must be documented to ensure continuity of critical services. These modes of operation may include manual processes.

Network Vulnerability Assessment and Continuous Monitoring

Regular scanning of devices attached to the network, to assess potential security vulnerabilities, is a best practice for managing a dynamic computing environment. For critical enterprise systems or those dealing with sensitive data, additional testing methods to look deeper for more security vulnerabilities may be a requirement for compliance with laws, regulations, and/or policies.

All devices attached to the California College of the Arts networks are subject to security vulnerability scanning and/or penetration testing. Systems that are not properly managed can become a potential threat to the operational integrity of our systems and networks. Other systems dealing with sensitive data may be submitted for penetration testing at the request of the System Administrator, or at the recommendation of the Technology Leadership Team.

Attacks on College technical resources are infractions of the Acceptable Use Policy constituting misuse, or they may be vandalism or other criminal behavior. Attacks on College resources will not be tolerated, and this policy provides a method for pursuing the resolution and follow-up for incidents.

Network scans are performed only by scanning systems authorized by Technology Services.

CCA will conduct periodic network vulnerability assessments, designed to detect system vulnerabilities before they are exploited, and respond to successful system exploitations in a comprehensive manner.

Multiple levels and types of network security scanning are utilized by the California College of the Arts, and are conducted under the direction of the Senior Security and Infrastructure Engineer:

  1. Continuous Monitoring – CCA’s security team is alerted to malicious activity, compromised hosts, and other suspicious network behavior by the firewall. Automated port scans of the college’s private networks identify suspicious services that may be evidence of a compromised host requiring further investigation. CCA is alerted when new hosts appear on the dedicated server network.
  2. Ad Hoc Scan – Before a new system is put into service, a network security scan may be conducted for the purposes of identifying potential vulnerabilities. In addition, specialized scans to target specific problems posing a threat to the College’s systems and networks or to correlate interrelated network-based vulnerabilities will be conducted on an ad hoc basis, often in response to alerts from the firewall and other monitoring systems.
    • Scans may be requested by system administrators at any time, as frequently as necessary to maintain confidence in the security protections being employed.
    • Any system identified in conjunction with a security incident, as well as any system undergoing an audit, may be subject to a network security scan without prior notification.
  3. Penetration Test – Penetration testing is a separate and distinctly different set of testing activities. Its primary focus is the exploitation (not just observation or assessment) of security vulnerabilities and therefore may be disruptive to operations. Penetration testing is most beneficial when executed after an Assessment has been performed and the issues found by that Assessment have been remediated.
    • All penetration testing of College systems must be conducted or arranged by Technology Services. Penetration testing is typically conducted over a period of several weeks, with regular feedback to the system administrators if issues are identified.
    • Internal penetration testing will be conducted at least annually by the Senior Security and Infrastructure Engineer using a variety of free and/or commercial tools, or more frequently if appropriate.
    • More in-depth 3rd party penetration testing will be done as part of the periodic risk assessment every 5 years, and will include testing of CCA developed web applications.

Vulnerabilities that are identified during network vulnerability assessments will be communicated by the Senior Security and Infrastructure Engineer to the corresponding system administrators, and reported to the Associate Vice President, Technology Services (AVP-TS).

Vulnerability Remediation

After vulnerabilities are identified and communicated to the appropriate system administrators, the system administrators must work toward vulnerability remediation, mitigation, or implementing compensating controls to reduce risks identified in vulnerability assessments.

The identification of “false positives” in scan reports is the responsibility of the System Administrators, and must be communicated to the Senior Security and Infrastructure Engineer.

System Administrators will report their progress on remediation efforts on a monthly basis, until such time that the vulnerability has been satisfactorily remediated, or classified as a false positive. The Senior Security and Infrastructure Engineer is responsible for determining that a vulnerability has been remediated satisfactorily.

The Senior Security and Infrastructure Engineer will provide a monthly report to the AVP-TS on current vulnerabilities and progress toward remediation.

Vulnerability Assessment of Vendor-Managed Systems

Vulnerability assessment of cloud-based systems is typically the responsibility of the vendor. CCA will ensure that each vendor-managed system has a process for conducting routine vulnerability assessments prior to acquisition. This verification is part of the security review conducted by the Senior Security and Infrastructure Engineer prior to acquisition.

User Activity Logging

All systems that store or process non-public data will be configured to maintain activity logs for all authorized users, in all systems where this is feasible.

  • In the case of a system in scope that does not support activity logging, the system administrator will work with the vendor toward a solution to meet this requirement.
  • No new systems will be acquired that are intended to handle non-public institutional data and do not support user activity logging. This will be part of the security review under the Technology Evaluation and Procurement section of this policy.

System Administrators will periodically review user activity for unauthorized access or tampering with non-public institutional data.

Wherever possible, automation will be implemented that will detect and alert system administrators of unauthorized access or tampering with data in the system.

All audit logs and tools will be protected from unauthorized access, modification and deletion. Access to audit records will be limited to a subset of privileged users.

Risk Assessment

CCA will perform a formal risk assessment of the College’s Information Technology environment on an annual basis. The risk assessment formally documents the risks associated with IT systems and sensitive information based on the threats to the system, potential vulnerabilities of the systems to those threats and the adverse impact of a security breach on those systems.

The annual risk assessment will be conducted on all systems and vendor services for which an outage, breach or similar event would have a moderate or greater adverse impact on the organization, and in particular should include systems and vendor services that store or process non-public institutional data.

The risk assessment process should be formally documented so that it can be implemented in an effective manner. The AVP-TS must review and approve the risk assessment process prior to the initiation of the assessment.

The CCA risk assessment methodology should derive from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Rev. 1 (http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.epub), with modifications as needed to suit CCA’s technical environment.

In general, the CCA risk assessment process will include the following steps:

  • Identify systems (including IT infrastructure, applications, vendor-provided services and data repositories) that are critical to business operations or have access to non-public institutional data
  • Enumerate reasonably foreseeable internal and external threats to those systems (e.g., human actors, automated attacks, environmental threats and accidents) that could result in unauthorized disclosure, misuse, alteration or destruction of constituent or organization information
  • Identify vulnerabilities that could be present on the system that would enable the threats to impact the system
  • Assign an impact rating to each threat gauging the adverse impact to the system if the threat occurred
  • Assign a risk rating to each system or threat based on the likelihood and adverse impact of an event
  • Determine controls in place and evaluate their effectiveness
  • Assign a residual risk rating to each threat based on the risk and control effectiveness

The CCA risk assessment will be conducted internally by knowledgeable, experienced Technology Services staff, on an annual basis, with the following exceptions:

  • At least once every five years, an external consultant will be contracted to conduct the risk assessment.
  • After a security incident, the CIO may determine that a risk assessment conducted by an external consultant is warranted.

When conducted internally, the AVP-TS is responsible for designating team members who conduct the risk assessment. When conducted by an external consultant, the AVP-TS is responsible for selecting the vendor with whom to contract for risk assessment services.

Reporting of Risk Assessment Results

The team who conducted the risk assessment will compile the results of the risk assessment into a formal report to be presented to the AVP-TS and the CIO.

The CIO is responsible for reporting the results of the risk assessment to Senior Cabinet and the Board of Trustees.

Equipment and Data Disposal

California College of the Arts is committed to compliance with applicable laws and regulations associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.

Digital storage devices that contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of College control, or erased before being transferred from one College department or individual to another.

All computers and digital storage devices, including but not limited to desktop workstations, laptops, servers, tablets, and hard drives, and all external data storage devices such as disks, SANs, optical media (e.g., DVD, CD), magnetic media (e.g., tapes, diskettes), and non-volatile electronic media (e.g., memory sticks), are covered under these requirements for disposal.

College-owned assets must have all institutional data and licensed software reliably erased from the device prior to its transfer out of College control, and/or the media must be destroyed, using current best practices for the type of media.

  1. For all computer and digital storage media leaving the College’s possession and/or control while still intact, erasure of data using approved procedures must be performed prior to release. An exception may be made when e-wasting equipment with a vendor who has an explicit agreement with the College to erase all data as part of the e-waste service.
  2. Technology support staff are required to erase computer and digital storage media prior to transfer within the College, or destroy/replace storage media, before equipment transfers take place.
  3. The College must have a confidentiality agreement in place with any vendor receiving devices for trade-in or repair, or receiving devices that must be replaced under a warranty or repair contract but cannot be erased for technical reasons.

For vendor-managed systems that store or process institutional data, all data must be fully erased at the time that the College discontinues use of the system. Documentation of erasure is required, and will be maintained by the Senior Security and Infrastructure Engineer.

Incident Response

In accordance with applicable law, the California College of the Arts shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information, typically maintained in an electronic format by the College.

Reporting information security incidents occurring on College systems and/or on College networks to the appropriate authorities is a requirement of all persons affiliated with the College in any capacity, including staff, students, faculty, contractors, visitors, and alumni. Suspected or confirmed information security incidents must be reported promptly to Technology Services by sending a message to helpdesk@cca.edu.

The AVP-TS will investigate the report, and if a security breach may have occurred, will inform the CIO. The CIO will inform General Counsel, Senior Cabinet, and/or law enforcement, as appropriate.

If the incident qualifies as a covered event under CCA’s cyber security insurance, the CIO will file a claim with the insurance provider, and seek legal consultation.

Pending guidance from legal consultation, the CIO will coordinate any further response with legal services provided by CCA’s cyber security insurance. This response may include internal notification, public notification, notification to impacted individuals, and/or notifications to regulatory and government authorities.

Only the CIO, in consultation with legal services provided by CCA’s cyber security insurance, is authorized to perform public notification.

Incident Response Procedures

The system administrators responsible for support of the system or network that has been compromised or is under attack are in all cases expected to:

  1. Report the incident to their leadership and to Technology Services via the Help Desk.
  2. Take action at the direction of the AVP-TS to contain the problem, and block or prevent escalation of the attack, if possible. For systems critical to College operations, administrators may continue recovery efforts while awaiting the AVP-TS response.
  3. Follow instructions communicated from the AVP-TS in order to facilitate investigation of the incident and preservation of evidence.
  4. Implement recommendations from the AVP-TS to remediate the system, and repair resulting damage, if any.
  5. Restore service to its former level, if possible.

Incident Response Planning

The AVP-TS shall maintain an internal, standardized incident response framework that includes protection, detection, analysis, containment, recovery, and user response activities.

The AVP-TS shall annually, at a minimum, test the incident response framework and associated capabilities in order to determine the framework’s effectiveness. The results of this testing shall then be used to improve the incident response framework.

Cardholder Data

CCA cardholder data functions are completely outsourced to validated third parties. As such, CCA’s payment collection processes are structured so that:

  • Payments are collected only through e-commerce functions.
  • All processing of cardholder data is entirely outsourced to PCI DSS validated third party service providers.
  • CCA does not store, process or transmit cardholder data in electronic or paper format in our systems or on our premises.
  • CCA will confirm that all third parties handling cardholder data are PCI DSS compliant.
  • All elements of any payment page delivered to the payor’s browser originate only and directly from a PCI DSS validated third-party service provider.

Access to sensitive cardholder data via third-party platforms is tightly controlled, such that:

  • Any job functions that require access to cardholder data must be clearly defined.
  • Access to sensitive cardholder information such as PANs, personal information and business data is restricted to employees that have a legitimate need to view such information.
  • Any display of cardholder data is masked so that, at most, the first 6 and the last 4 digits of the primary account number (PAN) are shown.
  • No other employees are granted access to this confidential data unless they have a genuine business need.

CCA will ensure that any service provider that will be handling, processing or transmitting cardholder data is PCI DSS compliant. This assessment will be completed prior to initiating service with any such provider, and on an annual basis, in conjunction with the Information Security Risk Assessment.

Contacts

Primary Individual Responsible for Information Security Program

Policy Steward