This Information Security Plan describes Nevada State College’s safeguards to protect Sensitive Information in compliance with institutional, state, and federal guidelines. These safeguards are provided to:
The purpose of this plan is to:
Data Owner: An individual, entity, or office that is authorized to collect, view, or manage the data.
Sensitive Information: Any information or data associated with an individual that is considered personal or confidential, including but not limited to Social Security Numbers, individually-identifiable health information, education records, non-public information, and data that is protected by Board policy, state, or federal law.
Third Party: Any individual or entity contracted by Nevada State College.
Nevada State College recognizes that it faces both internal and external risks regarding Sensitive Information. These risks include, but are not limited to:
The appointed Information Security Officer, in cooperation with the Chief Information Security Officer at the Nevada System of Higher Education, is responsible for the implementation and maintenance of this policy.
A. Employee Management and Training: Upon selection for hire, background checks are conducted when deemed appropriate. During onboarding, each new employee who may handle or encounter Sensitive Information shall receive information security training highlighting the importance of confidentiality and protecting Sensitive Information.
B. Physical Security: Nevada State College has addressed physical security of Sensitive Information by limiting access to only those employees who have a business reason to know such information and requiring acknowledgement of the requirement to keep Sensitive Information private.
C. Information Systems: Information systems housing Sensitive Information shall be secured behind network firewalls, physically accessible only to key personnel, electronically accessible only via controlled access, kept up-to-date with security patches, backed up on a routine basis, and shall transmit Sensitive Information in a secured manner such as via encrypted channels. Additionally, Nevada State College will maintain systems to prevent, detect, and respond to attacks or intrusions. This includes maintaining anti-virus protection, a network intrusion detection/alert system, and tools to secure systems in the event of a breach.
D. Selection of Service Providers: In the process of selecting a service provider that will maintain or regularly access Sensitive Information, the evaluation process shall include the ability of the service provider to safeguard such data. Contracts with service providers should also include the following provisions:
Nevada State College shall maintain an incident response plan. Per the incident reporting and response procedures, all suspected information security incidents must be reported as quickly as possible to the Office of Information & Technology Services. This includes, but is not limited to, security breaches, unintended exposure of Sensitive Information, suspected viruses or malware, or unauthorized requests for login information or Sensitive Information.
This information security plan will be subject to periodic review and adjustment due to constantly changing technology and evolving risks. The plan coordinator will recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the definition of Sensitive Information, or internal/external threats to information security.