1. Policy Statement

Quincy College is committed to protecting the confidentiality, integrity, and availability of its information assets. To this end, the College will establish and maintain a comprehensive Information Security Policy to mitigate risks, ensure regulatory compliance, and safeguard sensitive information against unauthorized access, data breaches, and other security threats.

2. Objectives

  • Ensure that a formalized, defined, and circulated Information Security Policy is in place.
  • Protect information assets from unauthorized access, misuse, disclosure, destruction, and alteration.
  • Implement measures to mitigate risks associated with removable media and other potential security threats.
  • Ensure compliance with relevant regulatory requirements and industry best practices.

3. Scope

This policy applies to all information systems, networks, applications, and data owned or managed by Quincy College, including both physical and digital assets.

4. Roles and Responsibilities

  • Vice President of Mission Support: Leads the policy implementation team, coordinates efforts, and ensures compliance with policy requirements.
  • Vice President of Finance: Ensures that financial aspects of information security, including budget considerations and financial risks, are managed effectively.
  • IT Manager: Manages the technical aspects of information security, including system configurations, security measures, and incident response.
  • IT Analyst: Supports the IT Manager in conducting security assessments, monitoring system activities, and ensuring technical compliance.

5. Security Measures

  • Autorun and Autoplay: Disable autorun and autoplay functionality for all removable media to prevent the automatic execution of malicious software.
  • Access Control: Implement strict access controls to ensure that only authorized personnel have access to sensitive information. Use multi-factor authentication and regular access reviews.
  • Data Encryption: Encrypt sensitive data both at rest and in transit to protect it from unauthorized access and disclosure.
  • Malware Protection: Install and maintain up-to-date antivirus and anti-malware software on all systems to detect and prevent infections.
  • Patch Management: Regularly update and patch all systems, applications, and software to address security vulnerabilities.

6. Monitoring and Auditing

  • Conduct regular security audits and assessments to ensure compliance with the Information Security Policy.
  • Monitor network and system activities for signs of unauthorized access, misuse, or security breaches.

7. Incident Response

  • Establish procedures for responding to security incidents. See the Incident Response (IR) Policy for detailed procedures.
  • Ensure staff are aware of their responsibilities in the event of an incident, including timely reporting and cooperation with the incident response team.

8. Training and Awareness

  • Provide training for all stakeholders involved in information security, including the IT Manager, IT Analyst, and department heads.
  • Regularly update training materials to reflect changes in the policy and regulatory requirements.

9. Review and Updates

  • Conduct an annual review of the Information Security Policy to ensure it remains current and effective.
  • Update the policy as necessary to address emerging threats, changes in regulatory requirements, and lessons learned from incidents.

Original: July 2024