Information Security Program (ISP)
The Board recognizes the importance of information security. The following shall constitute Board policy concerning information security.
Each College and the System Office will have an Information Security Program (ISP) which ensures availability, confidentiality and integrity of NSCS Technology Resources. Collectively, these programs will constitute the Information Security Program (ISP) for the NSCS, and this NSCS ISP shall satisfy the Gramm-Leach-Bliley Act (GLBA) requirements for non-public financial data.
The ISP will comply and align with other NSCS policies and shall be based on the Information Security Standards identified in this Policy.
Each President shall designate an individual responsible for each College ISP. The Vice Chancellor for Facilities and Information Technology shall be the individual responsible for the System Office ISP and shall serve as the System Office Information Security Officer (SOISO).
The SOISO shall coordinate with each President’s designee to review the NSCS ISP no less frequently than annually, and to update it as necessary.
To protect all Technology Resources of the NSCS, this Policy and the NSCS ISP apply to all faculty, staff, students, visitors, vendors and contractors, and to all systems that access, store or transmit NSCS data.
In all Standards, the principles of least privilege, least functionality, and defense in depth shall be applied.
Information Security Program Standards
Each College and the System Office shall implement and apply the following NSCS ISP Standards:
Standard 2: Responsibilities, Enforcement and Exceptions
Standard 3: Security Training and Awareness
Standard 4: Information Protection
Standard 5: Acceptable Use Policy
Standard 6: Computer and Network Security
Standard 7: Configuration and Change Management
Standard 8: Email
Standard 9: Physical Security
Standard 10: Technology Resources Acquisition
Standard 11: Payment Card Data Protection
Standard 12: HIPAA Security Rules and the HITECH Act
Standard 13: Cloud Computing
Standard 14: Information Systems Security Risk Management
Standard 15: Bring Your Own Device (BYOD)
Standard 16: Incident Management
Additional and updated information can be found here.