Information Security Program
Introduction
The purpose of this Information Security Program is to provide an overview of the policies, standards and procedures that make up The Chrysm Institute of Esthetics IT Security Program. These policies, standards and procedures document the practices undertaken to protect information which falls under federal and state laws and regulations such as HIPAA and FERPA. The intent of the Program is to provide effective security balanced with the need for maintaining the open and collaborative network environment required for higher education institutions to foster scholarly activity and to remain competitive. The Chrysm Institute of Esthetics exercises independent authority for establishing and executing its information security program.
It is the collective responsibility of all users to ensure:
- Confidentiality of information which The Chrysm Institute of Esthetics must protect from unauthorized access
- Integrity and availability of information stored on or processed by The Chrysm Institute of Esthetics information systems
- Compliance with applicable laws, regulations, and The Chrysm Institute of Esthetics policies governing information security and privacy protection
The Information Technology Security Program establishes guidelines and principles for initiating, implementing, maintaining, and improving information security management for The Chrysm Institute of Esthetics. The program is intended to protect the confidentiality, integrity and availability of information resources and is not intended to prevent, prohibit, or inhibit the sanctioned use of information technology resources as required to meet The Chrysm Institute of Esthetics’ mission and academic and administrative goals.
Scope
The program applies to all users, all information assets, facilities, applications, systems and network resources. Auxiliary organizations or any entity, including third parties, using The Chrysm Institute of Esthetics information technology resources must operate those assets in conformity with The Chrysm Institute of Esthetics Information Technology Security Program, unless otherwise formally exempted by the President or their designee.
Information Security Policy
Policy is developed and executed, and expectations are set for protecting the institution’s information assets. These are supported by related policies, standards, guidelines and practices to facilitate campus compliance:
- Standards establish specific criteria and minimum baseline requirements or levels that must be met to comply with policy. They provide a basis for verifying compliance through audits and assessments.
- Guidelines are recommended or suggested actions that can supplement an existing standard or provide guidance where no standard exists.
Security Policy Management
In collaboration with all appropriate institution representatives, the Information Security Officer (ISO) leads efforts to develop, approve, and launch information security policies and standards, based upon the industry’s best practices in information security. These policies, standards and guidelines formally establish The Chrysm Institute of Esthetics Information Security Program and set forth employee responsibility for information protection.
The security policy also incorporates security requirements of applicable regulations including, but not limited to, the Family Educational Rights and Privacy Act and Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking (VASCAN), also serve as resources for additional effective security practices.
Security Organization and Governance
Information security cannot be treated solely as a technology issue. Because of the institution’s growing dependence on information technology and information technology-based controls, information and information technology security risks increasingly contribute to operational and reputational risk.
Information Security Officer (ISO)
As overall IT security responsibility is assigned to the President of The Chrysm Institute of Esthetics as Agency head, the President assigns the Information Security Officer (ISO) the responsibility to develop and manage The Chrysm Institute of Esthetics IT security program and to coordinate and provide IT security information to the staff. The ISO oversees an annual review of the security program and communicates any changes or additions to the appropriate stakeholders. In addition, the program is updated to reflect changes in The Chrysm Institute of Esthetics policy, academic, administrative, or technical environments, or applicable laws and regulations. The ISO reports to the President on the current state of the institution’s security relative to protecting institution information assets as needed.
Privacy of Personal Information
All users of information technology resources are advised of the open nature of information disseminated electronically, and must not assume any degree of privacy or restricted access to information they create or store on The Chrysm Institute of Esthetics systems. The institution will disclose information about individuals only to comply with applicable laws or regulations, to comply with or enforce applicable policy, to ensure the confidentiality, integrity, or availability of campus information, and to respond to valid legal requests or demands for access to campus information.
User access to IT systems is based on the principle of least privilege. Proper authorization and approval by the IT system user’s supervisor and the System Owner is required for access.
Security Awareness and Training
Security awareness at The Chrysm Institute of Esthetics aims to create a commitment to good security practices and to foster a climate in which security rules are seen as beneficial to the protection of the institution environment. Users acknowledge their responsibilities through the acceptance of a statement on the terms of use of information technology resources, in the employee Policy & Procedure Manual. Training is required periodically. Security awareness information is provided to new employees. Security tools are provided at no charge. Users are notified of email scams, phishing attempts and other malicious actions and are required to report the same.
Identity Management
The Chrysm Institute of Esthetics maintains a technical environment with services which require unique identifying credentials in order to gain access and authorization. These credentials are managed as much as possible through the Financial Aid and/or Registration Departments. Access to computing resources is authorized on the basis of roles (faculty, staff, or student). This system continues to be developed with fundamental security principles in mind. Account administration is guided by account management and access standards.
Incident Management
Security incidents are managed by the ISO and designated staff to ensure that security incidents are promptly reported, investigated, documented and resolved in a manner that restores operation quickly and, if required, maintains evidence for further disciplinary, legal, or law enforcement actions. The incident response program is reviewed periodically and modified as needed to comply with applicable laws and institution policies and standards.
Detection, analysis, containment, recovery and review draw on several mechanisms, such as malicious code scanning, virus protection, intrusion detection, monitoring, logging and incident handling protocols, supported by McAfee antivirus software.
Operational Security
To ensure the secure operation of information technology facilities and resources, system activities must be managed consistently and under a set of principles and controls.
Risk Management
Identifying and prioritizing risks forms the basis for determining appropriate actions to take. Risk assessment involves evaluating risks and their likelihood, along with selecting and implementing controls to reduce risks to an acceptable level. No set of controls can achieve complete security, so assessments are completed as needed to evaluate the effectiveness of the controls.
Access Control
Access to information technology resources is controlled on the basis of business need and security requirements. Network access control lists enforce specific security and business requirements. Access management, user registration and termination, and privilege management govern the allocation of rights. Sets of controls are in place that restrict access through technical structures and authentication methods. Passwords are managed through a formal process and secure log-on procedures.
Systems Security
System Security is maintained over the lifetime of systems through a series of standards intended to protect The Chrysm Institute of Esthetics resources from initiation through implementation and maintenance of the system, and upon retirement and disposal of the system. System planning includes a Risk Assessment standard to be followed prior to placing a system into production status.
Overall system security during the production lifetime is maintained via operational security standards including malicious code protection, logical access controls standards, data protection standards, facility security standards, personnel security standards and IT System Security standards.
Personnel Security
In addition to defining security roles and responsibilities, personnel security is addressed through adequate position descriptions, terms of employment, and security education and training. The employee Policy & Procedures Manual expresses responsibilities regarding confidentiality, data protection, ethics, and appropriate use of facilities, materials and equipment. Third party users are made aware of their responsibility to comply with relevant laws, regulations and institution expectations.
Contingency Planning
Contingency planning is conducted to minimize the impact and loss of information assets in the event of a disaster. Data is backed up using the Carbonite cloud backup solution, at minimum, on a daily basis. Based on the results of the analysis, a risk assessment is performed to evaluate the probability and impact and to consider the consequences to information security. An overall strategy is developed for crisis management, recovery and restoration.
Security Assessments and Reviews
Management’s approach to information security is reviewed on a regular schedule and as necessary to ensure continuing appropriateness, adequacy and effectiveness. The IT Security Program is reviewed and evaluated by the ISO and the designated staff regularly to discuss specific incidents and to identify areas of concern.
Annual Security Plan
The Information Security Officer completes a comprehensive review of the Security Program annually. This review may include assessments and recommendations for addressing identified vulnerabilities.
Compliance
The Chrysm Institute of Esthetics’ information security practices must comply with a variety of federal and state laws, and institutional policies designed to protect individuals and organizations against the unauthorized disclosure of information that could compromise their identity or privacy. Legal regulations cover a variety of types of information including personally identifiable information, personal financial information, medical information, and confidential student information.
There are many individual laws, regulations, and policies that establish our information security requirements. Some of the most notable include:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Policy Enforcement
The Information Security Officer or designee will ensure that suspected violations and resultant actions receive the proper and immediate attention of the appropriate institution officials, law enforcement, outside agencies, and disciplinary/grievance processes in accordance with due process.
Allegations against employees that are sustained may result in disciplinary action. Third party service providers who do not comply may be subject to appropriate actions as defined in contractual agreements or other legal remedies available to the institution. Non-compliance may result in personal, criminal, civil, or other administrative liability.
The Chrysm Institute of Esthetics reserves the right to temporarily or permanently suspend, block, or restrict access to institution information assets, independent of such procedures, when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability or functionality of The Chrysm Institute of Esthetics information assets; to protect The Chrysm Institute of Esthetics from liability; or to enforce this policy and its related standards and practices.