Information Security Policy

Bay de Noc Community College Board of Trustees Policy

1000 General Administration
1057 Information Security Policy

It shall be the policy of the Bay de Noc Community College Board of Trustees to protect the confidentiality, integrity, and availability of information that is accessed, managed and/or controlled by Bay College. This information includes electronically stored data, printed materials, and verbally communicated information.

This policy exists to ensure compliance with regulations including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

This policy also applies to personally owned devices used for College business.


Procedure

1057.1

Sensitive (confidential) data is defined by Bay College as:

  • Items covered by FERPA, HIPAA, and PCI DSS
  • Third party confidential information (both sent and received)
  • Personally identifiable information (PII)
  • Financial information when integrity, confidentiality, and/or availability are an issue
  • Information covered by Attorney-Client privilege
  • Information with a defined retention and disposal schedule
  • Safety/security information
  • Building technical specifications
  • Misconduct information
  • Title IX information and case details

1057.2

All employees with access to sensitive data must sign the confidentiality agreement at the time of hire.

1057.3

Access to data is to be coordinated through the IT request tracking system to establish an audit trail. The Data Owner’s explicit permission to grant access must be recorded along with the original request.

1057.4

Prior to granting access to data, the Data Owner must educate the Data User on the applicable regulations that exist to protect the specific data to which access is being granted.

1057.5

When access to sensitive and/or protected data is granted, the least access required to perform job functions based upon role and responsibility will be provisioned.

1057.6

When access to sensitive and/or protected data is granted, the least access required to perform job functions based upon role and responsibility will be provisioned.

1057.7

Encryption is to be used whenever transmitting or storing sensitive and/or protected data.

1057.8

Physical security measures must be in place to restrict access to printed materials or electronic systems that store sensitive data.

1057.9

Notify law enforcement and IT if a device containing data has been stolen or is missing.

1057.10

Privacy and security of data must be considered regardless of the medium in which it is stored. Compliance with College policies and procedures, as well as federal and state law, is expected for all data. Failure to comply may result in disciplinary actions in accordance with College policies (812 Disciplinary Actions Policy) and applicable laws.


Origin Date: 08/16/2017 Procedure Origin Date: 08/16/2017