1 – PURPOSE
Northland Pioneer College (NPC) Risk Assessment focuses on the confidentiality, integrity, and availability of data, both in electronic and physical forms. This procedure outlines formal and informal risk assessments, facilitates internal and external audits, coordinates departmental information management and protection efforts, and supports delivery of security and phishing awareness training and related efforts. This document provides an overview of NPC’s Risk Assessment efforts to protect sensitive information, identify roles and responsibilities, and provide contact information for reporting purposes.
2 – SCOPE
This procedure applies to all NPC employees, contractors, and volunteers, and to all College-owned data, including data subject to State or Federal regulations that involve data privacy. Risk assessment of the College's software and electronic data is the responsibility of the College's Technology Advancement and Support (TAS) division.
NPC participates in financial activities related to students, including making, acquiring, brokering, or awarding Federal Financial Aid and engaging collection agency services, either directly or through contracted third parties. As a result, NPC is required to comply with the Gramm-Leach-Bliley Act (GLBA). NPC satisfies the privacy provisions of the GLBA through its compliance with the Family Educational Rights and Privacy Act (FERPA). However, the GLBA Safeguards Rule holds institutions to additional requirements for the administrative, technical, and physical safeguarding of customer information, in both electronic and physical form.
The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g and 34 C.F.R. Part 99, is a comprehensive federal law governing education records.
Arizona's Data-Breach Notification Law, A.R.S. §§ 18-551 and 18-552, requires that Arizona residents be notified of data breaches involving their personal information.
3 – PROCEDURE
NPC’s Risk Assessment focuses on the confidentiality, integrity, and availability of data. This procedure outlines formal and informal risk assessments, facilitates internal and external audits, coordinates departmental information management and protection efforts, and supports delivery of security and phishing awareness training and related efforts.
Ownership / Coordination
NPC's Risk Assessment is managed by the Information Security group (ISG), composed of the Chief Information Officer, the Chief Human Resources Officer, and the Vice President of Learning and Student Services, or their designated representatives, along with other members selected on an ad-hoc basis.
Employee Training and Responsibilities
Employees are required to complete information security awareness training annually. NPC currently uses SAFE Colleges (https://www.safecolleges.com/) for that training. Consistent with this training, it is the responsibility of employees to be aware of and promptly report any known or suspected Information Security Incident. Reports should be made to their direct supervisor and, in the case of technology-related incidents, to the ISG at (928) 532-6769 or infosec@NPC.edu.
Information Management – Physical and Electronic
It is the responsibility of each employee and department that creates or handles sensitive or regulated data to properly protect that data, regardless of its form. The ISG, in concert with other departments, works to ensure the confidentiality, integrity, and availability of physical and electronic data in order to make sure it is available only to those with a legitimate business purpose. Employees are encouraged to securely destroy or delete data no longer necessary for business purposes, subject to state-mandated records retention policies and procedures.
Third Party Access to Data, Selection of Service Providers
NPC routinely works with third parties to deliver products and services to its customers. Some of these third parties create, share, store, or receive access to sensitive or regulated data directly from, or on behalf of, NPC. Handling of sensitive and/or regulated data by third parties is addressed in NPC's purchasing terms and conditions, specifically in the "Data Security Addendum". Third parties are required to promptly inform NPC of any breach of their systems involving NPC data, and are not permitted to share, transfer, or sell that data, or works derived from it, to others without NPC's explicit written permission.
Incident Handling / Incident Response
When incidents occur, the ISG will coordinate with various college departments related to incident handling and response. Employees, contractors, or volunteers who suspect they have observed an Information Security Incident should contact NPC’s ISG at – (928) 532-6769 or infosec@NPC.edu promptly to report all relevant details related to the incident. For incident handling, please refer to Procedure 2214: Incident Response for general directions, Incident Checklist, and Incident Response Reporting forms.
4 – RISK ASSESSMENT
Formal risk assessments are conducted annually, and informal (ad-hoc) assessments throughout the year, to address reasonably foreseeable risks to security or privacy identified through internal efforts, by affiliated third parties, and by local, state, and national information sharing groups. Risk assessment focus areas include employee information security awareness, sensitive data management, system and service availability, border and internal technical protections, incident response, and vendor management.
Identification of Risk
Identifying risks and threats is a continuous effort. The ISG may use a variety of methods to identify threats to data and systems, but in general will perform the following in conjunction with department representatives:
- Review of physical storage, and of employee access to file rooms and office filing cabinets.
- External vulnerability scans from the Trust Risk Assessment (trust.org), performed annually from a network security perspective.
- Internal system and equipment scans performed by TAS. Vulnerability scanning will occur periodically, on an ad-hoc basis, against all production and non-production servers, storage systems, support systems, network equipment, and any other technology deemed appropriate.
Each scan's results will be reviewed shortly after the scan for identified risks and compared with past scans for trending. The ISG will meet to discuss and assess identified risks, determine mitigations, and document those efforts. A follow-up scan of each affected system will be performed once mitigation efforts are completed, to confirm that the finding no longer appears.
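The review loop described above (scan, compare with the previous scan for trending, re-scan after mitigation) can be reduced to a small diff over the scanner's exports. The following is an added example written for this page, not NPC's or TAS's own tooling; it assumes the scanner can export one finding per line as CSV with the columns host, plugin_id, port, severity and title, and the host names, plugin IDs and findings in the sample exports are constructed for illustration.

```python
"""Trend two vulnerability-scan exports and confirm a mitigation with a follow-up scan.

Added example, not NPC's own tooling. Assumes a CSV export with the columns
host,plugin_id,port,severity,title; all sample data below is constructed.
"""
import csv
import io
from dataclasses import dataclass

# Order used when presenting findings to the ISG: worst first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # the scanner's check identifier (format assumed)
    port: int
    severity: str    # critical | high | medium | low
    title: str

    @property
    def key(self):
        # The same check firing on the same host and port is the same finding
        # across scans, even if the scanner reworded its title in between.
        return (self.host, self.plugin_id, self.port)


def parse_scan(csv_text):
    """Parse one scan export into a dict keyed by (host, plugin_id, port)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        f = Finding(row["host"], row["plugin_id"], int(row["port"]),
                    row["severity"].strip().lower(), row["title"])
        findings[f.key] = f
    return findings


def compare_scans(previous, current):
    """Split findings into new, persistent and resolved, each sorted worst-first."""
    prev_keys, curr_keys = set(previous), set(current)

    def worst_first(key):
        finding = current.get(key) or previous[key]
        return (SEVERITY_RANK[finding.severity], key)

    return {
        "new": sorted(curr_keys - prev_keys, key=worst_first),
        "persistent": sorted(curr_keys & prev_keys, key=worst_first),
        "resolved": sorted(prev_keys - curr_keys, key=worst_first),
    }


def still_open(followup, mitigated_keys):
    """Findings recorded as mitigated that the follow-up scan still reports."""
    return [k for k in mitigated_keys if k in followup]


# Constructed sample exports: last quarter's scan, this quarter's scan, and a
# follow-up run after the ISG recorded two findings as mitigated.
PREVIOUS_SCAN = """
host,plugin_id,port,severity,title
srv-web-01,10001,443,high,TLS 1.0 enabled
srv-web-01,10002,22,medium,SSH weak MAC algorithms
srv-db-01,10003,1433,critical,Unsupported database version
srv-file-01,10004,445,high,SMBv1 enabled
"""

CURRENT_SCAN = """
host,plugin_id,port,severity,title
srv-web-01,10002,22,medium,SSH weak MAC algorithms
srv-db-01,10003,1433,critical,Unsupported database version
srv-file-01,10004,445,high,SMBv1 enabled
srv-db-01,10005,1433,high,Database listening on all interfaces
srv-web-02,10001,443,high,TLS 1.0 enabled
"""

FOLLOWUP_SCAN = """
host,plugin_id,port,severity,title
srv-web-01,10002,22,medium,SSH weak MAC algorithms
srv-file-01,10004,445,high,SMBv1 enabled
srv-db-01,10005,1433,high,Database listening on all interfaces
srv-web-02,10001,443,high,TLS 1.0 enabled
"""

# Keys the ISG recorded as mitigated between CURRENT_SCAN and FOLLOWUP_SCAN.
MITIGATED = [("srv-db-01", "10003", 1433), ("srv-file-01", "10004", 445)]

if __name__ == "__main__":
    delta = compare_scans(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN))
    for bucket, keys in delta.items():
        print(f"{bucket}: {len(keys)}")
        for host, plugin_id, port in keys:
            print(f"  {host}:{port} check {plugin_id}")
    # The SMBv1 finding reappears: the mitigation was not effective.
    print("still open after mitigation:", still_open(parse_scan(FOLLOWUP_SCAN), MITIGATED))
```

Keying on host, check and port rather than on the title is what makes trending survive scanner upgrades; the "persistent" bucket is the list the ISG should be asking "why is this still here" about, and the follow-up check turns "mitigation completed" from a ticket status into a verified fact.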
Monitoring and Reporting
It is the responsibility of each employee and department that creates or handles sensitive or regulated data to properly protect that data, regardless of its form. Employees should monitor their data and immediately report any suspected incidents to their direct supervisor and, in the case of technology-related incidents, to the Support Center for direction.
TAS employs various monitoring and reporting methods to alert the ISG to possible threats and exposures in real time. Multi-State Information Sharing and Analysis Center (MS-ISAC) reports and vendor alerts keep the ISG aware of emerging and known threats and their fixes. MS-ISAC monitoring provides alerts when vulnerabilities exposed to the Internet are identified, and its breach monitoring can provide notice of exposure of NPC email addresses and domain information.
Any real-time alerts and information, pertinent to NPC’s data and systems, are discussed and documented with the ISG accordingly for assessment of the risk and criticality of the fix. Based on the assessment, changes in internal business practices and/or technology fixes are scheduled, or other mitigation efforts are identified and executed.
Data security incidents are reviewed and investigated for impact and exposure of NPC’s data and systems by the ISG and the CIO, with assistance from respective department heads as appropriate. Mitigations can include notification of exposure of personal (non-NPC protected) information to NPC employees, required individual NPC password resets, and education of individuals possibly using NPC email addresses inappropriately.
Any other information obtained through other channels, such as media reports or colleagues and peers, that could identify possible risks to or exposure of NPC data and systems will be evaluated for potential risk as it is received, and acted upon accordingly.
All NPC Employees, in the course of their duties and tasks, will be alert for and report any discovered risks or threats. Potential risks or threats will be brought to the ISG upon discovery for assessment and mitigation, if appropriate.
Risk and threat identification and assessment are ongoing efforts, and the ISG will remain flexible and adaptive. The mix of physical inspections, IT scans, monitoring, alerting, and other efforts that NPC employs may vary at times, based on the availability of tools and services, and applicability to NPC systems and data.
Acceptance of Risk
In the identification and assessment of some risks, it may be appropriate to accept the risk. This may occur when the ISG judges that the risk does not apply to the current operating environment, that the realistic threat does not outweigh the impact of remediation on system stability, or for other applicable reasons. The Executive Team may also choose to accept certain risks where appropriate.
Reporting and Visibility
The results of the annual Trust Risk Assessment, and the annual internal vulnerability scans, will be organized and documented, along with proposed or executed mitigation efforts, and shared with the NPC Executive Team for visibility and input. Other critical risks and threats identified may be shared with or reported to the Executive Team, as appropriate to the risk and exposure. Information on ongoing scans, alerts and monitoring, and mitigation efforts will be made available as requested.
Continuous Evaluation
Elements of this Risk Assessment Procedure are reviewed annually for effectiveness and relevance to the institution, and to the threats targeting the institution and its customers.