Vernon College Cyber Security Policy
Security is a high priority in the Vernon College (VC) system. Any user who identifies a cyber security problem is required to report it immediately to the Cyber Security Officer. Employees should never share cyber security problems to any person outside of Information Technology.
The IT department has the authority to examine all Vernon College owned computers at any time to check for inappropriate use. This includes unauthorized software or programs, inappropriate websites, inappropriate use of email, storage of inappropriate material, or any other use not authorized by Vernon College. In order to maintain network security, the College reserves the right to:
a. Limit, restrict, or terminate an account holder’s usage;
b. At any time to inspect, copy, remove, or otherwise alter any data, file, or system that threatens the security of that system or the network, with or without prior notice to the user;
c. Periodically check the systems and take any other such actions necessary to protect the College’s computers, information, and networks.
Policy brief & purpose
Vernon College’s cyber security policy outlines Vernon College guidelines and provisions for preserving the security of Vernon College’s data and technology infrastructure.
The more Vernon College relies on digital technology to collect, store and manage information, the more vulnerable Vernon College will become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize Vernon College’s reputation.
For this reason, Vernon College has implemented a number of security measures. Vernon College has also prepared instructions that may help mitigate security risks. Both provisions are outlined in this policy.
Scope
This policy applies to all Vernon College employees, contractors, volunteers, board members and anyone who has permanent or temporary access to Vernon College systems and hardware.
Policy elements
Confidential data is secret and valuable. Common examples are:
• Unpublished financial information
• Data of customers/partners/vendors
• Patents, formulas, or new technologies
• Customer lists (existing and prospective)
• Student data such as demographics, grade reports, financial aid data, and course history
All employees are obliged to protect this data. In this policy, Vernon College will give employees instructions on how to avoid security breaches.
Protect personal and college devices
By using their digital devices to access college emails or accounts, employees introduce security risks to Vernon College data. Vernon College employees must keep both their personal and college-issued computer, tablet, and cell phones secure. They can do this by doing the following:
Keep hardware and software secure
• Choose and upgrade a complete antivirus software.
• Do not leave devices exposed or unattended.
• Keep all devices password protected.
• Install security updates of browsers and systems monthly or as soon as updates are
available.
• Log into college accounts and systems through secure and private networks only.
• Avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.
Keep emails safe
Emails often host scams and malicious software (e.g. worms). To avoid virus infection or data theft, Vernon College instructs employees to:
• Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing”).
• Be suspicious of clickbait titles (e.g. offering prizes, advice).
• Check email and names of senders to ensure they are legitimate.
• Look for inconsistencies or giveaways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks).
• If an employee is not sure that an email they received is safe, they can refer to the Vernon College Cyber Security Officer for instructions.
Manage passwords properly
Password leaks are dangerous since they can compromise Vernon College’s entire digital infrastructure. Passwords should be secure and secret to avoid hacking. For this reason, Vernon College employees must:
• Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays).
• Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
• Exchange credentials only when absolutely necessary. When exchanging them in-person is not possible, employees should utilize the phone instead of email, and only if they personally recognize the person they are talking to.
• Change passwords every six months.
Transfer data securely
Transferring data introduces security risks. Employees must:
• Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, Vernon College requests employees ask Run Business Solutions for help.
• Share confidential data over the college network/ system and not over public Wi-Fi or private connection.
• Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
Security breach measures
Other measures will be used in case of a suspected breach. Employees must:
• Report scams, privacy breaches and hacking attempts to the Cyber Security Officer. The Vernon College Cyber Security Officer needs to know about scams, breaches and malware to better protect Vernon College’s digital infrastructure. For this reason, Vernon College advises employees to report perceived attacks, suspicious emails, or phishing attempts as soon as possible to Vernon College specialists.
• The Vernon College Cyber Security Officer must promptly investigate, resolve the issue, and send a college-wide alert when necessary.
The Vernon College Cyber Security Officer is responsible for advising employees on how to detect scam emails. Vernon College encourages employees to reach out to the Cyber Security Officer with any questions or concerns. The Cyber Security Officer will be listed on the VC “Cyber Security” webpage.
Additional measures
To reduce the likelihood of security breaches, Vernon College employees must:
• Turn off their screens and lock their devices when leaving their desks.
• Report stolen or damaged equipment as soon as possible to Run Business Solutions.
• Change all account passwords at once when a device is stolen.
• Report a perceived threat or possible security breach of college systems.
• Refrain from downloading suspicious, unauthorized or illegal software on their college equipment.
• Avoid accessing suspicious websites.
• Vernon College employees must comply with Vernon College social media and internet usage policy.
Vernon College Cyber Security Officer/ Network Administrators will:
• Install firewalls, anti-malware software and access authentication systems.
• Arrange for security training to all employees.
• Inform employees regularly about new scam emails or viruses and ways to combat them.
• Investigate security breaches thoroughly.
• Follow the Cyber Security policies/provisions as other employees do.
• Have all physical and digital shields installed to protect information.
Remote employees
Remote employees are required to follow the Vernon College Cyber Security Policy. Since they will be accessing Vernon College’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.
Vernon College advises Remote Employees to seek advice from VC network administration specialists for assistance and initial set-up.
Disciplinary Action
Vernon College expects all VC employees to always follow this policy, and those who are responsible for security breaches may face disciplinary action:
• First-time, unintentional, small-scale security breach:
Vernon College may issue a verbal warning and train the employee on security.
• Intentional, repeated or large scale breaches (which cause severe financial or other damage):
Vernon College will invoke more severe disciplinary action up to and including termination.
Vernon College will examine each incident on a case-by-case basis.
Additionally, employees who are observed to disregard Vernon College’s security instructions will face progressive discipline, even if their behavior has not resulted in a security breach.
Take security seriously
Everyone, from Vernon College customers and partners to Vernon College employees and contractors, should trust that their data is safe. By proactively protecting Vernon College systems and databases, employees help gain and maintain this trust. All Vernon College constituents contribute to this trust equation by being vigilant and keeping cyber security as a priority.
Approved by the Vernon College Board of Trustees on May 9, 2018