Information Security Plan

Introduction

In today's digital age, safeguarding sensitive information is paramount. Yosemite Community College District (YCCD) is committed to protecting the personal and financial information of its students and employees. This Information Security Plan outlines the measures YCCD is implementing to comply with the Gramm-Leach-Bliley Act (GLBA) and ensure the security of sensitive data.

Gramm-Leach-Bliley Act (GLBA) Overview

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, mandates that financial institutions, including higher education institutions, protect the privacy and security of customer information. The GLBA comprises three main components: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions. [1] These rules require institutions to explain their information-sharing practices, develop a comprehensive information security program, and protect against unauthorized access to sensitive data. [2]

How GLBA Relates to YCCD

As a higher education institution, YCCD collects, stores, and processes a significant amount of personally identifiable information (PII) and nonpublic personal information (NPI) related to students and employees. Compliance with the GLBA ensures that YCCD maintains the confidentiality, integrity, and availability of this sensitive information. [3]

Which GLBA Provisions Apply and Do Not Apply to YCCD

The GLBA provisions that apply to YCCD include the Safeguards Rule, which requires the implementation of an information security program, and the Financial Privacy Rule, which mandates transparency in information-sharing practices. [4] The Pretexting Provisions, which protect against social engineering attacks, also apply. However, certain financial-specific provisions may not be directly applicable to YCCD.

Security Plan

Overview

YCCD's Information Security Plan is designed to meet the requirements of the GLBA and protect sensitive information from unauthorized access, use, or disclosure. The plan includes specific measures and protocols to ensure compliance and enhance the overall security posture of the institution.

Qualified Individual

The Director of Information Security is designated as the Qualified Individual responsible for overseeing, implementing, and enforcing the information security program.

Reporting

The Director of Information Security will submit a written report to the Board of Trustees at least once each fiscal year. This report will detail the status of the information security program, identified risks, and mitigation efforts. [5]

Risk Assessment

Each department within Information Technology will conduct a written risk assessment, with assistance from Information Security, twice a year. These risks will be evaluated and compiled into a final risk assessment for the district as a whole. The final risk assessment will include:
  • How YCCD will categorize and evaluate risks it faces
  • The criteria for assessing the confidentiality, integrity, and availability of customer information in information systems
  • The adequacy of existing controls as they relate to the risks identified
  • How identified risks will be mitigated or accepted based on the risk assessment
  • How the information security program will address the risks
The risk assessment will cover risks related to:
  • Customer, student, or employee PII or NPI
  • Information systems, including software and hardware used in the storage, access, and transmission of sensitive information
  • Employee behavior and security awareness, with additional emphasis on those encountering sensitive information
  • Any in-house developed code

Monitoring and Testing

  • Information Security will run a penetration test at least annually, performed either by in-house staff or by a contracted third-party cybersecurity vendor. Additionally, comprehensive vulnerability assessments will be conducted at least twice a year and after any significant change to any system.

Policies and Procedures

  • All permanent, temporary, and contract staff will be required to undergo information security awareness training at least every fiscal year.
  • Users with access to sensitive data will undergo additional training for handling confidential information at least once every fiscal year.
  • Users with administrative access in any system will complete specialized cybersecurity training at least once every fiscal year.
  • Information security/cybersecurity training will be required before access to related systems/functions is granted.

Service Providers and Contracts

  • All vendors with any level of access to YCCD systems will undergo a risk assessment to determine their risk level before formal selection.
  • Vendors will undergo reevaluation annually to monitor changes in their risk level.
  • YCCD will ensure that contracts with covered vendors include provisions sufficiently covering data security.

Evaluation and Revision of the Information Security Program

  • The information security program will undergo review and adjustment at least once every fiscal year based on information gathered during risk assessments, emerging threats, or industry best practices.

By adhering to these guidelines, YCCD demonstrates its commitment to protecting sensitive information and maintaining compliance with the Gramm-Leach-Bliley Act.