Status: Final Draft
Last Revision Date: March 27, 2025
1. Reporting Violations
- Non-Security Violations: Report violations such as inappropriate content, Human Resource policy breaches, general college policy infractions, or regulatory compliance issues to a supervisor and/or Human Resources (HR).
- Security and Technical Policy Violations: Report violations related to information security and general technical policies to the ITS Service Desk by calling 503-594-3500, submitting a service desk ticket, or contacting the Chief Information Officer (CIO).
2. Protection of Sensitive Information
Clackamas Community College (CCC) manages a large volume of sensitive information daily, including student and patient data regulated under federal law. Safeguarding this information is a top priority to ensure compliance with legal and industry standards.
3. Compliance with Federal and Industry Standards
- HIPAA & HITECH Compliance: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted under the American Recovery and Reinvestment Act of 2009, require stringent safeguards to protect Protected Health Information (PHI). As a covered entity, CCC must comply with these regulations.
- GLBA Compliance: The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), mandates similar protections for financial information. Higher education institutions handling student information for financial aid processing must implement these safeguards.
- FERPA & DOE Guidelines: The Department of Education (DOE) has issued guidance through "Dear Colleague" letters, reinforcing that all higher education institutions accepting financial aid funding must safeguard student Personally Identifiable Information (PII) under GLBA, the Family Educational Rights and Privacy Act (FERPA), and other applicable state and federal privacy regulations.
- PCI-DSS Compliance: To process credit card transactions, CCC must comply with the Payment Card Industry Data Security Standards (PCI-DSS) and undergo regular audits to maintain compliance.
For a comprehensive list of governing standards and frameworks CCC adheres to, refer to ITS Security Policy 001 – Cybersecurity Governance and Standards.
4. Enforcement and Accountability
All employees, contractors, and affiliates of CCC are required to adhere to these security policies. Non-compliance may result in disciplinary action, including but not limited to termination, as well as potential legal consequences under federal and state laws.
For further guidance or clarification, contact the ITS Service Desk or the CIO.