Body
Security Policy Goals [Link]
Statement of purpose
Scope statement
The fulfillment of CCC's missions often require that public individuals and entities are granted physical access to technological resources owned and operated by CCC which introduces additional security risk. The following policy statements ensure that physical access to technological resources is managed and that the associated risks are reduced to a level tolerable to the Leadership Cabinet.
Definitions:
Public spaces: Areas of the campus open to students and the general public. These spaces include external spaces, building lobbies, open computer labs, meeting/conference rooms, auditoriums, etc.
Classroom spaces: Areas of the campus designated for instructional purposes. Classroom spaces are open to all members of the public, but differ from public spaces in that a classroom space is monitored by an instructor while in use and is unavailable to the public when classes are not in session.
Private spaces: Rooms and spaces within buildings that are designated as workspaces for CCC’s employees where any employee is allowed access, but the general public is restricted from freely entering. Examples of private spaces include single occupant offices, shared offices, work rooms, and employee break rooms.
Restricted spaces: Areas of the campus where access is restricted to individuals that require access in order to complete assigned work responsibilities. Examples of restricted spaces include locations housing network equipment (aka network closet, IDF, MDF), server rooms, and data centers.
Technological resource: A physical technology or medium that provides display, computational, network access, data transmission, and/or signaling capabilities. Examples of physical technological resources include, but are not limited to: televisions, personal computers, digital signage, wireless access points, network cabling and jacks, servers, mobile computers, IoT devices, firewalls, routers, switches, and hubs.
External locations: 3rd party hosted spaces that are leased or provided to CCC.
Physical Security Steward: An individual or group of individuals that are responsible for the day-to-day monitoring of physical equipment access and utilization. The Physical Steward is not required to be tech savvy but should be able to recognize and report abnormal use and operation and adhere to documented security controls.
Policy summary
Security controls shall be implemented for all technological resources in a manner appropriate to their intended purpose, level of exposure to physical access, and assessed risk.
Policy
Physical access controls for technological resources shall be compliant with applicable law and regulation.
Technology resources designed for portability and/or mobile use shall adhere to both the applicable provisions of the CCC mobile device policy [SW1] and the applicable provisions of this policy at all times that the technology resource is located on any premises owned, operated, or managed by CCC. The physically installed location of the mobile device shall be classified based upon the primary use location of the technology resource.
- Examples:
- Laptops in a mobile cart that are utilized for instruction would be classified based upon their use in a classroom space even if they are stored in a private or restricted space when not in use
- A laptop assigned to an individual employee would be classified based upon the intended use in a private space even if the employee occasionally accesses the device from public spaces.
The following provisions group security controls based upon the risk exposure due to the physical location of the technological resource and the technological resource’s intended use.
Technological resources installed in public spaces and intended for public access:
- Examples include kiosk computers, computers installed in open computer labs, public/guest wireless networks, guest printers, and payment card terminals
- Shall be permitted only the extent necessary to support college missions
- Shall not be used to store or process sensitive data that is owned and managed by CCC
- Where public use kiosk computers are available for students and/or potential students to access personal data (such as completing the application for FAFSA) controls shall be documented and implemented to ensure that the confidentiality, integrity, and privacy of this data is protected.
- Shall have an appointed steward which shall be responsible for:
- Monitoring usage of systems
- Reporting any loss, damage, intrusion, suspected security incidents, malicious or abnormal activity and/or behavior
- Reporting missing, ineffective, or improperly applied security controls
- Shall have a documented security control plan in place that:
- Identifies the responsible physical security steward
- States the purpose of the device(s) and the justification for installing the technology in a public area
- Identifies the physical, detective, preventive, and administrative security controls that will be implemented.
- Shall have a security procedure approved by CCC’s security team that identifies:
- controls to address known risks
- who is responsible for the implementation of the stated controls
- the frequency of control verification and the verification process
- a list of potential indicators of compromise or security violation
- the requirements for reporting and escalating security incidents
- Communication traffic shall be logically segregated from other internal communications
- Communications shall be monitored for indicators of malicious activity
- The generic and/or reusable accounts used to grant public access to these systems shall be configured for minimal rights and shall be restricted to authenticating only on the systems where the public access is needed.
- Applications white listing shall be implemented where possible
Technological resources installed in public spaces and NOT intended for public access:
- Examples include but are not limited to wireless access points, network ports, and digital signage
- Each class of technology resource shall have a documented list of approved controls that restrict or limit the ability of the public to physically interact with the device
- Each class of technology resource shall have a listed physical security steward whom is responsible for the implementation and verification of security controls
- Communication traffic shall be logically segregated from other internal traffic where possible and when not possible, it shall be encrypted using an industry standard encryption algorithm
- Equipment capable of configuration from a logical interface shall be secured using strong authentication mechanisms including Multi-Factor Authentication (MFA) where possible.
- Technology not supporting strong authentication methods shall not be connected to secure CCC networks
Technological resources installed in classroom spaces
- Examples include computers installed in classroom computer labs, projectors, and podium computers (instructor systems)
- Where the technology resource permits authentication using a shared/generic credential the technology resource shall be required to adhere to the requirements listed for technological equipment installed in public spaces and intended for public access
- Where authorized access to the technology resource can be achieved only using an individual account the following requirements shall be met:
- A physical security steward shall be appointed that shall be responsible for the following:
- Reporting any loss, damage, intrusion, suspected security incidents, malicious or abnormal activity and/or behavior
- Reporting missing, ineffective, or improperly applied security controls
- Controls shall be implemented that ensure that sensitive data cannot be permanently stored on these technological resources
- Account permissions shall be minimized to those needed to perform required CCC approved instructional activities
- Communication traffic shall be logically segregated from other internal traffic where possible and when not possible, it shall be encrypted using an industry standard encryption algorithm
- Network access provided for devices brought by guests/presenters that are not affiliated with CCC shall be segregated from CCC secure networks
- Equipment capable of configuration from a logical interface shall be secured using strong authentication mechanisms including Multi-Factor Authentication (MFA) where possible.
- Technology not supporting strong authentication methods shall not be connected to secure CCC networks
- Classrooms shall be considered a public space in regards to technology resources physically installed but not intended for public access and all provisions shall apply.
Technological Resources installed in private spaces
- Examples include CCC provided personal computers for employee use, staff printers and multi-function devices, and network jacks
- Physical access to technological resources installed in private spaces shall be granted only to the individual assigned to the technological resource, individuals assigned to work in the physical location, and to those individuals requiring physical access because they have duties to repair and maintain the technological resource.
- Controls shall be in place to ensure that the technological resources installed in private spaces cannot be readily accessed by the general public.
- Controls shall be in place to ensure that the technological resources installed in private spaces are physically secure when not in use.
- Account timeouts shall be implemented where possible to ensure that technologies are not accessible indefinitely without requiring reauthentication.
- If guest or visitor has physical access to a technological resource by permitted access to the physical location then the activities of the guest or visitor shall be monitored at all times, and in no case shall the guest of visitor be permitted unattended physical access.
Technological Resources installed in restricted spaces
- Examples include data centers, server rooms, and wiring closet
- CCC shall endeavor to create dedicated purpose restricted spaces in new construction or remodeling of existing spaces
- For each restricted space containing technological resources CCC shall:
- Identify and classify all technological resources installed in each location
- Identify the individuals authorized to access the physical location
- Identify any potential access to unauthorized individuals
- Create an access control plan and appropriate security controls approved by CCC’s security team
- Routinely audit and monitor the effectiveness of the controls
- Maintain documentation of each of the preceding items
- Restricted spaces should be clearly marked.
Exemptions
External locations will be exempted when provider implements security standards equivalent to or exceeding those specified in this policy.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).
Policy violation [Link]
Complaint procedures [Link]
Governing standards, policies, and guidelines [Link]
Definitions [Link]
Responsible executive
Chief Information Officer
Last revision date
6-29-2022 srw (Final Draft Security Team)
[SW1]Needs Link or at least a reference to how to find it. (CCC 211 Personal Mobile Computing)