ITS Security Policy 005 - Security Policy Definitions

Summary

This policy defines key security policies and terminology governing the acceptable use, management, and protection of technological resources at Clackamas Community College (CCC). It ensures compliance with legal, regulatory, and institutional requirements while supporting a secure and efficient technology environment.

Body

Status: Final
Last Revision Date: May 21, 2025


Statement of Purpose

The purpose of this document is to define key terms and policies governing the acceptable use, security, and management of technological resources at Clackamas Community College (CCC). This document provides clarity on responsibilities, security measures, and access controls to ensure compliance with legal, regulatory, and institutional requirements. These definitions and policies support CCC’s mission by fostering a secure and efficient technology environment for students, faculty, staff, and affiliates.

Definitions

A

  • Acceptable Use Policy (AUP): A collection of user-facing policies outlining the proper and compliant use of technological resources in accordance with law, regulations, and CCC governance.

  • Access Control: The selective restriction of access to a place or computing resource for security purposes. Mechanisms include physical locks, authentication credentials, and authorization levels.

  • Access Control List (ACL): A set of rules on a network device, such as a router or firewall, that determines access permissions to network resources.

  • Affiliate: Any person or entity sponsored by a CCC manager to receive controlled temporary access to CCC services, often as part of a contractual relationship.

  • Anti-Malware Software: Software designed to detect, prevent, and remove malicious software, including viruses, spyware, and ransomware.

  • Application: Software designed to perform a specific function, such as Microsoft Word for document processing or Moodle for online learning.

  • Authentication: The process of verifying a user’s identity, typically through credentials such as a username and password.

  • Authorization: The process of granting or denying access to a specific resource or system function based on user roles and permissions.

  • Availability: The assurance that authorized users can access information and technology resources as needed.


B

  • Backup: The process of copying and storing data to prevent loss in case of system failure or data corruption.

  • Bandwidth: The capacity of a network to transmit data, measured in bits per second (bps).

  • Biometric Authentication: Security methods that use unique physical characteristics, such as fingerprints or facial recognition, to verify identity.


C

  • Cloud Computing: The delivery of computing services (e.g., servers, storage, databases, networking, software) over the internet.

  • Controlled Sensitive Data: Information protected by federal, state, or local regulations (e.g., FERPA, HIPAA, PCI DSS) or information governed by CCC policy that requires additional security controls. This includes personally identifiable information (PII) and protected health information (PHI) as defined by 2025 standards.


D

  • Data Breach: An incident in which sensitive or confidential data is accessed, disclosed, or stolen by unauthorized individuals.

  • Data: All information created for, by, or on behalf of CCC users in support of the institution’s mission. This includes public, private, confidential, controlled, or otherwise defined information, as well as copies, backups, metadata, and configurations. Regardless of format or location, all institutional data is subject to CCC policy.


E

  • E-commerce Environment: Any electronic system or application used to process, transmit, or store payment card data as covered by PCI DSS requirements effective March 31, 2025.

  • Encryption: The process of converting data into an unreadable format to protect it from unauthorized access.

  • Electronic Information Resources (EIR): All devices, systems, applications, and data managed or owned by Clackamas Community College.


F

  • Faculty: Paid or unpaid staff providing instructional services to CCC students, staff, or the public. This includes full-time and associate faculty, volunteer instructors, and partner organizations delivering community education. Guest lecturers and visiting instructors are excluded unless given formal access credentials.

  • Firewall: A security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules.


G

  • Guest: Individuals or entities without a formal CCC relationship, who access CCC electronic resources by staff invitation (e.g., visiting faculty using lecture podiums or projectors).


M

  • Multi-Factor Authentication (MFA): An authentication method that requires the user to provide two or more verification factors to gain access to a resource, typically something you know (password), something you have (security token), or something you are (biometric verification).


N

  • Network: A system of interconnected devices that communicate with each other, including wired and wireless connections.


P

  • Public: Individuals and entities not explicitly defined as users, including those accessing publicly available CCC resources such as websites or social media.


R

  • Risk: The potential for loss, damage, or unauthorized access to technological resources and data.


S

  • Security Incident: Any event that violates CCC's security policies, or threatens the confidentiality, integrity, or availability of CCC's information or systems.

  • Security Patch: Software updates designed to fix security vulnerabilities and protect systems from cyber threats.

  • Staff: Individuals providing services for CCC, paid or unpaid. Includes full-time and part-time classified employees, faculty, volunteers, federal work-study, CWE students, interns, tutors, temp employees, and partner organizations with CCC tech access.

  • Student: Individuals receiving instructional services from CCC. Unless otherwise specified, the term “Student” includes all types of learners.

  • Systems: Technological platforms used to store, process, move, or access data. May be physical, virtual, owned by CCC, or operated by third-party vendors. CCC remains responsible for data security regardless of system ownership.


T

  • Technological Resources: Any computing, networking, storage, communication, or other digital/electronic equipment, software, or data owned, leased, or contracted by CCC. This includes cloud services procured by the college.

  • Third-Party Service Provider: External entities providing services on behalf of CCC. This includes vendors requiring elevated access. In some cases, they may be classified as Guests or Public users based on access type.


U

  • User: A general term that includes all types of individuals who interact with CCC technology resources. This encompasses Staff, Faculty, Students, Guests, Third-Party Service Providers, Visitors, and the Public. Specific user types are defined above for clarity and scope distinction.


V

  • Virtual Private Network (VPN): A secure connection between a user's device and a private network, often used for secure remote access.

  • Visitor: A subset of the Public with physical access to CCC facilities and tech resources. Distinguished from Guests, who are invited with specific access privileges.

  • Virus: A type of malicious software that replicates itself by infecting files or programs on a computer system.


Maintenance and Review

This document is maintained by the Chief Information Officer and is subject to periodic review and updates to align with evolving security practices and regulatory requirements.

Responsible Executive

Chief Information Officer

Details

Article ID: 153182
Created: Wed 7/26/23 6:02 PM
Modified: Wed 6/18/25 5:15 PM