ITS maintains policies with regard to the use and security of its computer systems, networks, and information resources. These policies provide us with guidelines to safely and responsibly use Pomona College technical resources.

Asset Management Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

In order for Pomona College leadership to make informed, business-driven decisions regarding computing assets, they must first know what assets exist, and the status of those assets. This information provides Pomona College visibility into license utilization, software support costs, unauthorized devices, vulnerabilities, threats, and compliance posture. IT assets include items such as servers, desktops, laptops, and network devices, as well as software, applications, programs and logical processes. Pomona College data, students, faculty, staff, devices, systems, and facilities that enable the organization to achieve educational, business, and operational purposes are identified and managed. The management of these assets is consistent with their relative importance to Pomona College educational, business, and operational objectives as well as Pomona College’s overall risk strategy.

Summary

  • All devices purchased with Pomona College funding will be inventoried.
  • The inventory is kept up to date through manual inspection, automated tools, or both.
  • Unauthorized hardware detected by automated mechanisms will have its network access disabled, and Information Technology Services (ITS) will be notified of its existence.
  • All software will be inventoried.
  • Automated tools will be used to detect unauthorized software and if unauthorized software is discovered, ITS will be notified.
  • ITS will protect Pomona College assets through the use of encryption, user education, and infrastructure design.
  • Any external system connections will need to be documented by Pomona College ITS in order to ensure they are secure.

Asset Management Policy Details [pdf]

Governance Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College develops, maintains, and disseminates an information security program that includes information security policies and procedures. These policies, procedures, and processes are used to manage, monitor, and support Pomona College’s regulatory, legal, risk, environmental, and operational requirements. These requirements are understood and utilized to inform senior leadership of cybersecurity risk.

Summary

  • Pomona College develops and maintains information security policies that have been approved by senior leadership to provide guidance.
  • These policies address the security controls that protect the information systems, information and assets.
  • Pomona College will assign security roles, coordinating with internal roles and external partners as necessary.
  • The Security Officer is responsible for bringing risk management recommendations to executive staff.
  • The executive staff approves security policies, risk tolerance, risk mitigation and management.
  • Among the regulations and standards imposing specific cybersecurity requirements are the payment card industry standards for payment card data (PCI DSS), FERPA, GLBA, FTC rules, and the California security breach notification statutes.

Governance Policy Details [pdf]

Institutional Environment Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College’s objectives, stakeholders, and activities are understood and prioritized; this information is used by Pomona College to inform cybersecurity roles, responsibilities, and risk management decisions.

Summary

  • Pomona College provides services such as the Learning Management System (currently Sakai) and the Student Information System as a service to other colleges in the Claremont University Consortium.
  • Pomona College addresses security issues in support of its services.
  • Pomona College establishes alternative services as backups for essential functions in the event that part of the infrastructure or a service becomes unavailable.
  • Knowing and understanding the critical assets of the College and those consortial services facilitates the prioritization of resources.

Institutional Environment Policy Details [pdf]

Risk Assessment Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Risk assessments take into account threats, vulnerabilities, likelihood, and impact to Pomona College assets, individuals, and other organizations based upon the use of the Pomona College system. Pomona College periodically conducts assessments of risk, which include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification and/or destruction of the Pomona College system, system components, and the information processed, stored or transmitted by the system. Risk assessment results are documented and reviewed by the Pomona College Security Official or designee. The risk assessment results are then disseminated to appropriate faculty and staff including, but not limited to, the Pomona College executive staff. Risk assessments are conducted annually by Pomona College or whenever there are significant changes to Pomona College, its system, or other conditions that may impact the security of Pomona College.

Summary

  • Physical (hardware) and software assets will be assessed for vulnerabilities, and those vulnerabilities will be documented.
  • Vulnerability scans of those assets will be conducted periodically to assess vulnerability in either the information system or its hosted applications.
  • Pomona College uses a variety of sources to assist in determining asset vulnerabilities.
  • These sources can include, but are not limited to, US-CERT bulletins, InfraGard, the Federal Trade Commission (FTC), and the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC).
  • When threats are identified they will be documented as to type of threat, a description of the threat and the characteristics of the threat.
  • Threats will be classified in relationship to the potential for adverse impact on the College.
  • Once a risk is identified, it will be reduced or mitigated.
  • Pomona College understands that residual risk exists regardless of these efforts and will address risks as they become suspected or evident.

Risk Assessment Policy Details [pdf]

Risk Management Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College maintains a comprehensive strategy to manage risks to its operations, assets, faculty, staff, students, and other organizations associated with the operations and use of Pomona College’s system. Pomona College’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk management decisions. Pomona College’s risk management strategy is consistently applied across the entire institution. The risk management strategy is periodically reviewed and updated, or as required, to address changes to Pomona College.

Summary

  • Risk management is a fundamental requirement to support the mission of Pomona College.
  • Risk management responsibilities are assigned to executive staff.
  • Continued recognition of risk management is a requirement.
  • Assessing the level of risk that the organization can tolerate is necessary.
  • Risk framing is part of the management process. Framing defines the College’s approach to risk management by using the laws, policies, regulations, and contractual relationships that inform and constrain potential decisions about risk.
  • Risks will be assessed in order to identify and evaluate each risk, its likelihood of occurrence, and the breadth of its impact.
  • Risk response results in determining the most appropriate course of action, including prioritization and associated cost.
  • Risk monitoring helps Pomona College track continuing regulatory compliance, evaluate the effectiveness of risk responses, and understand changes that present risks to the Pomona College information systems.
  • Risk tolerance is the level of risk, or degree of uncertainty, that is acceptable to the College.
  • Risk management strategies are employed consistently across the entire institution.

Risk Management Policy Details [pdf]

Data Security Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College’s information, data, and records are managed in a manner consistent with Pomona College’s risk strategy to protect the confidentiality, integrity, and availability of the assets. Data security controls are submitted to Pomona College senior leadership for review and approval, and include a cost-benefit analysis to inform the executive staff in their risk strategy decisions.

Summary

  • Data security controls are submitted to Pomona College senior leadership for review and approval.
  • Data security controls will include a cost-benefit analysis to inform the executive staff in their risk strategy decisions.
  • Pomona College employs cryptographic controls in accordance with applicable Federal and State laws, regulations, and standards.
  • Components of the Pomona College system that require protection include, but are not limited to, configuration settings, intrusion detection and prevention systems, logs, and password databases.
  • Pomona College protects the confidentiality and integrity of sensitive data by using cryptographic mechanisms.
  • Pomona College applies full disk encryption to all Pomona College-owned laptops, mobile devices, and desktop workstations.
  • Backups are encrypted at rest.
  • Pomona College recommends that students enable full disk encryption on their personal devices.
  • All transportable media are also encrypted.
  • Papers containing confidential information must not be left out in public view and must be properly destroyed when no longer needed.
  • Pomona College hardware and software assets are documented, tracked, and managed through inventory management.
  • Faculty and staff status is tracked and managed by Human Resources and the Dean of the College.
  • Student documentation is managed by Admissions, the Registrar’s Office, the Dean of Students, and the Advancement Office, depending upon student status.
  • Prior to disposal, sanitization techniques are applied to media.
  • Pomona College ensures that there is adequate capacity to provide availability of its systems.
  • Pomona College employs reasonable and appropriate methods for data loss prevention.

Data Security Policy Details [pdf]

Continuous Vigilance Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate activities to identify the occurrence of an information security event.

Policy

The Pomona College system, system components, and assets are monitored at discrete intervals to identify information security events and to verify the effectiveness of protective measures.

Pomona College detection processes and procedures are maintained to provide for the identification of information security events. Detection processes are tested and revised to ensure the timely notification of anomalous events to the appropriate Pomona College responsible parties.

Summary

  • A continuous vigilance strategy has been developed that includes the establishment of monitored network metrics, ongoing security status monitoring, and analysis of data gathered through assessments.
  • Pomona College monitors the network to detect unauthorized connections or unauthorized use of the network.
  • Pomona College reviews proposed configuration-controlled changes and either approves or disapproves them with consideration for their security impact.
  • The physical environment is also monitored: physical access to the facility housing the College system is monitored, alarms and surveillance equipment are monitored, and physical access logs are reviewed.
  • Personnel vigilance includes the establishment of user metrics, security control assessments, and status monitoring.
  • Pomona College employs malicious code protection mechanisms where necessary and appropriate.
  • Third parties are also monitored and assessed in accordance with the Continuous Vigilance Program.
  • Providers of external system services must comply with state and federal laws and regulations and employ reasonable security controls.

Continuous Vigilance Policy Details [pdf]

Maintenance Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College performs maintenance on the Pomona College system, system components and any assets providing security functionality to the system and its components. Proper maintenance is essential to the performance and availability of the Pomona College system.

Summary

  • Pomona College schedules, performs, documents, and reviews records of maintenance and repairs on the Pomona College system’s components in accordance with manufacturer or vendor specifications and/or organizational requirements.
  • Pomona College approves and monitors all maintenance activities, whether performed on site or remotely, and whether the equipment is serviced on site or removed to another location.
  • Pomona College approves, controls, and monitors system maintenance tools.
  • Maintenance tools carried into the facility by maintenance personnel are inspected for improper or unauthorized modifications.
  • Pomona College checks media containing diagnostic and test programs for malicious code before the media are used in the Pomona College system.
  • Pomona College establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations and personnel.
  • Pomona College ensures that non-escorted personnel performing maintenance on the Pomona College system have the required access authorizations.
  • All remote maintenance must be approved, and it will be monitored.

Maintenance Policy Details [pdf]

Protective Technology Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College employs and manages technical security solutions to ensure the security and resilience of the Pomona College system and its components, as well as Pomona College assets and personnel.

Summary

  • Pomona College determines which events need to be audited for security purposes and reviews event logs to establish the nature of those events, with particular attention to inappropriate, unusual, or anomalous activities, so that these can be reported to the Security Officer or designee.
  • Pomona College protects and controls removable media and documents and restricts activities associated with its transport.
  • Pomona College configures the systems to provide only essential capabilities, prohibiting and disabling anything unnecessary.

Protective Technology Policy Details [pdf]

Security Events and Anomalies Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate activities to identify the occurrence of an information security event.

Policy

Pomona College employs controls to detect anomalous activity in a timely manner.  Information regarding detected anomalous activity is gathered in order to understand the potential impact to Pomona College.

Summary

Pomona College will maintain a baseline configuration for network operations, reviewing that configuration and revising it on a regular basis or as required. Approved authorizations for network access will be enforced. All outgoing network traffic must pass through at least one filtering server, which permits access only to sites on a maintained list of allowed sites.

Pomona College employs a “deny-all and permit only by exception” for connections between it and external systems.  Each interconnection must be documented with clear characteristics, security requirements and the nature of communicated information.
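The two requirements in the paragraph above, default deny for external connections and a documented entry for every exception, can be enforced together as policy-as-code. The following is an added illustration written for this page; it is not Pomona College tooling, and the register format, field names, hosts, and addresses (all from documentation-reserved ranges) are assumptions made for the example. The point it makes that the prose does not: an exception that lacks its owner, purpose, or data classification is rejected when the register is loaded, so the "documented" requirement cannot silently erode, and anything the register does not match is denied.

```python
"""Default-deny evaluator for external interconnections.

Added example only (not Pomona College's own tooling). The register schema,
field names, hosts and addresses below are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Every permitted interconnection must carry these fields; the policy says each
# exception is documented with its characteristics, security requirements and
# the nature of the information exchanged, so missing documentation is an error.
REQUIRED_FIELDS = ("name", "remote", "ports", "protocol", "owner", "purpose", "data")


@dataclass(frozen=True)
class Interconnection:
    name: str
    remote: ipaddress.IPv4Network | ipaddress.IPv6Network
    ports: frozenset[int]
    protocol: str
    owner: str      # who is accountable for the connection
    purpose: str    # why the exception exists
    data: str       # classification of the information that crosses it


def expand_ports(spec: str) -> list[int]:
    """Expand a port spec such as '443', '22,443' or '5000-5010' to a list."""
    out: list[int] = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def load_register(entries: list[dict]) -> list[Interconnection]:
    """Build the exception list; refuse to load an undocumented exception."""
    rules: list[Interconnection] = []
    for e in entries:
        missing = [f for f in REQUIRED_FIELDS if not e.get(f)]
        if missing:
            raise ValueError(
                f"interconnection {e.get('name', '?')!r} is missing {missing}")
        rules.append(Interconnection(
            name=e["name"],
            remote=ipaddress.ip_network(e["remote"], strict=False),
            ports=frozenset(expand_ports(e["ports"])),
            protocol=e["protocol"].lower(),
            owner=e["owner"], purpose=e["purpose"], data=e["data"],
        ))
    return rules


def evaluate(rules: list[Interconnection], dst_ip: str, dst_port: int,
             protocol: str) -> tuple[str, str | None]:
    """Return ('permit', rule_name) for a documented exception, else ('deny', None).

    There is deliberately no 'allow' fallthrough: deny is the default outcome.
    """
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.protocol == protocol.lower()
                and addr.version == r.remote.version
                and addr in r.remote
                and dst_port in r.ports):
            return "permit", r.name
    return "deny", None


# Constructed sample register (hypothetical systems; RFC 5737 test addresses).
SAMPLE_REGISTER = [
    {"name": "sis-partner-sync", "remote": "198.51.100.0/24", "ports": "443",
     "protocol": "tcp", "owner": "ITS Enterprise Systems",
     "purpose": "Student Information System feed to consortium members",
     "data": "FERPA-protected student records"},
    {"name": "offsite-backup", "remote": "203.0.113.10", "ports": "22",
     "protocol": "tcp", "owner": "ITS Infrastructure",
     "purpose": "Encrypted backup replication", "data": "Encrypted backups"},
]

# An exception nobody documented: it must be rejected at load time.
UNDOCUMENTED_REGISTER = [
    {"name": "vendor-rdp", "remote": "203.0.113.50", "ports": "3389",
     "protocol": "tcp", "owner": "", "purpose": "", "data": ""},
]


if __name__ == "__main__":
    rules = load_register(SAMPLE_REGISTER)
    for ip, port, proto in [("198.51.100.7", 443, "tcp"), ("198.51.100.7", 80, "tcp"),
                            ("203.0.113.10", 22, "udp"), ("192.0.2.1", 443, "tcp")]:
        print(ip, port, proto, "->", evaluate(rules, ip, port, proto))
    try:
        load_register(UNDOCUMENTED_REGISTER)
    except ValueError as err:
        print("rejected:", err)
```

In practice the register would be the signed source of truth from which firewall or proxy rules are generated, so the enforcement point and the documentation can never disagree; the check here is the gate that generation step should refuse to pass without.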

Security Events and Anomalies Policy Details [pdf]

Training and Awareness Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate protective safeguards to support the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College faculty, staff, students, and appropriate third-parties are provided information security awareness education. Pomona College faculty and staff are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, legal requirements, regulations, and agreements. To accomplish this, Pomona College has implemented an information security awareness program that discusses common security shortcomings that can be strengthened through individual action. Pomona College reviews the information security awareness program annually and appropriate updates are applied based on the findings of the annual reviews. Pomona College requires faculty and staff to verify annually that they have completed their information security awareness training and are aware of their data security responsibilities and Pomona College’s information security policies.

Summary

  • Pomona College administers general security training to enhance information security awareness among faculty, staff, and students.
  • Training may include posters, email advisories, log-on screen messages, classroom training, or e-learning.
  • Pomona College offers role-based training to users with privileged rights, so that administrative privileges are minimized and administrative accounts are used only when required.
  • Physical and information security personnel are given specific training based upon the needs of their roles.

Training and Awareness Policy Details [pdf]

Security Operations Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Security operations safeguard Pomona College information assets that reside within the Pomona College information system. These practices help identify threats and vulnerabilities and implement controls to reduce the overall risk to Pomona College assets. Pomona College exercises due care and due diligence by taking reasonable measures to protect its assets on an ongoing and continual basis.

Summary

  • Pomona College develops, documents, and maintains baseline configurations for its information system and related components, including standard software packages for all devices, current version numbers, patch levels, and so forth.
  • Pomona College requires faculty and staff to notify Pomona College ITS when traveling to locations that the College deems to be of significant risk, and will issue specially configured devices and system components to travelers to mitigate the potential risk. Data residing on those mobile devices is protected as part of this.
  • Only qualified and authorized individuals are permitted access for the purpose of changes or upgrades.
  • A “deny-all, permit by exception” policy is employed so that only authorized software can execute on the Pomona College system.
  • A configuration management plan and system is maintained to track configuration items, including hardware and software, through their lifecycle.

Security Operations Policy Details [pdf]