ITS maintains policies with regard to the use and security of its computer systems, networks, and information resources. These policies provide us with guidelines to safely and responsibly use Pomona College technical resources.

Asset Management Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

In order for Pomona College leadership to make informed, business-driven decisions regarding computing assets, they must first know what assets exist, and the status of those assets. This information provides Pomona College visibility into license utilization, software support costs, unauthorized devices, vulnerabilities, threats, and compliance posture. IT assets include items such as servers, desktops, laptops, and network devices, as well as software, applications, programs and logical processes. Pomona College data, students, faculty, staff, devices, systems, and facilities that enable the organization to achieve educational, business, and operational purposes are identified and managed. The management of these assets is consistent with their relative importance to Pomona College educational, business, and operational objectives as well as Pomona College’s overall risk strategy.

Summary

  • All devices purchased with Pomona College funding will be inventoried.
  • The inventory is kept up to date either through manual inspection or automated tools.
  • Unauthorized hardware detected by automated mechanisms will have its network access disabled and Information Technology Services (ITS) will be notified of its existence.
  • All software will be inventoried.
  • Automated tools will be used to detect unauthorized software and if unauthorized software is discovered, ITS will be notified.
  • ITS will protect Pomona College assets through encryption, user education and infrastructure design.
  • Any external system connections will need to be documented by Pomona College ITS in order to ensure they are secure.

Policy Details [pdf]

Governance Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College develops and maintains an information security program which includes both policies and procedures. These policies and procedures are used to manage, monitor and support Pomona College’s regulatory, legal, risk, environmental and operational requirements. These requirements are understood and utilized to inform senior leadership of cybersecurity risk.

Summary

  • Pomona College develops and maintains information security policies that have been approved by senior leadership to provide guidance.
  • These policies address the security controls that protect the information systems, information and assets.
  • Pomona College will assign security roles, coordinating with internal roles and external partners as necessary.
  • The Security Officer is responsible for bringing risk management recommendations to executive staff.
  • The executive staff approves security policies, risk tolerance, risk mitigation and management.
  • Regulations requiring specific cybersecurity controls include those covering payment card data, FERPA, GLBA, FTC rules and California security breach notification statutes.

Policy Details [pdf]

Institutional Environment Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

In an effort to inform cybersecurity roles, responsibilities and risk management decisions, it is important to understand and prioritize the objectives, stakeholders and activities of Pomona College.

Summary

  • Pomona College provides services such as the Learning Management System (currently Sakai) and the Student Information System as a service to other colleges in the Claremont University Consortium.
  • Pomona College addresses security issues in support of its services.
  • Pomona College establishes alternative services as a backup for essential functions in the event that part of the infrastructure or the service becomes unavailable.
  • Knowing and understanding the critical assets of the College and those consortial services facilitates the prioritization of resources.

Policy Details [pdf]

Risk Assessment Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Risk assessments take into account threats, vulnerabilities, likelihood, and impact to Pomona College assets, individuals, and other organizations based upon the use of the Pomona College information system. Pomona College periodically conducts assessments of risk, which include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification and/or destruction of the Pomona College information system, information system components, and the information processed, stored or transmitted by the information system. Risk assessment results are documented and reviewed by the Pomona College Security Official or designee. The risk assessment results are then disseminated to appropriate faculty and staff including, but not limited to, the Pomona College executive staff. Risk assessments are conducted annually by Pomona College or whenever there are significant changes to Pomona College, its information system, or other conditions that may impact the security of Pomona College.

Summary

  • Physical (hardware) and software assets will be assessed as to vulnerability and those vulnerabilities will be documented.
  • From time to time a vulnerability scan on those assets will be conducted in order to assess vulnerability in either the information system or its hosted applications.
  • Pomona College uses a variety of sources in order to assist in determining asset vulnerabilities.
  • These sources can include, but are not limited to, US-CERT bulletins, InfraGard, the Federal Trade Commission (FTC) and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
  • When threats are identified they will be documented as to type of threat, a description of the threat and the characteristics of the threat.
  • Threats will be classified in relationship to the potential for adverse impact on the College.
  • Once a risk is identified, it will be reduced or mitigated.
  • Pomona College understands that risks exist regardless of efforts and will address risks as they become suspected or evident.

Policy Details [pdf]

Risk Management Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College maintains a comprehensive strategy to manage risks to its operations, assets, faculty, staff, students, and other organizations associated with the operations and use of Pomona College’s information systems. Pomona College’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk management decisions. Pomona College’s risk management strategy is consistently applied across the entire institution. The risk management strategy is reviewed and updated periodically, or as required, to address changes to Pomona College.

Summary

  • Risk management is a fundamental requirement to support the mission of Pomona College.
  • Risk management responsibilities are assigned to executive staff.
  • Continued recognition of risk management is a requirement.
  • Assessing the level of risk that the organization can tolerate is necessary.
  • Risk framing is part of the management process. Framing defines the College’s approach to risk management by using the laws, policies, regulations and contractual relationships that inform and impact potential decisions about risk.
  • Risks will be assessed in order to identify and evaluate the risk and its likelihood of occurrence and its breadth of impact.
  • Risk response results in determining the most appropriate course of action, including prioritization and associated cost.
  • Risk monitoring helps Pomona College track continuing regulatory compliance and the effectiveness of risk responses, and understand changes that present risks to the Pomona College information systems.
  • Risk tolerance is the level of risk or its degree of uncertainty that is acceptable to the College.
  • Risk management strategies are employed consistently across the entire institution.

Policy Details [pdf]