ITS maintains policies with regard to the use and security of its computer systems, networks, and information resources. These policies provide us with guidelines to safely and responsibly use Pomona College technical resources.

Asset Management Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

In order for Pomona College leadership to make informed, business-driven decisions regarding computing assets, they must first know what assets exist, and the status of those assets. This information provides Pomona College visibility into license utilization, software support costs, unauthorized devices, vulnerabilities, threats, and compliance posture. IT assets include items such as servers, desktops, laptops, and network devices, as well as software, applications, programs and logical processes. Pomona College data, students, faculty, staff, devices, systems, and facilities that enable the organization to achieve educational, business, and operational purposes are identified and managed. The management of these assets is consistent with their relative importance to Pomona College educational, business, and operational objectives as well as Pomona College’s overall risk strategy.

Summary

  • All devices purchased with Pomona College funding will be inventoried.
  • The inventory is kept up to date either through manual inspection or automated tools.
  • Unauthorized hardware detected by automated mechanisms will have its network access disabled, and Information Technology Services (ITS) will be notified of its existence.
  • All software will be inventoried.
  • Automated tools will be used to detect unauthorized software, and if unauthorized software is discovered, ITS will be notified.
  • ITS will protect Pomona College assets through the use of encryption, user education, and infrastructure design.
  • Any external system connections will need to be documented by Pomona College ITS in order to ensure they are secure.

Asset Management Policy Details [pdf]

Governance Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College develops, maintains, and disseminates an information security program that includes information security policies and procedures. These policies, procedures, and processes are used to manage, monitor, and support Pomona College’s regulatory, legal, risk, environmental, and operational requirements. These requirements are understood and utilized to inform senior leadership of cybersecurity risk.

Summary

  • Pomona College develops and maintains information security policies that have been approved by senior leadership to provide guidance.
  • These policies address the security controls that protect the information systems, information, and assets.
  • Pomona College will assign security roles, coordinating with internal roles and external partners as necessary.
  • The Security Officer is responsible for bringing risk management recommendations to executive staff.
  • The executive staff approves security policies, risk tolerance, risk mitigation, and management.
  • Among the regulations requiring specific cybersecurity measures are those covering payment card data, FERPA, GLBA, FTC rules, and California security breach notification statutes.

Governance Policy Details [pdf]

Institutional Environment Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College’s objectives, stakeholders, and activities are understood and prioritized; this information is used by Pomona College to inform cybersecurity roles, responsibilities, and risk management decisions.

Summary

  • Pomona College provides services such as the Learning Management System (currently Sakai) and the Student Information System as a service to other colleges in the Claremont University Consortium.
  • Pomona College addresses security issues in support of its services.
  • Pomona College establishes alternative services as a backup for essential functions in the event that part of the infrastructure or the service becomes unavailable.
  • Knowing and understanding the critical assets of the College and those consortial services facilitates the prioritization of resources.

Institutional Environment Policy Details [pdf]

Risk Assessment Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Risk assessments take into account threats, vulnerabilities, likelihood, and impact to Pomona College assets, individuals, and other organizations based upon the use of the Pomona College system. Pomona College periodically conducts assessments of risk, which include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification and/or destruction of the Pomona College system, system components, and the information processed, stored or transmitted by the system. Risk assessment results are documented and reviewed by the Pomona College Security Official or designee. The risk assessment results are then disseminated to appropriate faculty and staff including, but not limited to, the Pomona College executive staff. Risk assessments are conducted annually by Pomona College or whenever there are significant changes to Pomona College, its system, or other conditions that may impact the security of Pomona College.

Summary

  • Physical (hardware) and software assets will be assessed for vulnerabilities, and those vulnerabilities will be documented.
  • From time to time a vulnerability scan of those assets will be conducted in order to assess vulnerabilities in either the information system or its hosted applications.
  • Pomona College uses a variety of sources to assist in determining asset vulnerabilities.
  • These sources can include, but are not limited to, US-CERT bulletins, InfraGard, the Federal Trade Commission (FTC), and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
  • When threats are identified, they will be documented as to the type of threat, a description of the threat, and the characteristics of the threat.
  • Threats will be classified according to their potential for adverse impact on the College.
  • Once a risk is identified, it will be reduced or mitigated.
  • Pomona College understands that risks exist regardless of its efforts and will address risks as they become suspected or evident.

Risk Assessment Policy Details [pdf]

Risk Management Policy

Purpose

To provide Pomona College with guidance in identifying and gaining an understanding of the components of the institution that make up its information security system and thereby enable Pomona College to manage cybersecurity risk to systems, assets, data, and capabilities.

Policy

Pomona College maintains a comprehensive strategy to manage risks to its operations, assets, faculty, staff, students, and other organizations associated with the operations and use of Pomona College’s system. Pomona College’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk management decisions. Pomona College’s risk management strategy is consistently applied across the entire institution. The risk management strategy is periodically reviewed and updated, or as required, to address changes to Pomona College.

Summary

  • Risk management is a fundamental requirement to support the mission of Pomona College.
  • Risk management responsibilities are assigned to executive staff.
  • Continued recognition of risk management is a requirement.
  • Assessing the level of risk that the organization can tolerate is necessary.
  • Risk framing is part of the management process. Framing defines the College’s approach to risk management by using the laws, policies, regulations, and contractual relationships that will inform and impact potential decisions about risk.
  • Risks will be assessed in order to identify and evaluate each risk, its likelihood of occurrence, and its breadth of impact.
  • Risk response results in determining the most appropriate course of action, including prioritization and associated cost.
  • Risk monitoring helps Pomona College monitor continuing regulatory compliance and the effectiveness of risk response, and understand changes that present risks to the Pomona College information systems.
  • Risk tolerance is the level of risk, or degree of uncertainty, that is acceptable to the College.
  • Risk management strategies are employed consistently across the entire institution.

Risk Management Policy Details [pdf]

Data Security Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College’s information, data, and records are managed in a manner consistent with Pomona College’s risk strategy to protect the confidentiality, integrity, and availability of the assets. Data security controls are submitted to Pomona College senior leadership for review and approval, and include a cost-benefit analysis to inform the executive staff in their risk strategy decisions.

Summary

  • Data security controls are submitted to Pomona College senior leadership for review and approval.
  • Data security controls will include a cost-benefit analysis to inform the executive staff in their risk strategy decisions.
  • Pomona College employs cryptographic controls in accordance with applicable Federal and State laws, regulations, and standards.
  • Components of the Pomona College system that require protection include, but are not limited to, configuration settings, intrusion detection and prevention, various logs, and password databases.
  • Pomona College protects the confidentiality and integrity of sensitive data by using cryptographic mechanisms.
  • Pomona College applies full disk encryption to all Pomona College-owned laptops, mobile devices, and desktop workstations.
  • Backups are encrypted (at rest).
  • Pomona College recommends that students enable full disk encryption on their personal devices.
  • All transportable media is also encrypted.
  • Papers containing confidential information must not be left out in public view and must be properly destroyed when no longer needed.
  • Pomona College hardware and software assets are documented, tracked, and managed through inventory management.
  • Faculty and staff status is tracked and managed by Human Resources and the Dean of the College.
  • Student documentation is managed by Admissions, the Registrar’s Office, the Dean of Students, and the Advancement Office, depending upon student status.
  • Prior to disposal, sanitization techniques are applied to media.
  • Pomona College ensures that there is adequate capacity to provide availability of its systems.
  • Pomona College employs reasonable and appropriate methods for data loss prevention.

Data Security Policy Details [pdf]

Continuous Vigilance Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate activities to identify the occurrence of an information security event.

Policy

The Pomona College system, system components, and assets are monitored at discrete intervals to identify information security events and to verify the effectiveness of protective measures.

Pomona College detection processes and procedures are maintained to provide for the identification of information security events. Detection processes are tested and revised to ensure the timely notification of anomalous events to the appropriate Pomona College responsible parties.

Summary

  • A continuous vigilance strategy has been developed that includes the establishment of monitored network metrics, ongoing security status monitoring, and analysis of data gathered through assessments.
  • Pomona College monitors the network to detect unauthorized connections or unauthorized use of the network.
  • Pomona College reviews proposed configuration-controlled changes and either approves or disapproves them with consideration for security impact.
  • The physical environment is also monitored: physical access to the facility housing the College system is monitored, alarms and surveillance equipment are monitored, and physical access logs are reviewed.
  • Personnel vigilance includes the establishment of user metrics, security control assessments, and status monitoring.
  • Pomona College employs malicious code protection mechanisms where necessary and appropriate.
  • Third parties are also monitored and assessed in accordance with the Continuous Vigilance Program.
  • Providers of external system services must comply with state and federal laws and regulations and employ reasonable security controls.

Continuous Vigilance Policy Details [pdf]

Maintenance Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College performs maintenance on the Pomona College system, system components and any assets providing security functionality to the system and its components. Proper maintenance is essential to the performance and availability of the Pomona College system.

Summary

  • Pomona College schedules, performs, documents, and reviews records of maintenance and repairs on the Pomona College system’s components in accordance with manufacturer or vendor specifications and/or organizational requirements.
  • Pomona College approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
  • Pomona College approves, controls, and monitors system maintenance tools.
  • Maintenance tools carried into the facility by maintenance personnel are inspected for improper or unauthorized modifications.
  • Pomona College checks media containing diagnostic and test programs for malicious code before the media are used in the Pomona College system.
  • Pomona College establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations and personnel.
  • Pomona College ensures that non-escorted personnel performing maintenance on the Pomona College system have the required access authorizations.
  • All remote maintenance must be approved, and it will be monitored.

Maintenance Policy Details [pdf]

Protective Technology Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College employs and manages technical security solutions to ensure the security and resilience of the Pomona College system and its components, as well as Pomona College assets and personnel.

Summary

  • Pomona College determines which events need to be audited for security purposes and reviews event logs to establish the nature of these events, with particular attention to inappropriate, unusual, or anomalous activities so that these can be reported to the Security Official or designee.
  • Pomona College protects and controls removable media and documents and restricts activities associated with its transport.
  • Pomona College configures the systems to provide only essential capabilities, prohibiting and disabling anything unnecessary.

Protective Technology Policy Details [pdf]

Security Events and Anomalies Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate activities to identify the occurrence of an information security event.

Policy

Pomona College employs controls to detect anomalous activity in a timely manner. Information regarding detected anomalous activity is gathered in order to understand the potential impact to Pomona College.

Summary

Pomona College will maintain a baseline configuration for network operations, reviewing that configuration and revising it on a regular basis or as required. Approved authorizations for control will be enforced. All outgoing network traffic must pass through at least one filtering server, with the understanding that there will be a list of allowed sites that can be accessed through this server.

Pomona College employs a “deny-all and permit only by exception” approach for connections between it and external systems. Each interconnection must be documented with clear characteristics, security requirements, and the nature of the communicated information.

Security Events and Anomalies Policy Details [pdf]

Training and Awareness Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate protective safeguards to support the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Pomona College faculty, staff, students, and appropriate third-parties are provided information security awareness education. Pomona College faculty and staff are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, legal requirements, regulations, and agreements. To accomplish this, Pomona College has implemented an information security awareness program that discusses common security shortcomings that can be strengthened through individual action. Pomona College reviews the information security awareness program annually and appropriate updates are applied based on the findings of the annual reviews. Pomona College requires faculty and staff to verify annually that they have completed their information security awareness training and are aware of their data security responsibilities and Pomona College’s information security policies.

Summary

  • Pomona College administers general security training that is used to enhance information security awareness for faculty, staff, and students.
  • Training may include the following: posters, email advisories, log-on screen messages, classroom training, or e-learning.
  • Pomona College offers role-based training to authorized users with privileged rights, to minimize administrative privileges and to limit the use of administrative accounts to when they are required.
  • Physical and information security personnel are given specific training based upon the needs of their roles.

Training and Awareness Policy Details [pdf]

Security Operations Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Security operations safeguard Pomona College information assets that reside within the Pomona College information system. These practices help identify threats and vulnerabilities and implement controls to reduce the overall risk to Pomona College assets. Pomona College exercises due care and due diligence by taking reasonable measures to protect its assets on an ongoing and continual basis.

Summary

  • Pomona College develops, documents and maintains baseline configurations for its information system and related components including standard software packages for all devices, current version numbers, patch information and so forth.
  • Pomona College requires Faculty and Staff to notify Pomona College ITS when traveling to locations that the College deems to be of significant risk and will issue specially configured devices and system components to travelers to mitigate potential risk. Data residing on mobile devices will be protected as part of this.
  • Only qualified and authorized individuals are permitted access for the purpose of changes or upgrades.
  • A “deny-all, permit by exception” policy is employed to allow only the execution of authorized software on the Pomona College system.
  • A configuration management plan and system is maintained that will track configuration items, including hardware and software, through their lifecycle.

Security Operations Policy Details [pdf]

Technology Acquisition and Disposition Policy

Purpose

To provide Pomona College with guidance to develop and implement the appropriate activities with regard to the acquisition and eventual disposition of information technology assets, Pomona College system components, and third-party services.

Policy

Pomona College exercises due diligence and due care when engaging in the acquisition of information technology assets, including but not limited to, Pomona College system components, hardware, software, and third-party services. Pomona College recognizes that information technology assets have a limited useful lifespan and will designate appropriate End-of-Life (EoL) for information technology assets.

Summary

Pomona College requires that systems acquired for use at Pomona College meet all Federal and State laws in addition to meeting security requirements. The acquisition lifecycle begins with an acceptable configuration provided by Pomona College that meets acceptable security standards and is appropriate for delivering the designated service, continues with documentation that is distributed appropriately, and ends with a responsible end of life in which the asset is disposed of in accordance with Pomona College policy and replaced.

Technology Acquisition and Disposition Policy Details [pdf]

Student Records Privacy Policy

Purpose

To provide guidance to Pomona College, Students, Parents, Faculty, and Staff on the student records protections of the Family Educational Rights and Privacy Act (FERPA). FERPA assigns rights to students and responsibilities to educational institutions regarding students’ education records. FERPA governs the maintenance and release of information from those records.

Policy

Pomona College is committed to the privacy and security of its students. Pomona College policies support the College’s compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA), sometimes called the Buckley Amendment, which establishes students’ rights and institutions’ responsibilities regarding the privacy of education records.

Summary

This policy covers various areas of responsibility and respect in the matter of student privacy, including student records privacy for students, student records privacy and parent rights for parents, and student records privacy for Faculty and Staff.

Student Records Privacy Policy Details [pdf]

Technology-Related HEOA Compliance Statement Policy

Purpose

The Higher Education Opportunity Act of 2008 (HEOA) sets forth many requirements for colleges and universities. This statement pertains to the triad of requirements designed to address illegal peer-to-peer file sharing of copyrighted works by those using campus networks.

Policy

The Claremont Colleges’ Faculty, Staff, and Students use the Claremont Colleges facilities, equipment, materials, and information resources to facilitate The Claremont Colleges’ academic mission and college operations. Individuals are urged to exercise common sense and to use The Claremont Colleges’ resources in an appropriate manner consistent with the Colleges’ respective policies and standards of conduct.

Summary

Information resources include, but are not limited to:

  • College-owned computers and associated peripheral devices
  • Classroom presentation systems
  • Voice messaging equipment
  • Data networking equipment systems, including both remote and wireless access
  • College-owned computer software
  • Electronically stored and transmitted institutional data and messages
  • Services to maintain these resources

Faculty and Staff for each college shall contact the Information Security Officer, or designee, of their respective college prior to engaging in any activity not explicitly covered by their college’s policies.

Pomona College:

  1. Informs students annually that they may be subject to criminal and civil penalties if they engage in illegal distribution of copyrighted materials, and describes the steps being taken to detect and address such activity.
  2. Certifies to the Secretary of Education that the institution has plans to effectively combat unauthorized distribution of copyrighted material.
  3. Offers alternatives to illegal file sharing.

To comply with the above requirements, Pomona College:

  1. Provides warnings online, in print, and in presentations that students who violate copyright laws may be subject to criminal and civil penalties. Instances of copyright infringement are specifically mentioned in the College’s Appropriate Use Policy.
  2. Downgrades the priority of file sharing network traffic and monitors network activity to ensure policy conformance, in order to certify to the Secretary of Education that Pomona College effectively combats illegal file sharing.
  3. Accepts and responds to DMCA notices.
  4. Provides a link on the Technology Services website to the extensive list of legal alternatives for downloading music and video files compiled by EDUCAUSE, a nonprofit association focused on information technology in higher education.

Technology-Related HEOA Compliance Statement Policy Details [pdf]

Identity Management, Authentication, and Access Control Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Pomona College assets and information.

Policy

Identity management, accounts, and access control are paramount to protecting Pomona College’s system and require the implementation of controls and oversight to restrict access appropriately. Pomona College limits access to the system, system components, and associated facilities to authorized users, processes, and devices in support of Pomona College’s mission and business functions.

Summary

A discussion of Pomona College account types, creation, disabling and eligibility.

Identity Management, Authentication, and Access Control Policy Details [pdf]

Incident Response Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate activities to take action regarding a detected information security event.

Policy

Pomona College has an Incident Response Plan (IRP) that addresses the processes and procedures to be executed and maintained to ensure a timely response to a detected information security event. Analysis of detected information security events is conducted by Pomona College to ensure an adequate response and to support recovery activities. Upon detection of an information security event, Pomona College will take the necessary actions to prevent the expansion of the event, to mitigate its effects, and to eradicate the incident. Upon mitigation of an information security event, Pomona College will incorporate lessons learned into the Incident Response Plan to improve upon it.

Summary

A description of the incident detection, analysis, and response policy of Pomona College, including the Incident Response Plan (IRP), incident response communications, and containment, eradication, and recovery mechanisms.

Incident Response Policy Details [pdf]

Recovery Policy

Purpose

To provide Pomona College with guidance in developing and implementing the appropriate activities, maintaining plans for resilience, and restoring any capabilities or services that were impaired due to an information security event impacting the confidentiality, integrity, and/or availability of the Pomona College system and/or information.

Policy

Pomona College maintains appropriate contingency plans that address the processes, procedures, and technical measures to enable quick and effective recovery following an information security event or a disruption. Pomona College periodically reviews, tests, and improves on its contingency operations. When enacting contingency operations, Pomona College’s restoration activities are coordinated with appropriate internal and external stakeholders.

Summary

A description of the plan for maintaining and supporting contingency plans in the event of a disaster or other significant interruption to business continuity.

Recovery Policy Details [pdf]