Information Security Plan
The purpose of Long Beach Community College District’s Information Security Plan is to describe the development, implementation, and management of applicable administrative, physical, and technical controls to protect the institution’s data and information systems.
The Instructional & Informational Technology Services (IITS) Information Security Plan contains the following goals:
- Protect the Confidentiality, Integrity, and Availability of data and information systems.
- Comply with applicable federal, state, and local laws and regulations.
- Align and support the institution’s goals and objectives.
To meet the goals defined above, the following five objectives have been established.
- Adopt the NIST Cyber Security Framework (CSF).
- Implement the CIS Critical Security Controls (CSC).
- Adopt or incorporate the Information Security Standards developed or promoted by the California Community College (CCC) Security Center.
- Utilize tools and services offered by the CCC Security Center.
- Implement various industry-recognized cybersecurity tools and services.
1. Adopt the NIST Cyber Security Framework (CSF)
The NIST CSF consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The framework is used by agencies such as the National Security Agency, Department of Defense, Department of Homeland Security, and California Department of Education.
The five functions of the NIST CSF are:
2. Implement the CIS Critical Security Controls
The CIS CSC are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
- They are the minimum set of security standards to be applied by all California agencies (Office of the Attorney General, California Data Breach Report 2016).
- They can be directly mapped to all primary security frameworks including the NIST CSF.
- Implementing the Implementation Group 1 (IG1) controls will mitigate approximately 85% of the most common vulnerabilities.
- The CCC Security Center bases its primary strategies upon the Controls.
- The Controls are supported by major security software vendors.
3. Adopt or Incorporate Standards Developed by the CCC Security Center
IITS Information security standards, best practices, and guidelines shall align with or be derived from the CCC’s Information Security Standard or applicable administrative regulation.
- The has been adopted.
- The CCC Data Classification Standard has been adopted.
- CCC Administrative Regulations are being reviewed and/or revised for adoption.
Adopted best practices, standards, and guidelines can be viewed at IITS Policies, Regulations, Standards, Best Practices, and Procedures.
4. Utilize Tools and Services Offered by the CCC Security Center
IITS shall utilize tools and services offered by the CCC Security Center to address specific aspects of a comprehensive information security program.
- Security Information and Event Management (SIEM): Splunk provides real-time security analysis.
- Vulnerability Management: Tenable Security Center performs real-time vulnerability scanning.
- Vulnerability Assessment: A service conducted by the CCC to discover weaknesses in information systems and provide recommendations for remediation.
- Data Loss Prevention (DLP): Spirion is a data inventory and monitoring solution that helps identify and protect sensitive and confidential information.
- Security Awareness Training: SANS Securing the Human is a training solution that promotes awareness about topics such as phishing, malware, data security, and safe web browsing.
- Phishing Assessments: A service conducted by the CCC that measures behavior and trains awareness.
- CIS Controls Assessment: A service conducted by the CCC that measures an organization’s security posture against the Controls, and provides guidance for remediation and improvement.
5. Implement Various Industry-Recognized Tools and Services
IITS shall implement various industry-recognized tools and services designed to support information security standards, best practices, and guidelines.
- 2-Factor Authentication (2FA) and Single Sign-On (SSO): The combination helps to alleviate bad password practices while promoting a zero-trust approach to security.
- Apple Management Solution: An Apple device management software that provides services including automation and deployment of patches, upgrades, image hardening, and auditing of security events.
- ERP Application Firewall: Provides adaptive access control, transaction-level data security, and user behavior visibility for PeopleSoft.
- Managed Detection and Response (MDR): A service that actively scans the network to provide advanced threat detection and analytics, shared threat intelligence, rapid incident mitigation, and collaborative breach response.
- Next-Generation Antivirus: Software that goes beyond traditional antivirus capabilities by searching for behavioral patterns to identify attacker tactics, techniques, and procedures (TTPs).
- Next-Generation Firewall: In addition to traditional firewall capabilities, next-generation firewalls add features such as deep packet inspection and an intrusion prevention system.