Information Security Plan
The Long Beach Community College District protects the confidentiality, integrity, and availability of data and systems for our students, faculty, and staff. This Information Security Plan outlines the Office of Information Security’s approach to maintaining administrative, physical, and technical defenses. Because cybersecurity risks continue to evolve, the District reviews and adjusts its security practices on an ongoing basis rather than relying solely on static controls. By adopting industry-standard frameworks, using state-wide shared services, and building campus security awareness, the District works to reduce risk and maintain operational resilience.
Security priorities and control implementation are guided by risk-based analysis, regulatory obligations, institutional operational needs, and available resources.
Purpose
The Long Beach Community College District Information Security Plan defines the approach for developing, implementing, maintaining, and periodically improving the administrative, physical, and technical controls used to protect institutional data and information systems. This plan is supported by District policies, administrative procedures, technical standards, and operational guidelines that define specific security requirements and implementation practices.
This plan applies to District-owned systems, institutional data, cloud services, network infrastructure, and users who access District information resources, including employees, contractors, vendors, and other authorized parties.
Goals
- Protect the Confidentiality, Integrity, and Availability of District data and systems.
- Maintain compliance with federal, state, and local security regulations.
- Support and secure the strategic goals of the institution.
Security Principles
The District approaches cybersecurity through layered security practices, appropriate access controls, ongoing risk assessment, and periodic review of administrative and technical safeguards, including least-privilege access and zero-trust security concepts where appropriate.
Strategic Objectives
To support these goals, the District aligns its information security program with established frameworks, operational practices, and shared security services.
1. Align with the NIST Cybersecurity Framework (CSF)
The District aligns its cybersecurity program with the NIST Cybersecurity Framework (CSF) 2.0 to guide security planning and risk management activities to improve capabilities across six functions:
- Govern: Establish and monitor the District’s security risk management strategy.
- Identify: Locate and manage risks to systems, people, assets, and data.
- Protect: Implement safeguards to secure critical services.
- Detect: Monitor systems and network activity to identify potential cybersecurity events in a timely manner.
- Respond: Take action when a security incident is detected.
- Recover: Restore systems and services affected by cybersecurity incidents and incorporate lessons learned into future improvements.
2. Implement CIS Critical Security Controls
The District uses the Center for Internet Security (CIS) Controls as its technical guide, prioritizing Implementation Group 1 (IG1) for baseline cyber hygiene.
- Prioritized Defense: Prioritize CIS IG1 safeguards that help reduce exposure to common automated attacks.
- Framework Mapping: Map CIS controls to NIST CSF functions to ensure full coverage.
- State Alignment: Align with California community college security recommendations and benchmarks.
3. Incorporate CCC Security Center Standards
Information security standards and guidelines are periodically reviewed and updated in alignment with the California Community Colleges (CCC) Security Center recommendations.
- Standard Adoption: Update District policies to match the California Community College Information Security Standard.
- Data Classification: Use the CCC Data Classification Standard to categorize data and apply the right protections.
- Procedures: Review and update District Administrative Procedures based on state-wide guidelines.
4. Leverage CCC Security Center Tools and Services
The District uses shared tools and services from the CCC Security Center to improve operational consistency and support shared security capabilities:
- Microsoft 365 A5 Security Suite: Supports data protection, security monitoring, and compliance-related capabilities across Microsoft 365 services.
- Vulnerability Management: Use Tenable Security Center for regular network vulnerability scanning.
- Assessments: Engage the vulnerability scan and risk assessment services to identify and address security weaknesses
5. Deploy Industry Technical Controls
The District maintains administrative and technical safeguards intended to strengthen the security of institutional systems and data:
- Advanced Security Monitoring: Use industry-leading centralized monitoring and analytics tools, and automated detection tools to improve identification of suspicious activity across District systems.
- Device Management: Use centralized solutions for automated patching, upgrades, and system hardening.
- ERP Application Firewall: Apply access controls and user monitoring to protect PeopleSoft data.
- Identity Controls: Use Multi-Factor Authentication (MFA) and Single Sign-On (SSO) to strengthen identity verification and access management practices.
- Incident Response: Maintain incident response procedures designed to support the identification, containment, investigation, communication, recovery, and post-incident review of cybersecurity events.
- Managed Detection & Response (MDR): Use active network scanning and threat intelligence to identify suspicious activity and support incident response efforts.
- Next-Generation Firewalls: Maintain network security controls that support traffic inspection, intrusion prevention, and segmentation where appropriate.
- Security Awareness: Provide recurring security awareness training and phishing simulation exercises for employees.
- Security Operations Center (SOC): Engage a 24/7 SOC to support continuous monitoring and incident detection activities across District networks and systems.
6. Regulatory Compliance Alignment
The District updates administrative, physical, and technical controls to meet federal requirements:
- GLBA Safeguards Rule: Protect student financial data through risk assessments, access limits, and vendor vetting.
- FERPA: Protect student education records and associated Personally Identifiable Information (PII) through access controls, audit logging, and secure data handling practices.
6A. Third-Party Risk Management
The District evaluates technology vendors and service providers that access institutional systems or sensitive data. Security reviews may include contractual safeguards, risk assessments, data protection requirements, breach notification requirements, and compliance validation where appropriate.
6B. Business Continuity and Recovery
The District maintains business continuity and disaster recovery capabilities for critical systems and services through backup strategies, recovery planning, resilience testing, and coordination with operational departments where appropriate.
7. Target Security Metrics
The institution uses these benchmarks to track and improve its security posture:
- Identity Management: Maintain MFA deployment for all staff, faculty, and privileged accounts.
- Vulnerability Remediation: Work toward remediation timelines aligned with CISA, FedRAMP, and operational risk priorities by targeting Critical vulnerabilities within 14 days and High vulnerabilities within 30 days of discovery. Exceptions must be documented with a business justification, risk acceptance, and alternative controls approved by the Office of Information Security.
- Awareness Culture: Maintain annual training participation targets of 90% or greater, and keep phishing simulation click rates below 5%.
8. Phased Continuous Improvement Roadmap
Controls are deployed and optimized using a phased approach:
- Phase 1 (Baseline): Maintain MFA, run routine vulnerability scans, and conduct basic user training.
- Phase 2 (Integration): Set up MDR services, configure ERP firewalls for PeopleSoft, and check access permissions against GLBA/FERPA rules.
- Phase 3 (Optimization): Improve network visibility through advanced monitoring and analytics capabilities, automated patch management, and use CCC Security Center risk assessments.
9. Plan Governance
- Executive Oversight: The Vice President of Technology and Learning Resources, in coordination with District leadership, provides executive oversight for institutional information security strategy and risk management activities.
- Ownership: The Office of Information Security manages this plan and coordinates incident response and risk mitigation.
- Review Cycle: This plan is reviewed at least annually and may be updated as needed to address changes in technology, cybersecurity risks, regulatory requirements, or institutional priorities.
- Risk Management Coordination: Significant risks, exceptions, and remediation priorities may be reviewed through established governance or technology committees.
- Shared Responsibility: Information security is a shared responsibility among District employees, administrators, students, vendors, contractors, and third-party service providers.
If You See Something, Say Something
Cybersecurity is a shared responsibility. If you notice suspicious activity or unauthorized access to any district assets, please contact the Office of Information Security immediately.
If you need to report a potential crime or similar non-emergency situation, please refer to the Police & Campus Safety website.
Protect your password
Important: Administrative Procedure 3720 specifically prohibits sharing login credentials with anyone, including your colleagues, your manager, those who report to you, or even ITS.
Don’t be a victim of phishing!
Whether you are working from the office or remotely, please maintain your cyber vigilance by:
- Recognizing and reporting Phishing Attempts and Common Types of Scams,
- Reviewing Password and Passphrase Best Practices, and
- Implementing Cybersecurity Best Practices When Working Remotely.