Information Security Policies
Security standards and practices for the LBCCD
Information Security is the set of processes that safeguard information and its related assets, regardless of its current form or state. As such, information security encompasses more than computer security. For instance, in addition to cybercriminals attempting to gather confidential information, it includes physical risks such as theft and natural disasters.
The California State Administrative Manual (SAM) defines information security as follows:
Information security refers to the protection of information, information systems, equipment, software, and people from a wide spectrum of threats and risks. Implementing appropriate security measures and controls to provide for the confidentiality, integrity, and availability of information, regardless of its form (electronic, optical, oral, print, or other media), is critical to ensure business continuity, and protect information assets against unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is also the means by which privacy of personal information held by state entities is protected.
Information security management is an ongoing process of continual improvement. The Long Beach Community College District (LBCCD) is committed to protecting and managing its information assets. Therefore, LBCCD has adopted the California Community College Information Security Standard as defined by the California Community College Security Center. LBCCD information security policies, regulations, and business processes are to be adopted, derived, or aligned with this standard.
The CIA triad (Confidentiality, Integrity, and Availability) is a model used to guide security policy development. In the context of the CIA triad, ISO 27002 defines information security as the preservation of the following:
CONFIDENTIALITY. Ensuring that information is accessible only to those authorized to have access.
INTEGRITY. Safeguarding the accuracy and completeness of information and processing methods.
AVAILABILITY. Ensuring that authorized users have access to information and associated assets when required.
LBCCD collects, compiles, stores, and manipulates data from a variety of sources. In order to apply the appropriate security protocols for safeguarding the data, the college must first classify the data into one of three levels: (1) confidential, (2) internal use, and (3) general.
LEVEL 1: CONFIDENTIAL. Protected data that is sensitive in nature, poses a severe risk if exposed, and/or is governed by legal statute.
LEVEL 2: INTERNAL USE. Protected data that is sensitive in nature, and/or poses a moderate risk if exposed.
LEVEL 3: GENERAL. Disclosure of this information does not expose the college to financial loss or jeopardize the security of the college’s information assets.
Further details regarding data classifications can be found in the Long Beach Community College District Data Classification Standard.
Awareness & Training
The LBCCD security awareness program shall provide and promote awareness of the following:
- LBCCD information security policies, standards, procedures, and guidelines.
- Potential threats against LBCCD protected data and information assets.
- Appropriate controls and procedures to protect the confidentiality, integrity, and availability of protected data and information assets.
- LBCCD notification procedures in the event protected data is compromised.
LBCCD shall provide basic information security training for all employees. Individuals whose job functions require access to level 1 or level 2 data will undergo training relevant to those classifications.