Information Security Program
Policy
The College shall establish and maintain a comprehensive information security program
to protect all customer information. Customer information means any record containing
nonpublic personal information about a customer, whether in paper, electronic, or other
form, that is handled or maintained by or on behalf of the College or its affiliates. The
program shall contain administrative, technical, and physical safeguards to protect
customer information as it is collected, distributed, processed, stored, used, transmitted,
disposed of, or otherwise handled. These safeguards shall be designed to achieve the
following objectives:
1. Ensure the security and confidentiality of customer information.
2. Protect against any anticipated threats or hazards to the security or integrity of
such information.
3. Detect and protect against unauthorized access to or use of such information that
could result in substantial harm or inconvenience to any customer.
4. Ensure a proper response to patterns, practices, or specific activities that may
indicate identity theft or breach.
An employee or employees shall be designated to coordinate this information security
program. Currently this employee is:
Jay Olson
Director of Information Technology
435-248-1808
Procedure
Breach Prevention:
The information security program will contain four steps carried out on a quarterly basis.
The Director of Information Technology will be responsible for making sure these steps are
carried out and that proper documentation takes place for each step. All employees
will be responsible for learning and following the safeguards that are put in place based on this
process. The four steps are as follows:
1. Carry out an annual risk assessment that involves representatives from
departments across the College. This risk assessment will identify reasonably
foreseeable internal and external risks to the security, confidentiality, availability,
and integrity of customer information that could result in the unauthorized
disclosure, misuse, alteration, destruction, or other compromise of such
information, and will assess the sufficiency of the current safeguards in place to control
these risks. If current safeguards are determined to be insufficient to reduce risk to
an acceptable level, new safeguards will be designed. As part of the process,
current service providers will be evaluated to make sure they are capable of
maintaining appropriate safeguards for the customer information. The risk
assessment will cover the following areas of operation:
a. Employee training and management.
b. Information systems, including network and software design, as well as
information processing, storage, transmission, and disposal.
c. Detecting, preventing, and responding to attacks, intrusions, or other system
failures.
2. Implement, and provide training on, new safeguards to control the risks identified
through the risk assessment. Also, re-emphasize the existing safeguards already in place.
3. Test and monitor the effectiveness of the safeguards' key controls, systems, and
procedures.
4. Evaluate and adjust the information security program in light of the results of
the testing and monitoring, as well as any material changes to operations or
business arrangements or any other circumstances that may have a material impact
on the school's information security program.
Post-breach process:
In the event of a suspected or actual data breach, defined as any unauthorized
disclosure, misuse, alteration, destruction, or other compromise of information, the
following steps will be taken:
1. Any employee aware of an actual or suspected breach will report it to the
Director of Information Technology or an Executive staff member on the day of
detection.
2. The Director of Information Technology or Executive staff member will send an
email to cpssaig@ed.gov on the day of detection.
3. Data to be included in the email:
a. Date of breach (suspected or known)
b. Impact of breach (# of records, etc.)
c. Method of breach (hack, accidental disclosure, etc.)
d. Information Security Program Point of Contact - email and phone details
e. Remediation status (complete, or in process with detail) and next steps (as
needed)
4. The Director of IT will contact the College's current cybersecurity insurance
company and gather the necessary resources to ensure that proper remediation services and
a post-breach assessment and evaluation take place.