Back to Top

Purpose

The purpose of this System and Information Integrity Information Technology Requirement (ITR) is to establish information security standards for the System and Information Integrity processes relevant to Anne Arundel Community College ("College") Information Technology Resources. The discipline of information systems security relies on the practice of ensuring and maintaining the confidentiality, integrity, and availability of information systems and data transmitted, processed, and/or stored on those systems.

Scope

This ITR applies to all College Information Systems and Information Technology Resources. All Information system custodians, their designees and contractors are responsible for adhering to this ITR. The AACC Security Program will maintain safeguards aligned with NIST SP 800-171 to ensure the protection, integrity, confidentiality, and resilience of Information Technology Resources.

Definitions

  1. Authorized User: A user who has been granted authorization to access electronic Information Resources and is current in their privileges.
  2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
  3. Data: Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
  4. Employee: College staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
  5. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
  6. Information System Custodian: A College staff member or other individual providing services to the College who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
  7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information by the College directly or by a third party under a contract with the College which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and the College’s network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
  8. Integrity: Ensuring records and the Information contained therein are accurate and Authentic by guarding against improper modification or destruction.
  9. User: A College community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the College, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control College data.

System and Information Integrity Requirements

System and Information Integrity Requirements address security controls that are implemented within systems and organizations to provide assurance that the system and information being accessed has not been tampered with or damaged (integrity).

In a risk-based manner, AACC will implement NIST SP800-171 and SP800-172 security controls.

  1. AACC will identify and mitigate system flaws and vulnerabilities in a timely manner.
  2. AACC will provide protection from malicious code.
  3. AACC will oversee service providers of system, subsystem, components, and application(s).
  4. AACC will monitor system security alerts and notifications and take rapid corrective action.
  5. AACC will identify and respond to unauthorized use of systems.
  6. AACC will identify and respond to unauthorized access to Information.
  7. AACC will not implement systems, subsystems, components, and applications that are banned, by laws and regulations.

Enforcement

Any user with knowledge of a potential violation shall notify IIT as soon as practicable.

Any employee, contractor or other third-party performing duties on behalf of the College who violates may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

Exemptions

Exceptions should be submitted to the vice president for Information and Instructional Technology Division, through the director of Information Security for review and approval. If an exception is granted a compensating security control or safeguard will be documented.

Contingencies

None

Review Process

Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.

 

Guideline Title:  System and Integrity Information Technology Requirement

Guideline Owner: Vice President for Information and Instructional Technology

Guideline Administrator: Director, Information Security

Contact Information: John Williams, jwwilliams6@aacc.edu  

Approval Date: Jan. 8, 2024

Effective Date: Jan. 8, 2024

History: Adopted November 2023

Applies to: Faculty and Staff

Related Policies: Acceptable Use of Information Technology Resources Policy

Related Procedures: Acceptable Use of Information Technology Resources Procedures

Related Guidelines:

Forms: N/A

Relevant Laws:

  • NIST SP 800-171, 800-172