5.23.3 Information Security Requirements and Controls
Responsible Position
Chief Information Officer
RELATED ITEMS
Minnesota State Board Policy
- External Website: Minnesota State - 5.22 Acceptable Use of Computers and Information Technology Resources
- External Website: Minnesota State - 5.23 Security and Privacy of Information Resources
Minnesota State System Procedure
- External Website: Minnesota State - 5.22.1 Acceptable Use of Computers and Information Technology Resources
- External Website: Minnesota State - 5.23.1.1 Password Usage and Handling
- External Website: Minnesota State - 5.23.1.2 Encryption for Mobile Computing and Storage Devices
- External Website: Minnesota State - 5.23.1.3 Data Sanitization
- External Website: Minnesota State - 5.23.1.4 Information Security Incident Report
- External Website: Minnesota State - 5.23.1.5 Security Patch Management
- External Website: Minnesota State - 5.23.1.6 Vulnerability Screening
- External Website: Minnesota State - 5.23.1.8 Anti-malware Installation and Management
- External Website: Minnesota State - 5.23.1.10 Payment Card Industry – Technical Requirements
- External Website: Minnesota State - 5.23.1.11 Data Backup
- External Website: Minnesota State - 5.23.1.13 Breach Notification
- External Website: Minnesota State - 5.23.1.14 Review of Third-Party Vendors
- External Website: Minnesota State - 5.23.2 Data Security Classification
- External Website: Minnesota State - 5.23.2.1 Data Security Classification
- External Website: Minnesota State - 5.23.3 Information Security Requirements and Controls
- External Website: Minnesota State - 5.23.3.1 Information Security Controls
Minnesota Statutes Chapter 13, Minnesota Government Data Practices Act
PROCEDURES
Purpose
This procedure defines the roles and responsibilities regarding information security requirements and the methods for determining the appropriate security controls to meet information security requirements.
Applicability
This procedure applies to all institutional data, wherever located, regardless of media type or format (electronic, paper, or other physical form), and to all uses of that data. This procedure and associated operating instructions establish minimum requirements for classifying institutional data.
Nothing in this procedure shall be interpreted to expand, diminish, or alter academic freedom, articulated under Minnesota State board policy and collective bargaining agreements, or the terms of any charter establishing a system library as a community or public library.
Definitions
For purposes of this procedure, the following definitions apply:
Data custodian: The data custodian is appointed by the data owner to assign the security classifications for institutional data and ensuring that the appropriate controls are implemented.
Data owner: An individual with authority and accountability for specified information (e.g., a specific business function) or type of institutional data. Included in this authority is the ability to grant and deny access to data or portions of institutional data under his or her authority. This individual shall assign responsibility to the appropriate data custodian(s) to ensure the protection of institutional data. The data owner is typically in a senior or high-level leadership position. There may be more than one data owner, depending on the authority and accountability for specified information (e.g., a specific business function) or type of institutional data.
Institutional data: Data collected, manipulated, stored, reported, or presented in any format, on any medium, by any unit of the college that are created, received, or maintained by the institution.
Information security controls: Technical, administrative, management, or physical methods or safeguards that, when applied, satisfy information security requirements.
Information security requirements: Information security obligations that must be met or implemented. Information security requirements are defined by, for example, federal or state law or regulation, industry regulations, state statute, Minnesota State board policy or procedures, third-party contracts, ATCC policy, or any other information security protection requirement identified by the data owner.
Information technology service provider: An internal or external entity that provides or manages an information technology system.
Information technology system (IT system): Any computer, server, software application, networking infrastructure, storage device, or medium, etc. that provides for information processing, transfer, storage, or communications.
Procedures
Responsibilities for determining information security requirements
It is the responsibility of the data owner to identify information security requirements applicable to any institutional data or IT system for which they are responsible. Additionally, the data owner is responsible to ensure that any information technology service provider that provides an IT service meets applicable requirements.
Determining appropriate information security controls.
Data custodians, acting on the data owner’s behalf, shall use Minnesota State Operating Instructions 5.23.3.1 Information Security Controls to determine the appropriate security controls to meet information security requirements for the IT systems and data for which they are responsible. Minnesota State Operating Instructions 5.23.3.1 prescribes minimal controls needed to protect institutional data.
Application of information security controls
ATCC implements all required information security controls identified in Minnesota State Operating Instructions 5.23.3.1 and any other operating instructions under this procedure for institutional data and IT systems for which they are responsible.
Operating Instructions Development Responsibilities
Data owners and authorized administrators shall develop operating instructions to implement these procedures per Minnesota State Board Policy 1A.1.
Related ATCC Documents:
Approved by: Leadership Council
Effective Date: 7/20/2022
Next Review Date: July 2025
Archive: