Electronic Information Security Procedure (draft)

If you suspect that a security breach has occurred in a district-owned computing system, contact the:
- Call Center at x8324 during work hours
- District police at x7313 after work hours / on holidays

Purpose

The purpose of this procedure is to enhance the security of stored, transmitted, and distributed personal information that could be used to impersonate an individual and cause serious loss of privacy and/or financial damage.

In addition to this procedure, colleges and departments are urged to establish best practices that reduce the collection, distribution, and retention of personal data, which is not necessary to perform the educational and business needs of the institution.

Legal requirements and local policy require that District personnel take appropriate measures to protect personal information from inadvertent or illegal exposure to unauthorized individuals. Other legal requirements require that if certain personal information is inadvertently disclosed, the district / college must notify all individuals whose information was compromised. Refer to the table below for further details regarding legal and local requirements.

Legal and Local Requirements for Safeguarding Personal Information

Reference* | Applies to | Required by applicable law | Requires protection? | Requires notification?
A - 1. | All individuals | California Civil Code 1798.85, 1798.29 | Yes | **
A - 2. | Students | Family Educational Rights and Privacy Act (FERPA) | Yes | No
A - 3. | Employees | District procedure | Yes | No

*refer to Personal Information definitions below
**Civil Code 1798.29 requires state agencies, businesses and persons conducting business in California to notify affected persons in event of a breach. This section of code may not apply to California Community Colleges.

Definitions

Personal information:
Personal information includes:
- For all individuals, an individual's first and last name in combination with any of the following:
  - social security number
  - driver's license number
  - financial account or credit card number in combination with any password that would permit access to the individual's financial account
  - medical information
- For students, all personally identifiable information not included as directory information. This would include the student's name in conjunction with:
  - the name of the student's parent(s) or other family members
  - the address of the student's family
  - a personal identifier, such as a social security number or student number
  - the race or ethnicity of the student
  - the gender of the student
  - a list of personal characteristics of the student
  - academic evaluations and grades of the student
  - transcripts and other academic records of the student
  - scores on tests required for new students
  - the student's class schedule
- For employees, an individual's first and last name in combination with the:
  - employee's ID number

Directory Information (FERPA definition):
Information that is generally not considered harmful or an invasion of privacy if released. The primary purpose of directory information is to allow the District / College to include this type of information from a student's education records in certain school publications. Examples include:
- A playbill, showing the student's role in a drama production
- The annual yearbook
- Honor roll or other recognition lists
- Graduation programs
- Sports activity sheets, such as for wrestling, showing weight and height of team members

Security breach:
An incident when an individual's unencrypted personal information has been (or is reasonably believed to have been) exposed to or acquired by an unauthorized person.
(Good faith acquisition of personal information by an employee or agent for district / college purposes does not constitute a security breach, provided that the personal information is not further disclosed to unauthorized persons.)
The theft of a computing system that contains or may contain personal information will be considered a potential security breach.
Inadvertent access to personal information that occurs in the course of performing technical services on a computing system by an authorized technical staff member will not be considered a security breach.

Computing system:
Any server, desktop or laptop computer, or PDA that contains (or provides network access to) data files

Computer-based information system:
Any computing system that is used in the acquisition, storage, manipulation, management, movement, control, display, transmission, or reception of data (including software, firmware, and hardware), which is used to provide services to persons other than the owner.

Computer-based information system manager (CBIS Manager):
An individual who maintains and manages an information system, server, or other technology device that stores or transmits data.

Data Resource
Data (information) that is stored on a computer-based information system

Data resource manager:
An individual who controls the use of and access to a data resource

Lead authority:
An administrator who has been delegated responsibility for oversight of data security at a college or Central Services. Each president will designate a person to act as the lead authority for their college. The Vice Chancellor of Technology is the lead authority for Central Services.

Control records:
The records contained in a database, spreadsheet, or other electronic file that document system and application level access methods into those computer-based information systems containing personal information.
Control records must contain the following for each computer-based information system:
- name of the computer-based information system
- physical location of computer-based information system
- name of the CBIS manager
- name of the data resource manager(s) who have responsibility for any data containing personal information on the computer-based information system
- description of logical access methods and security controls (user IDs, passwords, encryption keys, etc.) necessary to gain access to the computer-based information systems and its data or, the name of another employee (in addition to the CBIS manager) who has knowledge of logical access methods and security controls (e.g. who can gain access to the system and applications as a systems administrator)

ETS Incident Response Team
A team of designated ETS members who investigate and respond to security incidents

Responsibilities

The lead authority has oversight responsibilities to:
- identify computer-based information systems under their jurisdiction that contain personal information or that provide access to personal information
- ensure that data resource managers and CBIS managers perform their functions as specified in this document
- create a secure central repository to contain control records on computer-based information systems that contain personal information
- know where to rapidly locate contact information (email and postal addresses) for individuals of whom personal information is retained or transmitted. (Contact information on all students and employees is kept in the district's administrative information system.)
- ensure that the incident response process delineated in these procedures is followed (if a security breach occurs on a computer-based information system or a data resource managed by an individual in his / her organization [college or Central Services]).
- rapidly notify affected individuals whose personal information may have been compromised as the result of a security breach of a computing system or actions of an employee under the jurisdiction of the lead authority as required by this procedure. Current law (as of April 2008) requires that notification be made in the most expedient time possible and without unreasonable delay. (Refer to CALIFORNIA CIVIL CODE 1798.29).

The CBIS manager has responsibilities to:
- develop security measures, including District published best practices to reduce vulnerabilities of personal information contained in computer-based information systems within their jurisdiction including the use of appropriate encryption strategies for both transmission and storage of personal information
- create, retain and secure control records for computer-based information systems that contain personal information
- annually update control records as necessary including those kept in the central repository
- implement procedures and tools to monitor access to computer-based information systems that contain personal information and to indicate if unauthorized access occurs
- remove files containing personal information (using an industry standard secure data removal tool) from servers, which are identified to be salvaged or repurposed

The data resource manager has responsibilities to:
- grant access to a data resource or data to individuals / positions on a need to know basis
- inform individuals who have access to the data resource (and any downstream users of distributed data) of their responsibilities to secure and protect personal information as well as to destroy it when no longer needed.
  Include applicable:
  - district and college policies and procedures
  - best practices

All employees have responsibilities to:
- abide by the established procedures with regard to accessing and using personal information
- protect and secure personal information under their control using best practices as outlined in the publication: Information Security Best Practices which is available on the FHDA Website
- destroy data containing personal information when no longer needed

See also: Computer and Network Use: Rights and Responsibilities Policy / Procedures 3250 / AP 3250

Other Responsibilities
- FHDA District Police will act as the point of contact between the district and external law enforcement agencies when external law enforcement agencies are involved
- ETS shall remove personal information (using an industry standard secure data removal tool) from desktop / laptop computers, which are designated to be salvaged or repurposed
- System hard drives may be destroyed as an alternate method of removing sensitive information

Incident Response Process

The incident response process consists of the following steps that must be implemented in the event that a security breach occurs:

Notify key persons

If a person suspects that a security breach has occurred on a computing system that contains or has network access to unencrypted personal information, the person identifying the incident must immediately contact the ETS Call Center (during work hours) or the district police (after work hours).
If the security breach is reported after work hours have ended, then district police will notify the Vice Chancellor of Technology.
The Vice Chancellor of Technology or designee will notify the appropriate Lead Authority.

Isolate the system

For Computer Based Information Systems:
The CBIS manager will disconnect the computing system from the campus network without modifying any settings, files, etc. on the computing system, and leave the system powered up.

For employee assigned desktop or laptop computers:
If the computer is turned on, the employee should immediately disconnect the computer from the network (by removing the network cable or disconnecting from a wireless connection). The computer should not be turned on or off or otherwise modified in any way.

For Stolen Computing Systems:
If a stolen computing system is recovered, the person gaining possession of the system will notify the Call Center, who will arrange for the system to be picked up. The computing system should not be turned on or otherwise modified in any way.

Analyze the breach

The ETS Incident Response Team, in cooperation with District Police (if involved) and the CBIS manager, will look for evidence of a security breach to assess the possibility that personal information has been compromised

Report the incident

If the ETS Incident Response Team, in cooperation with District Police (if involved) and the CBIS manager, has sufficient reason to believe that personal information may have been acquired by or exposed to unauthorized individuals, the ETS Incident Response Team will submit written notification describing the nature of the security breach and estimated number of affected individuals to the:
- Chancellor
- President of the college (if applicable)
- Vice Chancellor of Technology
- Lead authority
- District and college (as applicable) communication coordinators
- District Police

Restore and reconnect the System

The CBIS manager may repair and restore system functionality to the computing system when:
- The computing system is no longer needed for forensic analysis or police investigation and
- It has been cleaned of all known malware

The ETS Incident Response Team will work with the CBIS manager and District Police (if involved) to determine when the computing system can be reconnected to the campus network

Special consideration for rapid restoration and reconnection will be given to computing systems that provide time sensitive functionality to support critical campus services

Notify individuals whose personal information has been compromised

Decide if notification is required and how notification will be made
The district / college communication coordinators (as appropriate), the Vice Chancellor of Technology, the lead authority and the district's attorney will confer to determine whether or not the criteria for notification under California Civil Code 1798.29 and 1798.82 has been met and to determine which means of notification to use (e.g., email, postal mail, or website notice)

Personal information not involved
If information beyond the data elements defined herein as personal information is accessed by an unauthorized person, the appropriate district / college communications coordinator in coordination with the District's attorney will determine what notification will be made to affected individuals.

Required information
If notification is required, the appropriate district / college communication coordinator shall notify affected individuals of the security breach and include the following information:
- The date(s) on which the personal information was (or could have been) acquired.
- A description of the personal information, which was (or could have been) acquired.
- The name of the department or unit responsible for the information and the relationship that the affected individual has (had) to the department (in such a way that the person receiving the notification will understand why that department or unit had their information).
- An indication of the likelihood that the personal information was acquired or used.
- An email address and phone number of a suitable college or Central Services representative with sufficient knowledge of the incident to be able to handle questions from affected individuals.
- A list of resources that affected individuals can use to check for potential misuse of their information.
  This list should include the following flyer (either as a link or a hardcopy attachment): "What to Do If Your Personal Information is Compromised" (http://www.privacy.ca.gov/financial/sbfs021205.pdf), produced by the California Office of Privacy Protection

The appropriate district / college communications coordinator will also determine what additional advice or assistance will be given to the affected individuals.

Timeliness of notification
Notification must occur without unreasonable delay, except when a law enforcement agency has determined that notification will impede a criminal investigation. (In this case, notification must occur as soon as the law enforcement agency determines that it will not compromise the investigation)

Substitute method of notification
If sufficient contact information is not available for direct hard copy or e-mail notice for some affected individuals, a substitute method of notice may be used. The substitute notice should include a prominent display on the campus' Web site or other commonly used Web site for at least forty-five days.

Submit the After Notification Report

The district / college communication coordinator will provide a written report describing the number of individuals successfully notified, the number of individuals for unsuccessful notifications, and which methods were used for notification, along with any issues that have arisen as a result of the breach such as press coverage, complaints from affected individuals, etc.
The report will be sent to the following individuals:
- Chancellor
- President of the college (if applicable)
- Vice Chancellor of Technology
- Lead authority
- District communication coordinators

References

Information on privacy laws applicable to California
http://www.privacy.ca.gov/lawenforcement/laws.htm#twelve

Important legislation governing the security of confidential information
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) - 45 CFR Parts 160 and 164
- Family Educational Rights and Privacy Act of 1974 (FERPA) - 20 U.S. Code section 1232g
- Breach Notification Law: California Civil Code - 1798.29 (previously SB1386)
- Security of Personal Information: California Civil Code - 1798.85 (previously SB 25)

FHDA - AP 3410 Guidelines for Classification, Retention and Destruction of Records
http://fhdafiles.fhda.edu/downloads/aboutfhda/3410ap.pdf

FHDA - Policy 3250 / AP 3250 Computer and Network Use: Rights and Responsibilities
http://153.18.96.19/downloads/etac/Policy3250.doc%20

FHDA Policy 5050 Furnishing Information Concerning Students

FHDA Policy 4150 Personnel Files

Information Security Best Practices
www.fhda.edu/security

Foothill-De Anza Community College District, Educational Technology Services. Saved on: July 28, 2008. 7 page(s). By: Foothill College
8 C O Q  -@AU*.fm1JUZ`Sg0@^rо hL9>* hL96 *hL95CJhL956CJ hL95CJ *hL9 hL9>*CJ hL9CJhL95B*CJph hL95CJhL9G2ikd$$IfTl| t0644 laT $$Ifa$M1OP~ % : Q xoiioo$If $$Ifa$$^|kd{$$IfTl0 v  t0644 laT Q R Y i NE??EE$If $$Ifa$kd $$Iflrd] %K@  t0#644 la NE??EE$If $$Ifa$kd$$Iflrd] %K@  t0#644 la  NE??EE$If $$Ifa$kd$$Iflrd] %K@  t0#644 la@+A`NHHFDB^kd^$$Iflrd] %K@  t0#644 la`z&bAp9Nx(q  ^`oR)wBP2S`ly!$!Q!t!!!!!!"""z""""""8#L#Q$s$x$$E%T%Z%j%%%&U&&&'#''''(=(Q(b(q()&)m)))))* +4+++$,8,L,`, hL9>* hL95hL9 hL96]qR*ATm !!H!!L""#$ & F$&&'R((U))+**y++++9,,8---W./c/}/002,2T2 & F`,,, -!-B--h.|...///0>0000000001&1022222222334444555555556)6666666?77778889999999::::;;;;;;;; <<=O=c=>>BBjhL9CJU hL96>* hL9>* hL96hL9YT23;3=4[4O5b5?6S6778/8>8~888 9g99A::2;w;<==>R> ? & F ?]??@AA>BC&DADhEEFFHHHHHIII JJJ#KxKOLMBCCCGCHCFFTIUIIIIII]KdKKKLLLLLMLLLLLLLMMMMMM»»ףחz»g»z_jhL9U$j/hL9>*CJOJQJUhL9B*CJOJQJphjLhL9>*CJUjhL9>*CJU *hL9$jehL9>*CJOJQJU hL9>*CJjhL9>*CJOJQJU hL96hL9hL90JCJjhL9CJUj$hL9CJU hL9CJ#M]MMMMMMMMMMMMMMNNNN.O/O0O1O2O  !(]&`#$  & F^MMMMMMMMMMMMMMMMNN0N1N2NHNINJNKNLNVNWNNNNNNNNNNNNNNNNNNOO,O-O2O-|.|/|E|F|G|H|I|S|øøøܲhzfJmHnHujhzfJUhzfJ hzfJCJhL9CJmHnHujhL9CJUhL9mHnHu hL9CJhL9hL90JCJOJQJjhL9UjhL9U:30&PP/ =!"#$% ,PX&('S@,PX&',S@y$$If!vh5|#v|:V l t065|T$$If!vh5v 5 #vv #v :V l t065v 5 T$$If!vh55K5@ 55#v#vK#v@ #v:V l t0#655K5@ 5a$$If!vh55K5@ 55#v#vK#v@ #v:V l t0#655K5@ 5a$$If!vh55K5@ 55#v#vK#v@ #v:V l t0#655K5@ 5a$$If!vh55K5@ 55#v#vK#v@ #v:V l t0#655K5@ 5aADyK 3http://www.privacy.ca.gov/financial/sbfs021205.pdfyK fhttp://www.privacy.ca.gov/financial/sbfs021205.pdfDyK  yK dhttp://www.privacy.ca.gov/lawenforcement/laws.htmtwelveDyK yK rhttp://fhdafiles.fhda.edu/downloads/aboutfhda/3410ap.pdfDyK yK dhttp://153.18.96.19/downloads/etac/Policy3250.docDyK www.fhda.edu/securityyK :http://www.fhda.edu/security  !"#$%&'()*+,-./0123456789:G<=>?@ABOPHIJKLMNSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry FEF Data ;WordDocument*1Tableb  !"#$%&'()*+  FMicrosoft Office Word Document MSWordDocWord.Document.89qgenerated 
automatically by Word. Word requires this version to properly update the shared document.O$՜.+,D՜.+,( hp %` |P~bjbj"x"x *@@PXX4Pl'F\\\\\\\xzzzzzz$mh \\\\\\\8\\\\\\x\\x\\\\ E\\x<'\ \ \ \\\\\\\\\\\\\'\\\\ 17Թ De Anza Community College District  PAGE \* MERGEFORMAT 7 Saved on:  SAVEDATE \@ "MMMM d, yyyy" \* MERGEFORMAT June 18, 2008 Educational Technology Services of  NUMPAGES \# "0" \* Arabic \* MERGEFORMAT 7 page(s) By:  LASTSAVEDBY \* Caps \* MERGEFORMAT Fred Sherman 17Թ De Anza Community College District  PAGE \* MERGEFORMAT 7 Saved on:  SAVEDATE \@ "MMMM d, yyyy" \* MERGEFORMAT July 3, 2008 Educational Technology Services of  NUMPAGES \# "0" \* Arabic \* MERGEFORMAT 7 page(s) By:  LASTSAVEDBY \* Caps \* MERGEFORMAT Fred Sherman S|T||||||||||||||||||}}%}&}(}U}V}W}m}n}o}p}q}{}|}}}}}}}}}}~ ~ ~ ~~~~~?~@~L~M~P~hzfJmHnHujhzfJUhzfJhzfJCJmHnHu hzfJCJjhzfJCJU72O|'}(}}N~O~P~  (](/ =!"#$% SummaryInformation(RDocumentSummaryInformation8d CompObjq ,17Թ-De Anza Community College District~#E'  IntroductionPurpose Definitions Personal information:. Directory Information (ferpa definition): Security breach: Computing system:( Computer-based information system: > Computer-based information system manager (CBIS Manager):Y An individual who maintains and manageOh+'0   @ L X dpxIntroductionFred Sherman Normal.dotFaculty Staff2Microsoft Office Word@@\ @qE@qEo {;G( VT$m  &" WMFC  Ȧl UT#m EMF` 8      %  Rp@"Arial|Ӑ||3& z Arial0\08/b1?TT֮'0)0u 0u lN0u dv%  TTh~UUAČAhL P ! "  Rp@"Arial3& z Arial?d HK)0u 0u lN0u dv% T E0 UUAČA* L `Foothill   TTF W0 UUAČAF* L P T X |0 UUAČAX* #L De Anza Community College District        % TT} 2 UUAČA}* L P dTT 2 UUAČA* L P1TT 2 UUAČA* L P % T d0 UUAČA* L `Saved on:   Te + 0 UUAČAe* L hJuly 28, 2008  % TT,  C 2 UUAČA, * L P ! 
"  % T4 Y UUAČAS L Educational Technology Services    % TT- [ UUAČAS L P % T`4 Y UUAČAS L Tof  TT4 Y UUAČAS L P7T|4 DY UUAČAS L \ page(s)   % TTE- [ UUAČAES L P % Td4 FY UUAČAS L TBy:  TG4 + Y UUAČAGS L lFoothill College  % TT, - C [ UUAČA, S L P ! "  TTZ UUAČA L P ! "  Rp@"Arial3& z Arial?0Ls)0u 0u lN0u dv% TD *UUAČA p)L Electronic Information Security Procedure2**..)..B*..1**-'2.**..*TT*UUAČApL P $ TxfUUAČAL \(draft).*TTgUUAČAgL P * Rp@"Arial3& z Arial?0࡮)0Tu 0Tu lN0lu dv% Tf!UUAČA8Ll If you suspect that a security breach has occurred in a              T|,UUAČA,Ll \district  TTUUAČALl P- T$UUAČA$Ll owned computing system, contact the:  $  %  TTUUAČALl P  '% LdUVU!??%  % LdUVU!??%  % LdUkVU!??%  % LdlUmVlU!??%  % LdlUmVlU!??%  % LdWW!??%  % LdlWmlW!??%  % T!UUAČAL lCall Center at x   Rp@"Arial#1 0|ˮ0`1 03& z Arial?ž)0Tu 0Tu lN0lu dv%  Td#UUAČAL T8324%  TT!UUAČAL P  T4pdUUAČA[L pduring work hours   TTq&" WMFC Ȇ4dUUAČAq[L P  % TA!UUAČAALl tDistrict police at x      %  Td#UUAČALl T7313%  TT-!UUAČALl P  T4TdUUAČA[Ll after work hours / on holidays !    TTU4kdUUAČAU[Ll P  % Ld!??%  % Lda!??%  % Ld!??%  % Ldk!??%  % Ldlml!??%  % Ldu!??%  % Ldvwv!??%  % Ldvwv!??%  % Ldvwva!??%  % Ldu!??%  % Ldvwv!??%  % Ldvkwv!??%  % Ldlmul!??%  % Ldlvmwlv!??%  % Ldlvmwlv!??%  Rp@"ArialDu H g Q, , (u 0ăă-0u @̪0̪0d0x(u 4u u 23& z Arial? 8)0@u 0@u lN0Xu dv% TxUUAČAL \Purpose-)))%%TTUUAČAL P A$ Rp@"Arial3& z Arial? |O)0u 0u lN0u dv% T :UUAČA1jL The purpose of this procedure is to enhance the security of stored, transmitted, and distributed personal                &          T<oUUAČAfeL information that could be used to impersonate an individual and cause serious loss of privacy and/or &        %                 TqFUUAČAL pfinancial damage.    
% TTGq^UUAČAGL P A TUUAČAL In addition to this procedured       T UUAČAML , colleges and departments are urged to establish best practices that reduce t     &              TkUUAČAdL the collection, distribution, and retention of personal data, which is not necessary to perform the                  !       &   Tx SUUAČAJ2L educational and business needs of the institution.           TT SUUAČAJL P A TeUUAČAL Legal requirements and local  %    Te UUAČAML p&" WMFC folicy require that District personnel take appropriate measures to protect      !         &     T{UUAČAcL personal information from inadvertent or illegal exposure to unauthorized individuals. Other legal   &  &              #    T,UUAČAPL requirements require that if certain personal information is inadvertently discl %          &        TUUAČAL osed, the district / college          T6UUAČA-dL must notify all individuals whose information was compromised. Refer to the table below for further &         &  ! &&              Th8{kUUAČAb/L details regarding legal and local requirements.         &  TT|8kUUAČA|bL P  Rp @"Tahoma5& zaTahoma?$h좣)0u 0u lN0u dv% ThUUAČAhBL Legal and Local Requirements for Safeguarding Personal Information    '     ( TT.UUAČAL P  % Th UUAČAh  LS$ `Reference*   TT UUAČA LS$ P  TT<QUUAČA< L&t PATRUUAČAR  L&t `pplies to TTUUAČA L&t P  TUUAČA Lv Required by applicable law    TT+UUAČA Lv P  T|UUAČA  LC `Requires   % T}UUAČA}  LC `protection   ' % Ld} } !??% ( TT!UUAČA LC P?TT"4UUAČA" LC P  T`UUAČA`  LE `Requires   % TUUAČA  LE dnotification   ' % Ld  !??% ( TTUUAČA LE P?TTUUAČA LE P  % LdQRQ!??%  % LdQRQ!??%  % LdS#S!??%  % Ld$%$!??%  % Ld&s&N!??%  % Ldtut!??%  % LdvvV!??%  % Ld!??%  % LdBu!??%  % LdCDC!??%  % LdEEu!??%  % Ld!??%  % Ld!??&" WMFC F%  % LdQR"QH!??%  % Ld$%"$H!??%  % Ldtu"tH!??%  % Ld"H!??%  % LdCD"CH!??%  % Ld"H!??%  % TX6iUUAČA`LS$ PA  TT6iUUAČA`LS$ P-T`6iUUAČA`LS$ T 1.  
TT6 iUUAČA`LS$ P  T<6RiUUAČA<`L&t lAll individuals    TTS6kiUUAČAS`L&t P  T67iUUAČA`Lv xCalifornia Civil Code !   !  !  ' % Ldj>j5!??% ( T|j>UUAČALv \1798.85,  T|?jUUAČA?Lv \ 1798.29  TTj UUAČALv P  T`a6iUUAČAa`LC TYesTT6iUUAČA`LC P  ' % Ld6i6$4!??% ( TX6iUUAČA`LE P**TT6+iUUAČA`LE P  % LdQ#R$Q#!??%  % LdS##$S#!??%  % Ld$#%$$#!??%  % Ld&#s$&#N!??%  % Ldt#u$t#!??%  % Ldv#$v#V!??%  % Ld#$#!??%  % Ld#B$#u!??%  % LdC#D$C#!??%  % LdE#$E#u!??%  % Ld#$#!??%  % LdQ%RQ%!??%  % Ld$%%$%!??%  % Ldt%ut%!??%  % Ld%%!??%  % LdC%DC%!??%  % Ld%%!??%  TXUUAČALS$ PA  TTUUAČALS$ P-T`UUAČALS$ T 2.  TT UUAČALS$ P  T|<UUAČA<L&t \Students  TT UUAČAL&t P  TUUAČALv Family Educational Rights &    !    T*UUAČA!Lv |and Privacy Act (FERPA)    !TT*UUAČA!Lv P  T`aUUAČAaLC TYesTTUUAČALC P  TXUUAČALE PNo!TT6UUAČALE P  % LdQRQ!??%  % LdS#S!??%  % Ld$%$!??%  % Ld&s&N!??%  % Ldtut!??%  % LdvvV!??%  % Ld!??%  % LdBu&" WMFC &!??%  % LdCDC!??%  % LdEEu!??%  % Ld!??%  % LdQR<Q!??%  % Ld$%<$!??%  % Ldtu<t!??%  % Ld<!??%  % LdCD<C!??%  % Ld<!??%  TXPUUAČAzLS$ PA  TTPUUAČAzLS$ P-TdPUUAČAzLS$ T 3.  TTPUUAČAzLS$ P  T<PUUAČA<z L&t `Employees& TT P8UUAČA zL&t P  TPgUUAČAz Lv dDistrict pro!    
TphPUUAČAhzLv XcedureTTP UUAČAzLv P  T`aPUUAČAazLC TYesTTPUUAČAzLC P  TXPUUAČAzLE PNo!TTP6UUAČAzLE P  % LdQ=R>Q=!??%  % LdS=#>S=!??%  % Ld$=%>$=!??%  % Ld&=s>&=N!??%  % Ldt=u>t=!??%  % Ldv=>v=V!??%  % Ld=>=!??%  % Ld=B>=u!??%  % LdC=D>C=!??%  % LdE=>E=u!??%  % Ld=>=!??%  % LdQ?RQ?V!??%  % LdQRQ!??%  % LdQRQ!??%  % LdS#S!??%  % Ld$?%$?V!??%  % Ld$%$!??%  % Ld&s&N!??%  % Ldt?ut?V!??%  % Ldtut!??%  % LdvvV!??%  % Ld??V!??%  % Ld!??%  % LdBu!??%  % LdC?DC?V!??%  % LdCDC!??%  % LdEEu!??%  % Ld??V!??%  % Ld!??%  % Ld!??%  Rp @"Arial3& z Arial?$䡣)0u 0u lN0u dv% ThUUAČAh L `*refer to    Rp @"Arial&" WMFC #1 0|ˮ0`1 03& z Arial  ?4̵)0u 0u lN0u dv% T=UUAČAL tPersonal Information    % T>VUUAČA>L p definitions below     TTWiUUAČAWL P  ' % Ldh  h&!??% ( T4h  UUAČAh|L D**Civil Code 1798.29 requires  state agencies, businesses and persons conducting business in California to notify affected                                  ' % Ldh * h *&!??% ( Th ) UUAČAh# DL persons in event of a breach. This section of code may not apply to                    T ) UUAČA# L California Community Colleges.        TT ) UUAČA# L P  % T[ * UUAČA L dDefinitions0%)()%TT+[ N UUAČA+ L P $ Rp @"Arial Q, < (u 0ă*ă-0u @̪0̪0d0su u Tu ի0 !# u u 3& z Arial?$h)0Tu 0Tu lN0lu dv% TX  UUAČA L PA. TT  UUAČA L P T j UUAČA L tPERSONAL INFORMATION!$!  $"& % TTk z UUAČAk L P:TT{  UUAČA{ L P ! "  Rp @"Arial3& z Arial?440~)0u 0u lN0u dv% T vT UUAČAJ L tPersonal information  & % Tw 8S UUAČAwJ L ` includes:   TT9 PS UUAČA9J L P  TXg  UUAČA L P1. TTg B UUAČA L P %TCg  UUAČAC bL For all individuals, an individual's first and last name in combination with any of the following:               &  &   !      !  TTg  UUAČA L P ! "  Rp@Symbol Q, < (u 00ă0-0u @̪0̪0d0dividuals, an individual's firt5Symbol?T@A)0Tu 0Tu lN0lu dv% TT 1 UUAČA L P% TT2 g UUAČA2 L P 6Th 1 UUAČAh L xsocial security number    &TT1 H UUAČA1 L P ! "  % TT 1& UUAČA L P% TT2 g& UUAČA2 L P 6Th >& UUAČAh L |driver's license number    &TT> V& UUAČA> L P ! 
"  % TT3 1k UUAČAb L P% TT28 gk UUAČA2b L P 6Th8 }k UUAČAhb L hfinancial acco   T~8 k UUAČA~b ML unt or credit card number in combination with any password that would permit     &  &   !      !  & ! "  TThl  UUAČAh ,L z&WMFCaccess to the individual's financial account           TTl  UUAČA L P ! "  % TT 1 UUAČA L P% TT2 g UUAČA2 L P 6Th  UUAČAh L tmedical information&  % TT  UUAČA L P ! "  ! " % ( 6 6 6 66 6 6 66 6 6 66 6 6 66 6 6 66 6 6 66 6 6 66 6 6 66 6 6 6  ."System-@"Arial-  2 7i ,'@"Arial-2 = 17Թ  2 _@2 e# De Anza Community College District - 2  i 2 n1 2 t -2 G Saved on: 2 u July 28, 2008- 2  ,'-:2 =Educational Technology Services- 2  -2 Wof u 2 b72 g page(s)- 2  -2 \By: #2 l17Թ- 2  ,' 2 = ,'@"Arial-I2 l)Electronic Information Security Procedure          2 lQ 2 U(draft))  2  @"Arial-_2 8,If you suspect that a security breach has occurred in a 2 ,district 2 ,-A2 $,owned computing system, contact the:    2 , - @ !-- @ !-- @ !n-- @ !,-- @ !,-- @ !&-- @ !&,--#2 qCall Center at x  @"Arial- 2 3q8324 -  2 Tq %2 qduring work hourso  2 Mq -)2 q,District police at x - 2 q,7313 -  2 q, 82 xq,after work hours / on holidays  2 &q, - @ !-- @ !-- @ !q-- @ !q-- @ !,-- @ !.-- @ !-- @ !-- @ !-- @ !.q-- @ !q-- @ !q-- @ !.,-- @ !,-- @ !,-@"Arial-2 %=Purposet  2 % @"Arial- 2 ;=jThe purpose of this procedure is to enhance the security of stored, transmitted, and distributed personal  2 J=einformation that could be used to impersonate an individual and cause serious loss of privacy and/or   &2 Z=financial damage.   2 Z 72 n=In addition to this procedures2 nM, colleges and departments are urged to establish best practices that reduce  2 ~=dthe collection, distribution, and retention of personal data, which is not necessary to perform the   V2 =2educational and business needs of the institution. 
2 c 52 =Legal requirements and local 2 M policy require that District personnel take appropriate measures to protect   2 =cpersonal information from inadvertent or illegal exposure to unauthorized individuals. Other legal    2 =Prequirements require that if certain personal information is inadvertently discl  72 osed, the district / college s2 =dmust notify all individuals whose information was compromised. Refer to the table below for further        R2 =/details regarding legal and local requirements.  2 P @"Tahoma- n2 iBLegal and Local Requirements for Safeguarding Personal Information    2  -2 i cReference* 2 c  2 A2  pplies to 2  22  Required by applicable law 2 ~ 2   Requires -2   protection- @ !+- 2  ? 2   2 ) !Requires -2 R !notification- @ !/R- 2 !? 2 ! - @ !c-- @ !c-- @ !=c-- @ !-- @ !b-- @ !-- @ !-- @ !-- @ !m-- @ ! -- @ !m!-- @ !-- @ !-- @ !c-- @ !-- @ !-- @ !-- @ ! -- @ !-- 2 *rcA  2 *~c-2 *c 1.p 2 *c "2 *All individuals  2 * ,2 * California Civil Code   - @ !4- - 2 9 1798.85,2 9> 1798.29 2 9s 2 * Yes9  2 *  - @ ! R- 2 *R!** 2 *]! - @ !c-- @ !=c-- @ !-- @ !b-- @ !-- @ !-- @ !-- @ !m-- @ ! -- @ !m!-- @ !-- @ !)c-- @ !)-- @ !)-- @ !)-- @ !) -- @ !)-2 SrcA  2 S~c-2 Sc 2.9 2 Sc 2 SStudents  2 S 22 S Family Educational Rights    .2 b and Privacy Act (FERPA)    2 b 2 S Yesd  2 S  2 SO!No  2 S`! - @ !Ac-- @ !=Ac-- @ !A-- @ !bA-- @ !A-- @ !A-- @ !A-- @ !mA-- @ !A -- @ !mA!-- @ !A-- @ !(Bc-- @ !(B-- @ !(B-- @ !(B-- @ !(B -- @ !(B-2 |rcA  2 |~c-2 |c 3.  2 |c 2 | Employees  2 | 2 |  District pro 2 |Jcedure 2 |s 2 | Yesu  2 |  2 |O!No  2 |`! - @ !jc-- @ !=jc-- @ !j-- @ !bj-- @ !j-- @ !j-- @ !j-- @ !mj-- @ !j -- @ !mj!-- @ !j-- @ !kc-- @ !c-- @ !c-- @ !=c-- @ !k-- @ !-- @ !b-- @ !k-- @ !-- @ !-- @ !k-- @ !-- @ !m-- @ !k -- @ ! -- @ !m!-- @ !k-- @ !-- @ !-@"Arial- 2 i *refer to @"Arial- )2 Personal Information - &2  definitions below 2 E - @ ! 
s an information system, server, or other
Data Resource
Data resource manager:
Lead authority:
Control records:
ETS Incident Response Team
Responsibilities:
  The lead authority has oversight responsibilities to:
  The CBIS manager has responsibilities to:
  The data resource manager has responsibilities to:
  All employees have responsibilities to:
  Other Responsibilities
Incident Response Process
  Notify key persons
  Isolate the system
    For Computer Based Information Systems:
    For employee assigned desktop or laptop computers:
    For Stolen Computing Systems:
  Analyze the breach
  Report the incident
  Restore and reconnect the System
  Notify individuals whose personal information has been compromised
References

http://www.fhda.edu/security
http://153.18.96.19/downloads/etac/Policy3250.doc
http://fhdafiles.fhda.edu/downloads/aboutfhda/3410ap.pdf
http://www.privacy.ca.gov/lawenforcement/laws.htm
http://www.privacy.ca.gov/financial/sbfs021205.pdf
Fred Sherman Faculty Staff