Information Security Policy

1. Purpose

York College of Pennsylvania (YCP) operates an information technology infrastructure to facilitate the College’s mission, and provides network and Internet access, as well as information processing facilities for students, faculty, and staff. All components of this infrastructure must be maintained using accepted security principles.

The purpose of this Written Information Security Policy (WISP) is to formally set out the requirements for the IT department to create an overarching information security policy framework, consisting of a defined policy and supporting procedures for securing assets, complying with governance requirements, and managing cybersecurity risk.

To ensure that infrastructure is maintained in a known, optimized, resilient, and secure state, policy and procedures must be implemented that meet governance requirements. YCP must comply with the Gramm-Leach-Bliley Act (GLBA), Title 16 U.S.C., Chapter I, Subchapter C, Part 314 §314.4, which requires higher education institutions to conform to the security requirements stated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, which were used to develop this policy.

This policy implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act, and sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of information. This policy complies with Commonwealth of Pennsylvania statutes, as well as Federal laws and regulations. Nothing in this policy or its supporting procedures should be construed to conflict with higher-level Federal, State or College policies; in the event of a potential conflict, those superseding directives will take precedence.

2. Scope

This policy applies to all YCP data, regardless of where it is stored or processed. While YCP does not manage the internal configurations of external contractor systems, any such system interconnecting with YCP networks must meet the security standards outlined in our Third-Party Risk Management Policy.

This policy is intended to address all requirements of §314.4, as well as NIST SP 800-171 and the security controls contained therein.

This policy supports all applicable information protection policies, including but not limited to:

  • Data Classification Policy
  • FERPA Policy
  • Higher Education Opportunity Act (HEOA)
  • Digital Millennium Copyright Act (DMCA)
  • Acceptable Use Policy
  • Artificial Intelligence Guidelines
  • Email Use and Retention Policy
  • Password Policy
  • Virtual Private Network (VPN)
  • Enterprise Information Systems and End-user Documentation
  • Change Management Policy
  • GLBA Information Security Policy
  • Handling Unsolicited Non-Public Information Received by Email
  • Incident Response Plan
  • Third Party Risk Management Policy

3. Definitions – if not included in the Data Lexicon

4. Policy

The following summarizes the control and policy requirements that must be met under both §314.4 and NIST SP 800-171:

4.1 Qualified Individual (§314.4a)

YCP must designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. The YCP Chief Information Officer (CIO) is the designated qualified individual for the College for the purposes of this policy.

4.2 Risk Management and Assessment (§314.4b)

YCP must base its information security program on risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and that assess the sufficiency of any safeguards in place to control these risks. Risk assessments must be performed periodically to ensure continued compliance with this requirement.

To implement this requirement, YCP must develop and implement a risk management strategy which includes standardized risk assessment and analysis methodologies. Risk policy must include:

  • Criteria for evaluation and categorization of security risks
  • Criteria for assessment of the security posture of information systems and the information they process
  • Requirements for periodic, scheduled assessments of various types, including vulnerability assessments, penetration tests, and controls testing

4.3 Implement Safeguards (§314.4c)

YCP must design and implement safeguards to control the risks identified through risk assessments. Policies must include provisions for:

  • Implementing and periodically reviewing administrative, technical, physical, and operational controls
  • Strong authentication and encryption mechanisms
  • Access control policies based on least privilege, separation of duties, job position requirements, need-to-know, supervisory approval, and other access control elements
  • Data governance, including classification, handling, and disposal of sensitive data
  • Change and configuration management
  • Monitoring and auditing of information systems, actions performed by authorized users, and system events
  • Security assessments
  • Security awareness and training for all personnel based on roles, responsibilities, and privileged access
  • Vendor and supply chain risk management
  • Incident response

4.4 Controls Monitoring (§314.4d)

Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. This includes security assessments such as vulnerability and penetration testing.

4.5 Personnel Security (§314.4e)

Implement policies and procedures to ensure that personnel are able to carry out the College’s information security program by:

  • Providing security awareness training at the appropriate depth and level
  • Utilizing trained, qualified information security personnel
  • Restricting access to sensitive data based upon vetting, job position, and need-to-know

4.6 Service Provider and Supply Chain Risk Management (§314.4f)

Oversee service providers by taking reasonable steps to select and retain vendors and providers that are capable of maintaining appropriate safeguards for any systems or information they access. This includes requiring service providers to abide by established YCP security requirements and periodically monitoring for compliance with YCP security policies.

4.7 Risk Response (§314.4g)

Evaluate and adjust the information security program in light of the results of security testing and monitoring required by paragraph 4.4 of this policy; any material changes to College operations or business arrangements; the results of risk assessments performed under 4.2; or any other circumstances that may have a material impact on the information security program.

4.8 Incident Response (§314.4h)

Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information under the College’s control. The incident response plan shall address goals, roles and responsibilities, internal response processes, external and internal communications, incident severity, remediation processes, incident documentation and reporting, and incident response plan testing and updates.

4.9 Board Reporting (§314.4i)

The appointed qualified individual must report in writing at least annually to the Board of Directors on the overall status of the information security program and any significant matters related to the program, such as risk, control deficiencies, and any material changes to the program.

4.10 Breach Notification (§314.4j)

YCP must develop policies and procedures for notifying the appropriate authorities in the event of information or information system breaches. This includes procedures for breaches of sensitive or regulated information, such as health information under HIPAA (Health Insurance Portability and Accountability Act), education records under FERPA (Family Educational Rights and Privacy Act), and financial data under the provisions of GLBA. In accordance with §314.4j, the Federal Trade Commission must be notified of breach events involving the information of at least 500 customers, no later than 30 days after discovery of the event.

5. Procedure

6. References

7. Revision History and Approval History

[Version #]: [Date]: [Description of changes]

Version #   Revision / Review Date   Authored By      Reviewed/Approved By                           Reason
.01         03/23/2026               Bobby Rogers                                                    Draft initial procedure creation
.02         03/23/2026               Ilya Yakovlev                                                   Make minor revisions
.03         04/29/2026                                Data & Systems Management Board Committee      Endorsement
.03         05/21/2026                                Cabinet                                        Approved

Details

Article ID: 28859
Created
Fri 5/29/26 2:12 PM