Business and Operating Policies and Procedures
Policy: 4.8 Information Technology Resources and Acceptable Use
Adoption Date: March 27, 2017 Revised
Purpose
Policy 4.8 outlines Howard College Information Technology Resources as well as the Acceptable Use Policy, to comply with state and federal requirements including, but not limited to, TAC 202 and FERPA requirements.
Security Violations and Sanctions
Howard College Information Technology resources are valuable assets strategically provided to further the instructional, research, public service, and administrative functions of the college. Individuals using Information Technology owned or managed by the college are expected to know and comply with all college policies, procedures, as well as local, state and federal laws. Individuals are responsible for the security of any computer account issued to them and will be held accountable for any activity that takes place in their account.
- Detecting and Reporting
- Users of Howard College Information Technology resources are expected to report any known or observed attempted security violation. Additionally, they must not conceal or help to conceal violations by any party. Any actual or suspected security violation should be reported immediately to the Chief Technology Systems/Data Security Officer Services, a Cabinet member or the President of Howard College.
- Disciplinary Actions
- Violation of this policy may result in disciplinary action, which may include termination for employees, a termination of employment relations in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of Howard College Information Technology resources, access privileges, civil, and criminal prosecution, as well as legal action under state and federal laws, and legal action by the owners and licensors of proprietary software for violation of copyright laws and license agreements.
INFORMATION TECHNOLOGY RESOURCES and ACCEPTABLE USE POLICIES
4.8.1 Responsibilities
- The president of the college shall appoint an Information Security Officer (ISO) who shall report to executive management of the college. The ISO is the Chief Technology Systems/Data Security Officer Services.
- The Information Security Office shall ensure that ongoing information security trainings are held, and compliance assessments are completed.
- The Information Security Officer, in cooperation with information owners and custodians, shall develop and recommend policies, procedures, and practices necessary to ensure the security of information resources against unauthorized or accidental modification, destruction, or disclosure as maintained in the Howard College Internal Control Plan Procedures.
- The Information Security Officer shall ensure that an independent, third party, biennial review of the information security program is performed, including but not limited to the Internal Control Plan Procedures.
- Where appropriate and possible, a logon banner/warning should be presented when a user logs on to a system.
4.8.2 Data Classification and Risk Assessment
- All data owners or designated custodians shall be responsible for classifying data processed by systems under their purview based on data sensitivity so that the appropriate security controls can be applied, and the information resource can be appropriately managed.
- The Howard College Internal Control Plan will be used to classify data types and their need for confidentiality, integrity, and availability.
4.8.3 Physical and Environmental Security Policy
- All physical security and environmental control systems must comply with all applicable regulations such as, but not limited to, building codes and fire prevention codes.
- All information resource facilities must be protected against loss from both physical and environmental threats in proportion to the category of data or systems housed within the facility.
- Requests for access must be approved by the department head and authorized by the ISO.
- Access codes and/or keys must be changed on an annual basis, or more often based on the criticality or importance of the facility.
- Access codes, and/or keys must not be shared, reallocated, or loaned to others.
- Keys that are no longer required must be returned to the HR Department.
- Lost, stolen, or compromised access codes and/or keys must be reported to the ISO.
- The code and/or key access rights of individuals that change roles within the college or are separated from their relationship with the college shall be removed.
4.8.4 Backup and Business Continuity
- The ISO is responsible for developing and maintaining a Disaster Recovery Plan designed to address the operational restoration of the college’s critical computer processing capability.
- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
- All vendor(s) providing offsite backup storage, if any, for the college must be cleared to handle the highest level of information stored.
- Physical access controls implemented at offsite backup storage locations, if any, must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the college’s highest sensitivity level of information stored.
- The backup and recovery process for each system must be documented and reviewed annually by the ISO or designee.
- Backups must be tested monthly by the ISO or designee to ensure that they are recoverable.
- Howard College IT System Administrators are responsible for backing up Howard College IT managed servers and are required to implement a tested and auditable process to facilitate recovery from data loss.
- Records retention is the responsibility of the Data Owner. The Howard College IT backups are not to be used to satisfy the retention of records and are not customized for all the varying retention periods.
- All departments should store data on network storage rather than local storage (e. g. PC or Mac hard drive). Local storage is not backed up by Howard College IT and will be the responsibility of the data owner.
- Howard College IT System Administrators will perform daily incremental and monthly full data backups of all Howard College IT managed servers containing critical data for the purposes listed above.
- Howard College will not be responsible for data stored on non-Howard College cloud storage systems; such data will be subject to that vendor’s retention terms of service.
4.8.5 Portable Computing and Encryption
- Only portable computing devices approved by the Information Technology Department may be used to access college information resources.
- College owned portable computing devices must be password protected.
- Unattended portable computing devices must be physically secure. This means they must be locked in an office, locked in a desk drawer or filing cabinet, or locked in a secure, out-of-sight area of a vehicle.
4.8.6 Acceptable Use
- Howard College Information Technology resources are finite by nature. All users must recognize that certain uses of college owned information technology resources may be limited or regulated as required to fulfill the college’s primary teaching, research and public service missions.
- Users must report any weaknesses in computer security, and any incidents of possible misuse or violation of this agreement, to the ISO.
- Users must not attempt to access any data or programs contained on college systems for which they do not have authorization or explicit consent to do so.
- Users must not share their college account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes.
- Users are responsible for all actions that take place with their account.
- Users must distinguish between ideas, comments, and opinions of the individual user versus those that represent the official positions, programs, and activities of the college.
- The college is not responsible for the content of documents, exchanges or messages, including links to other information locations on the internet or world wide web, that reflect only the personal ideas, comments and opinions of individual members of the college community, even where they are published or otherwise circulated to the public at large by means of college information technology resources.
- Students, faculty and staff using information technology resources for purposes of exchanging, publishing or circulating official institutional documents must follow Howard College requirements concerning appropriate content, style and use of logos, seals, or other official insignia.
- Users of Information Technology resources must not use any software not provided by the college without Information Technology Department approval.
- Users must not purposely engage in activity that may interfere with or disrupt computer systems, networks and related services, by means including, but not limited to, the propagation of computer “worms”, “viruses” and “Trojan Horses”. Users may not harass, threaten or abuse others; degrade the performance of college information technology resources; deprive an authorized Howard College user of access to a college resource; obtain extra resources beyond those allocated; or circumvent any computer security measures.
- Users must not download, install or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, users must not run password cracking programs, packet sniffers, or port scanners or any other nonapproved programs on college information technology resources.
- Use of the College’s information technology resources is strictly prohibited for unauthorized commercial activities, fraud, personal gain, or private purposes otherwise unrelated to College business or fundraising. This includes soliciting, promoting, selling, marketing or advertising products or services, reselling College resources, or political lobbying or campaigning.
- Users must not intentionally create, access, store, view or transmit material which the college may deem to be offensive, indecent or obscene (other than in the course of academic research where this aspect of the research has the explicit approval of the college’s official processes for dealing with academic ethical issues).
- Illegal material may not be used to perform any legitimate job or academic function and therefore may not be created, accessed, stored, viewed, or transmitted on college information technology resources.
- A Howard College owned, home based computer must adhere to all the same policies that apply to use from within Howard College facilities. Employees must not allow family members or other non-employees access to college computer systems.
- Users must not otherwise engage in acts against the aims and purposes of Howard College as specified in its governing documents or in rules, regulations and procedures adopted from time to time.
- All user activity on Information Technology resources assets is subject to logging, monitoring, and review.
- Privately owned information resources are subject to the Acceptable Use Policy when used or operated on campus.
- As a convenience to the Howard College user community, some incidental use of Information Technology resources is permitted. The following restrictions apply:
- Incidental personal use of electronic mail, internet access, fax machines, printers, copiers, telephones, and so on, is restricted to college approved users; it does not extend to family members or other acquaintances.
- Incidental use must not result in direct costs to the college.
- Incidental use must not interfere with the normal performance of an employee’s work duties.
- No files or documents may be sent or received that may cause legal action against, or embarrassment to, the college.
- Storage of personal email messages, voice messages, files and documents within the college’s Information Technology Department must be minimal and anything deemed to be excessive can be deleted at the discretion of the ISO. Further, it is the responsibility of the individual to have personal data backed up on a privately owned storage device and the college is not responsible for any lost personal media or data.
- All messages, files and documents – including personal messages, files and documents – located on college Information Technology Department equipment are owned by the college, may be subject to open records requests, and may be accessed in accordance with this policy.
4.8.7 Account Management
- All access requests for Information Technology resources shall follow an account creation process that includes appropriate approvals.
- Users (Trustees, full-time and part-time employees, official retirees, students and other approved users) must sign the appropriate Howard College Information Technology Department Security Acknowledgement and Nondisclosure Agreement before access is given.
- All accounts must be uniquely identifiable using a centrally assigned username from the Information Technology Department.
- All accounts have a password construction and expiration that complies with the college Password Security Guidelines issued by the ISO.
- Accounts of individuals, who have had their status, roles, or affiliations with the college change or who have become separated from the college, shall be updated or revoked to reflect their current status. In the event that a departing individual’s account needs to remain enabled and open for access by a supervisor or a Cabinet Member, a written request will need to be submitted to the IT Help Desk requesting that the account password be reset and remain open. The default duration of the account will be set to 90 days at which time the account will expire. If the duration needs to be longer than 90 days, a written request by a Cabinet Member needs to be submitted to the IT Help Desk requesting a time frame up to but not exceeding 365 days. The account will be retained for a minimum of 365 days from expiration or last use. The IT staff will flag these accounts and will send a report to Cabinet before deletion of any accounts in case a Cabinet member determines an account needs to remain active.
- Accounts of individuals on extended leave may be disabled at the discretion of the Information Technology Department.
- Accounts should be reviewed by system administrators and data owners at least annually, or more frequently where control procedures require, to ensure their status is correct.
- All vendor, consultant, and contractor accounts shall follow this policy.
- Faculty, staff, student workers, approved visitors, and student accounts will have access to appropriate campus file shares and email with designated quotas, appropriate file servers, personal website, wireless access, specific applications, and self-service functionality.
- Retiree and limited visitor accounts will have access to email with designated quotas, personal websites and self-service functionality. File shares other than the home drive and file servers are not available to this role.
4.8.8 Administrator/Special Access
- All users of system administrator or other special access accounts must be authorized by the ISO, appropriate administrators and data owners.
- Users must sign the appropriate Howard College Information Technology Department Security Acknowledgement and Nondisclosure Agreement before access is given to an administrator or other special access account.
- The password for a shared administrator/special access account must change when an individual with the password leaves the department or college, or upon a change in the third-party vendor personnel assigned to a college contract.
- When special access accounts are needed for internal or external Audit, software development, software installation, or other defined need, they must be:
- authorized by the system or data owner
- created with a specific expiration date
- removed when work is complete
4.8.9 Change Management Policy
- Significant changes to any of the college’s critical information resources, such as operating systems, computing hardware, networks, and applications, are subject to the discretion of the college administration with guidance and leadership provided by the Chief Technology Systems/Data Security Officer.
- Minor changes will be made by the Information Technology Department under the leadership of the Chief Technology Systems/Data Security Officer.
4.8.10 Network Access
- Use of the college network constitutes acknowledgement of, and agreement to abide by all policies set forth in the Acceptable Use Policy.
- Users are permitted to use only those network addresses issued to them by the Information Technology Department.
- All remote access to the college internal network must be authorized by Information Technology Department.
- Users must not extend or re-transmit network services in any way.
- Users must not install or alter network hardware or software in any way.
- Network devices that pose an immediate threat to network operations, performance, or other network-connected devices must be disconnected or quarantined to minimize risk until the threat is removed.
4.8.11 Network Management and Configuration
- The Information Technology Department owns and is solely responsible for the management or administration of the college data and telephony network infrastructure including, but not limited to, the following:
- Installation, configuration and operation of all switches, routers, wireless devices, and firewalls
- Installation, configuration and operation of active network management devices
- Establishment and management of all protocols used on the college network
- Network address allocation and distribution
- All connections to external third-party data and telephony networks
- All communications cabling installation or modification
- Extension or re-transmission of network services in any way
- Configuration and broadcast of all wireless signals providing access to the college network
- Installation and configuration of all telephony devices
- Creation and maintenance of all college network infrastructure standards and guidelines
- Creation and maintenance of a directory of network devices
- Any device connected to the college network is subject to Information Technology Services Department management and monitoring standards.
- Howard College IT may disconnect and remove any Howard College IT unauthorized network device, including wireless routers and access points.
- Howard College IT will perform annual vulnerability assessments and network scans to determine if assets hosted on Howard College’s network are vulnerable to any known flaws in the operating system, services or application. The results are intended to assist server and application owners in securing their assets and any College related data that they may house. Server or Application owners will be notified of any vulnerability present on their systems, and any servers whose vulnerabilities have not been remediated in a predetermined amount of time may be disconnected from Howard College’s network.
- Departments and individual users are prohibited from attaching or contracting with a vendor to attach port assignable, hard-wired equipment such as routers, switches, hubs, firewall appliances, wireless access points, virtual private network (VPN) servers, network address translators, proxy servers, and dial-up servers to the College network without prior authorization from Howard College IT.
- Howard College IT requires the registration of servers connected to the College network, which must be collocated in the Howard College IT data center. Following registration, Howard College IT will facilitate an information-technology risk assessment to ensure compliance with state and College standards and best practices. A department’s administrative head is responsible for designating a server administrator for each server. The server administrator shall collaborate with Howard College IT as necessary to:
- Register the server with the ISO.
- Protect the server against exploitation of known vulnerabilities.
- Address and resolve security problems identified with any device or application for which they are responsible.
- Utilize the protection benefits available through the College’s network edge protection mechanisms (e.g., firewall, intrusion prevention systems, etc.).
- Accommodate risk assessments, vulnerability scans, and penetration tests of their server by Howard College IT and take steps to mitigate the risks identified by these procedures.
- Immediately report system compromises and other security incidents to the ISO.
4.8.12 Information Technology Department Privacy Policy
- Electronic files and data created, sent, received, stored, or transmitted across computers or other information technology resources owned, leased, administered, or otherwise under the custody and control of the college are not private unless expressly stated in federal or state law and may be accessed at any time by the college administration, following a defined approval process, without knowledge of the information resource user or owner. Applicable open records requests shall follow the college standard formal request process.
- The college may log, review, capture, and otherwise utilize information stored on or passing through its information technology resources as needed for the purpose of system administration and maintenance, for resolution of technical problems, for compliance with the Texas Public Information Act, for compliance with federal or state subpoenas, court orders, or other written authorities, to allow institutional officials to fulfill their responsibilities when acting in their assigned capacity, and to perform audits. No notification is required to view this information; however, users with privileged access are expected to maintain the privacy of the individual.
- Identifying information shall be removed before sharing collected information to prevent loss of individual privacy where possible.
- Employees, contractors, vendors, and affiliates of the college shall safeguard the privacy and security of any information owned by or entrusted to the college.
- Disclosure of personally identifiable information to unauthorized persons or entities is expressly forbidden.
- Access to personally identifiable information shall be granted through an appropriate approval process and be revalidated on a regular basis.
- Paper and electronic documents containing personally identifiable information shall be secured during use and when not in use.
- Electronic documents containing personally identifiable information shall only be stored on authorized systems.
4.8.13 Software Licensing
- Copies of software licensed by the college shall not be made without verifying that a copy is permitted via the license agreement.
- Software used on college-owned systems shall be properly licensed for its method of use (concurrent licensing, site licensing, or per system licensing).
- The college has the right to remove inappropriately licensed software from college computers if the user is not able to show proof of license.
- Software license management shall be monitored by the Information Technology Services Department.
4.8.14 Computer Related Purchasing and Support
- The Information Technology Services Department must approve all information technology related software and hardware purchases regardless of source of funds, including any device capable of storing, transmitting or processing electronic college owned data.
- The Information Technology Department will assist the Purchasing Department with all quotes for bids and prices.
- Each division, department, and office must consult with the Information Technology Department when preparing its annual budget for guidance in developing its requests for funds for hardware and software acquisitions.
4.8.15 Data Disposal and Destruction
- Prior to the sale, transfer, or other disposal of information technology resources, the Information Technology Department will assess whether to remove data from any associated storage device.
- Electronic state records shall be destroyed in accordance with state and federal guidelines.
- The college shall keep a record/form (electronic or hard copy) documenting the removal and completion of the process with the following information:
- date
- description of the item(s) and serial number(s)
- inventory number(s)
4.8.16 Peer-to-Peer (P2P)
- Users of state computers or networks shall not download, install or use any P2P software on state computers, networks, or mobile computing devices (PDA) without specific authorization in writing from the Information Technology Department.
- Any permitted use of P2P software is subject to all information resource policies including the Acceptable Use policy.
4.8.17 Malicious Code Policy
Prevention and Detection:
- All desktops and laptops connected to the Howard College network must use Howard College approved virus protection software and configuration.
- Each file server attached to the Howard College network must utilize Howard College approved virus protection software and must be set up to detect and clean viruses that may infect file shares.
- Software to safeguard against malicious code (e.g. antivirus, anti-spyware, etc.) shall be installed and functioning on susceptible information technology resources that have access to the College network.
- All information technology resource users are prohibited from intentionally developing or experimenting with malicious programs (e.g. viruses, worms, spyware, keystroke loggers, phishing software, Trojan horses, etc.) unless a part of an approved research or academic program.
- All information technology resource users are prohibited from knowingly propagating malicious programs including opening attachments from unknown sources.
- Email attachments and shared files of unknown integrity shall be scanned for malicious code before they are opened or accessed.
- Flash drives, external hard drives, and other mass storage devices will be scanned for malicious code before accessing any data on the media.
- Software safeguarding information technology resources against malicious code should not be disabled or bypassed by end-users.
- The settings for software that protect information technology resources against malicious code should not be altered in a manner that will reduce the effectiveness of the software.
- The automatic update frequency of software that safeguards against malicious code should not be disabled, altered or bypassed by end-users to reduce the frequency of updates.
Response and Recovery:
- All reasonable efforts shall be made to contain the effects of any system that is infected with a virus or other malicious code. This may include disconnecting systems from the network or disabling service.
- If malicious code is discovered, or believed to exist, an attempt should be made to remove or quarantine the malicious code using current antivirus or other control software.
- If malicious code cannot be automatically quarantined or removed by antivirus software, the system should be disconnected from the network to prevent further possible propagation of the malicious code or other harmful impact. The presence of the malicious code shall be reported to Information Technology Services by contacting the ServiceDesk.
- Personnel responding to an incident should be given the necessary access privileges and authority to take the measures needed to contain/remove the infection.
- If possible, identify the source of the infection and the type of infection to prevent recurrence.
- Any removable media (including flash drives, external hard drives, mass storage cards, etc.) recently used on an infected machine shall be scanned prior to opening and/or executing any files contained therein.
- Howard College Services personnel should thoroughly document the incident, noting the source of the malicious code (if possible), resources impacted, and damage or disruption to information technology resources, and submit it to the Information Security Officer to be included in the Department of Information Resources Security Incident Reporting System.
4.8.18 User Password Policy
Users are responsible for what is accessed, downloaded, or created under their credentials regardless of intent. An unauthorized person can cause loss of information confidentiality, integrity and availability that may result in liability, loss of trust, or embarrassment to Howard College.
Account Holder Responsibilities:
- Must create a strong password and protect it.
- Password must have a minimum length of six (6) alphanumeric characters.
- Password must contain a mix of upper case, lower case and numeric characters and special characters (!@#%^&*+=?/~’;:,<>|\).
- Passwords must not be easy to guess, for instance, they should not include part of your social security number, your birth date, your nickname, etc.
- Passwords must not be easily accessible to others (e.g. posted on monitors, under keyboards).
- Computing devices must not be left unattended without locking or logging off of the device.
- Stored passwords must be encrypted.
- Howard College username and password should not be used for external services (e.g. LinkedIn, Facebook or Twitter).
- Users should never share their password with anyone, including family, supervisors, co-workers and Howard College IT personnel.
- Users will be required to change passwords at least once per 180 days.
- If you know or suspect that your account has been compromised, change your password immediately and contact the Howard College IT Service Desk for further guidance and assistance.
- If Howard College IT suspects your account has been compromised, your account will be deactivated, and you will be contacted immediately.
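The password construction rules above (minimum length, required character classes, the listed special-character set, and the "not easy to guess" rule) can be expressed as a single policy check. The following is an added example, not Howard College's own code; the function name, the `personal_terms` parameter and the acceptance of an ASCII apostrophe alongside the typographic one printed in the policy are assumptions.

```python
# Policy-as-code check for the 4.8.18 Account Holder password rules.
# Added illustration; not part of the Howard College policy text.

# Special characters permitted by the policy: !@#%^&*+=?/~’;:,<>|\
# The policy prints a typographic apostrophe (’); the ASCII apostrophe (')
# is accepted as well here on the assumption that it is what users type.
SPECIAL_CHARS = set("!@#%^&*+=?/~’';:,<>|\\")
MIN_LENGTH = 6  # "minimum length of six (6) alphanumeric characters"


def check_password(password: str, personal_terms=()) -> list:
    """Return the list of policy rules the password fails.

    An empty list means the password satisfies every checked rule.
    personal_terms (assumed parameter) carries strings the policy says must
    not appear in a password, e.g. part of an SSN, a birth date or a nickname.
    """
    failures = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # "a mix of upper case, lower case and numeric characters and special characters"
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character from the permitted set")

    # "must not be easy to guess": reject passwords containing supplied personal data.
    # Case-insensitive substring match; very short terms are skipped to avoid
    # rejecting every password that happens to share one or two characters.
    lowered = password.lower()
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            failures.append(f"contains personal information: {term!r}")

    return failures


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate, terms in [("Tx!9abc", ()), ("abcdef", ()), ("Cougar!23", ("Cougar",))]:
        result = check_password(candidate, terms)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```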
Any individuals responsible for managing passwords must:
- Prevent or take steps to reduce the exposure of any clear text, unencrypted account passwords that Howard College applications, systems, or other services have received for purposes of authentication.
- Never request that passwords be transmitted unencrypted. It is particularly important that passwords never be sent via email.
- Never circumvent this password policy for the sake of ease of use.
- Coordinate with Howard College IT regarding password procedures.
4.8.19 Electronic Data Security – Incident Response
The Importance of Securing Electronic Data
Much of the data stored or transmitted via Howard College’s computing equipment is confidential. Unauthorized access to this data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Howard College community at risk and exposing the College to litigation. Unauthorized access to other confidential data, though not usable for identity theft, may nonetheless have serious legal, financial, or public relations implications for the College.
Preventing Electronic Data Breaches
The task of protecting confidential electronic data is shared by all members of the Howard College community who have authorized access to such data. In general, confidential data should not be accessed, copied, stored, downloaded, transmitted, or used unless it is essential to do so to conduct College business.
Confidential data should not be stored on laptops or other mobile devices for longer than necessary and should be encrypted at all times when not actually in use. Devices that contain confidential data, whether mobile or not, should be secured by strong authentication (e.g., multiple levels of passwords) as well as by physical means (security cables, locked cabinets, etc.). Mobile devices should not be put into checked luggage when traveling.
The Chain of Responsibility
Under certain circumstances, confidential electronic data, such as student names, email addresses, or other information, may need to be conveyed to individuals or groups who are not employees of the College. These may be vendors, contractors, professional organizations, (internal) student organizations, or others. In these circumstances, the College must require the recipient of the data to abide by the same (or stricter) guidelines to protect the data from unauthorized access or abuse. This chain of responsibility must extend to any third parties (or beyond) to whom the confidential data might be further conveyed.
Responding to Data Security Breaches
Despite explicit guidelines for securing confidential electronic data, breaches can still occur. At such times, it is important that the College respond as quickly and as professionally as possible. Computer thefts should be reported immediately to Howard College IT. Steps that Howard College IT will take in the event of a data security breach are as follows:
1. Determination of the nature and scope of a breach
- identification of the person reporting the breach (name, contact info, etc.)
- record of the location, timeframe, and apparent source of the breach
- preliminary identification of confidential data that may be at risk
2. Communication
- chief information officer
- president and senior officers (depending on sensitivity and scope of data exposed)
- legal counsel (depending on sensitivity and scope of data exposed)
- law enforcement (depending on the nature/scope of theft)
- Insurance Policy (company retained by Howard College to assist with breach notification)
- if credit card data is involved, notify the bankcard holder within 24 hours of confirmed breach discovery (and notify Campus Police, Inc. for assistance)
3. Investigation
- identify ongoing vulnerability of data to exposure from breach source (take immediate steps to address)
- conduct preliminary forensic analysis (retain outside assistance as needed)
- prepare inventory of data at risk
- determine if exposed data were encrypted
- identify security measures that were defeated (and by what means)
4. Assessment of breach
- identify affected individuals at risk of identity theft or other harm
- assess financial, legal, regulatory, operational, reputational and other potential institutional risks
5. Remediation
- implement password changes and other security measures to prevent further data exposure
- determine if exposed/corrupted data can be restored from backups; take appropriate steps
- determine if value of exposed data can be neutralized by changing account access, ID information, or other measures
6. Notification
Based on regulatory requirements (e.g., Oregon ID Theft Protection Act) and other factors, Senior Officers, CIO, and Director of Public Affairs (in consultation with legal counsel as appropriate) determine whether notifications are indicated for:
- government agencies
- affected individuals
- Howard College community
- business partners
- public
- other
If Senior Officers, CIO, and Director of Public Affairs determine that notifications are needed:
- the CIO will notify the insurance company retained by Howard College, which will coordinate notifications to affected individuals. Unless directed otherwise by law enforcement, such notifications will be made without delay.
- the Chief Financial Officer and/or CIO will notify government agencies and business partners.
- the Director of Public Affairs will coordinate notifications to the Howard College community, the public, and others as necessary.
Communications will address the following points:
- nature and scope of breach
- general circumstances of the breach (e.g., stolen laptop, hacked database, etc.)
- approximate timeline (e.g., date of breach discovery)
- steps the college has taken to investigate and assess the breach
- any involvement of law enforcement or other third parties
- appraisal of any misuse of the missing data
- college-provided credit-watch service for affected individuals
- Insurance steps on behalf of affected individuals
- steps that the college is taking to prevent future breaches of this nature
Post-Incident Follow-Up
In the wake of a data security breach, Howard College will:
- take steps to ensure that missing data cannot be used to access further information or cause harm in other ways to Howard College’s electronic or other resources;
- pursue with law enforcement all reasonable means to recover lost data and equipment;
- review and modify as needed all procedures, software, and equipment governing systems administration, software management, database protections, access to hardware, etc., to prevent future data breaches of a similar nature;
- take appropriate actions if staff or other personnel negligence, or others' behavior, caused or contributed to the incident.