860.00  Vulnerability Management 

Purpose

The Salish Kootenai College Vulnerability Management Policy establishes the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.


Audience

The Salish Kootenai College Vulnerability Management Policy applies to individuals responsible for Information Resource management.

  1. Policy
    1. Endpoint Protection (Anti-Virus & Malware)
      1. All Salish Kootenai College owned and/or managed Information Resources must use the Salish Kootenai College IT management-approved endpoint protection software and configuration.
      2. All non-Salish Kootenai College-owned workstations and laptops must use Salish Kootenai College IT management-approved endpoint protection software and configuration before any connection to a Salish Kootenai College Information Resource.
      3. The endpoint protection software must not be altered, bypassed, or disabled.
      4. Each email gateway must utilize Salish Kootenai College IT management-approved email virus protection software and adhere to the Salish Kootenai College rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
      5. Controls to prevent or detect the use of known or suspected malicious websites must be implemented.
      6. All files received over networks or from any external storage device must be scanned for malware before use.
      7. Every virus not automatically cleaned by the virus protection software constitutes a security incident and must be reported to Salish Kootenai College IT Services.
    2. Logging & Alerting
      1. Documented baseline configurations for Information Resources must include log settings to record actions that may affect or are relevant to information security.
      2. Event logs must be produced based on the Salish Kootenai College Logging Standard and sent to a central log management solution.
      3. A review of log files must be conducted on an established schedule. This schedule is dependent on how frequently the logs are updated. IT Services will develop and maintain this schedule.
      4. All exceptions and anomalies identified during the log file reviews must be documented and reviewed.
      5. Salish Kootenai College will use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modifications.
      6. Log files must be protected from tampering or unauthorized access.
      7. All servers and network equipment must retrieve time information from a single reference time source regularly so that timestamps in logs are consistent.
      8. All log files must be maintained per the Record Retention Schedule.
    3. Patch Management
      1. The Salish Kootenai College IT team is responsible for patch management implementation, operations, and procedures.
      2. All Information Resources must be scanned regularly to identify missing updates.
      3. All missing software updates must be evaluated according to the risk they pose to Salish Kootenai College.
      4. Missing software updates that pose an unacceptable risk to Salish Kootenai College Information Resources must be implemented within a period that is commensurate with the risk as determined by the Salish Kootenai College Vulnerability Management Standard.
      5. Software updates and configuration changes applied to Information Resources must be tested before widespread implementation and must be implemented following the Salish Kootenai College Change Control Policy.
      6. Verification of successful software update deployment will be conducted within a reasonable period as defined in the Salish Kootenai College Vulnerability Management Standard.
    4. Penetration Testing
      1. Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually or after any significant changes to the environment.
      2. Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify the vulnerability was corrected.
    5. Vulnerability Scanning
      1. Vulnerability scans of the internal and external network must be conducted at least quarterly or after any significant change to the network.
      2. Failed vulnerability scan results rated at Critical or High will be remediated and re-scanned until all Critical and High risks are resolved.
      3. Any evidence of a compromised or exploited Information Resource found during vulnerability scanning must be reported to the Salish Kootenai College Information Security Officer and IT Services.
      4. Upon identification of new vulnerability issues, configuration standards will be updated accordingly.
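Logging & Alerting item 5 calls for file integrity monitoring or change detection on logs and critical files. The following is an added example, not software used or specified by Salish Kootenai College, of the core of such a control: hash every file under a directory to build a baseline, re-hash later, and report anything modified, added, or deleted. SHA-256 as the digest, the relative-path keying, and the constructed sample files (a log, a sudoers file, a dropped script) are assumptions for illustration only.

```python
"""Minimal file integrity baseline and change detection (added example).

Assumptions, not from the policy text: SHA-256 digests, a baseline kept as
{relative_path: hexdigest}, and any difference from the baseline treated as
an alert. The sample files in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, added or deleted relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.log").write_text(
            "Jan 1 00:00:01 host sshd[1]: Accepted publickey for alice\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline(root)

        # Simulated tampering: a log is truncated, a privilege file gains an
        # entry, and a new script appears. All three should be reported.
        (root / "auth.log").write_text("")
        (root / "sudoers").write_text(
            "root ALL=(ALL) ALL\nmallory ALL=(ALL) NOPASSWD: ALL\n")
        (root / "backdoor.sh").write_text("#!/bin/sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

A production deployment would store the baseline somewhere the monitored host cannot rewrite it (otherwise an attacker who can alter the log can alter the baseline too), run the comparison on a schedule, and feed the alerts to the central log management solution the policy requires.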

References:

  • ISO 27002: 12, 18

History:

Approved 3/17/2023

865.00   Identity and Access Management (IAM) 

Scope

This policy applies to those responsible for managing user accounts or access to shared information or network devices. Such information can be held within a database, application, or shared file space. This policy covers departmental accounts as well as those managed centrally.

Purpose

The purpose of this policy is to define required access control measures for all College systems and applications to protect the privacy, security, and confidentiality of College information technology resources.

Audience

The Salish Kootenai College IAM Policy applies to individuals responsible for managing Salish Kootenai College Information Resource access and those granted access privileges, including special access privileges, to any Salish Kootenai College Information Resource.

  1. Policy
    1. Access Control
      1. Access to Salish Kootenai College Information Resources as defined in Policy 860.00 must be justified by a legitimate business requirement prior to approval.
      2. Where multi-factor authentication is employed, user identification must be verified in person before access is granted.
      3. Salish Kootenai College Information Resources must have corresponding ownership responsibilities identified and documented.
      4. Access to confidential information is based on a “need to know.”
      5. Confidential data access must be logged.
      6. Access to the Salish Kootenai College network must include a secure log-on procedure.
      7. Workstations and laptops must force an automatic lock-out after a pre-determined period of inactivity.
      8. Documented user access rights and privileges to Information Resources must be included in disaster recovery plans whenever such data is not included in backups.
    2. Account Management
      1. All accounts created must have an associated and documented request and approval.
      2. Segregation of duties must exist between access request, access authorization, and access administration. In other words, the people who request access must not be the people who authorize it, and the people who administer access must be different from the people who authorized it.
      3. Information Resource owners are responsible for the approval of all access requests.
      4. User accounts and access rights for all Salish Kootenai College Information Resources must be reviewed and reconciled annually, and actions must be documented.
      5. All accounts must be uniquely identified using the username assigned by Salish Kootenai College IT Services and include verification that redundant user IDs are not used.
      6. All accounts, including default accounts, must have a password expiration that complies with the Salish Kootenai College Authentication Standard.
      7. Only the level of access required to perform authorized tasks may be approved, following the concept of “least privilege.”
      8. Whenever possible, access to Information Resources should be granted to user groups, not granted directly to individual accounts.
      9. Employee accounts to access Information Resources must not be shared.
      10. User accounts set up for third-party cloud computing applications used for sharing, storing, and/or transferring Salish Kootenai College confidential or internal information must be approved by the resource owner and documented.
      11. Upon user role changes, access rights must be modified promptly to reflect the new role.
      12. Creation of user accounts and access right modifications must be documented and/or logged.
      13. Any accounts that have not been accessed within a defined period will be disabled.
      14. Accounts must be disabled and/or deleted promptly following employment termination, according to a documented employee termination process.
      15. System Administrators or other designated personnel:
        1. Are responsible for modifying and/or removing the accounts of individuals that change roles with Salish Kootenai College or are separated from their relationship with Salish Kootenai College.
        2. Must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes, and permission changes.
        3. Must have a documented process for periodically reviewing existing accounts for validity.
        4. Are subject to independent audit review.
        5. Must provide a list of accounts for the systems they administer when requested by authorized Salish Kootenai College IT Services management personnel.
        6. Must cooperate with authorized Salish Kootenai College Information Security personnel investigating security incidents at the direction of Salish Kootenai College executive management.
    3. Administrator/Special Access
      1. Administrative/Special access accounts must have account management instructions, documentation, and authorization.
      2. When technically feasible, Administrative/Special access accounts should employ multi-factor authentication for all account logins.
      3. Personnel with Administrative/Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete their job function.
      4. Personnel with Administrative/Special access accounts must use the account privilege most appropriate with work performed (i.e., user account vs. administrator account).
      5. Shared Administrative/Special access accounts should only be used when no other option exists.
      6. The password for a shared Administrative/Special access account must change when an individual with knowledge of the password changes roles, moves to another department, or leaves Salish Kootenai College altogether.
      7. If a system has only one administrator, there must be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency.
      8. Special access accounts for an internal or external audit, software development, software installation, or other defined need must be administered according to the Salish Kootenai College Authentication Standard.
      9. General users will not be assigned Administrator privileges or special accounts except for the following:
        1. Special use computers such as instrument control computers
        2. Special use Internet of Things (IoT) devices
        3. Computers and Virtual Machines used in IT Education courses
        4. Other specialized computers that require non-IT Services personnel to have administrative rights to accomplish their duties.
    4. Authentication
      1. All passwords, including initial and/or temporary passwords, must be constructed according to the Salish Kootenai College Authentication Standard.
      2. Unique passwords should be used for each system whenever possible.
      3. Where other authentication mechanisms are used (e.g., security tokens, smart cards, certificates), the authentication mechanism must be assigned to an individual, and physical or logical controls must be in place to ensure only the intended account can use the mechanism to gain access.
      4. Stored passwords are classified as confidential and must be protected cryptographically: stored as salted one-way hashes where the system supports it, and otherwise encrypted.
      5. All vendor-supplied default passwords should be immediately updated and unnecessary default accounts removed or disabled before installing a system on the network.
      6. User account passwords must not be divulged to anyone. Salish Kootenai College support personnel and/or contractors should never ask for user account passwords.
      7. Security tokens (e.g., smart cards), if issued, must be returned on demand or upon termination of the relationship with Salish Kootenai College.
      8. If the security of a password is in doubt, the password should be changed immediately.
      9. Administrators/Special Access users must not circumvent the Salish Kootenai College Authentication Standard for ease of use.
      10. Users should not circumvent password entry with application remembering, embedded scripts, or hardcoded passwords in client software. Exceptions may be made for specific applications (like an automated backup) with the approval of the Salish Kootenai College IT Services.
      11. If a password management system is employed, it must be used in compliance with the Salish Kootenai College Authentication Standard.
      12. Computing devices should not be left unattended without enabling a password-protected screensaver or logging off of the device.
      13. Salish Kootenai College IT Services password change procedures must include the following:
        1. change to a strong password
        2. require the user to change the password at first login.
      14. If a user’s password is compromised or discovered, the password must be immediately changed, and the security incident reported to Salish Kootenai College IT Services.
    5. Remote Access
      1. All remote access connections to the Salish Kootenai College networks will be made through the approved remote access methods employing data encryption and multi-factor authentication.
      2. Remote users may connect to the Salish Kootenai College networks only after formal approval by the requestor’s manager and Salish Kootenai College IT Services.
      3. The ability to print or copy confidential information remotely must be disabled.
      4. Users granted remote access privileges must be given remote access instructions and responsibilities.
      5. Remote access to Information Resources must be logged.
      6. Remote sessions must be terminated after a defined period of inactivity.
      7. A secure connection to another private network is prohibited while connected to the Salish Kootenai College network unless approved in advance by Salish Kootenai College IT Services.
      8. Non-Salish Kootenai College computer systems that require network connectivity must conform to all applicable Salish Kootenai College IT standards and must not be connected without prior written authorization from IT Management.
      9. Remote maintenance of organizational assets must be approved, logged, and performed in a manner that prevents unauthorized access.
    6. Vendor Access
      1. Vendor access must be identifiable, provide non-repudiation, and comply with all existing Salish Kootenai College policies. Non-repudiation means that the form of vendor access provides assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
      2. External vendor access activity must be monitored.
      3. All vendor maintenance equipment on the Salish Kootenai College network that connects to the outside world via the network, telephone line, or leased line, and all Salish Kootenai College Information Resource vendor accounts will remain disabled except when in use for authorized maintenance.

References

  • ISO 27002: 6, 7, 8, 9, 12, 15
  • NIST CSF: PR.AC, PR.IP, PR.MA, PR.PT, DE.CM
  • Policy 841.00, Data Access and Security
  • Policy 705.00, Incident Management and Recovery

History:

Approved: 3/17/2023

461.50 Policy Appeals

Graduate students seeking exceptions from established graduate policies, such as admission, retention, or graduation requirements, may request them by submitting a written appeal to the Dean of Graduate Studies. Graduate students must notify the Graduate School that they are seeking an appeal.

The appeal packet must include the following:

  • A letter from the graduate student stating the policy or decision that is being appealed and the reasons the student believes the decision should be changed or the policy waived.
  • A letter from the graduate student's Graduate Committee Chair stating either approval or disapproval of the appeal and the reasons supporting that position.

The Dean of Graduate Studies will consult with the Vice President of Enrollment Management and Student Services or the Vice President of Academic Affairs as appropriate. The Dean of Graduate Studies will respond in writing to the student within ten (10) working days or provide written notice of the timeline for response if a delay is needed.

Appeal approval or denial will be made by the Dean of Graduate Studies.

History:

Adopted: 4/16/2021
Revised:  

302.50 External Financial Audit

Purpose

Salish Kootenai College will have an annual external audit of accounts, accounting procedures, grants, and other fiscal-related items as required by current federal audit standards. The audit will be compliant with the Federal Single Audit Act. The external audit is a key component of the College’s risk management processes. The audit will be conducted by an independent firm of certified public accountants who are familiar with college and tribal accounting practices.

Definitions

Audit – An independent and objective appraisal to examine or review the fair presentation of financial statements, economy and efficiency of operations, effectiveness of achieving program results, compliance with laws and regulations, and/or the detection of fraudulent activities.

External Auditor – An auditor not employed by or connected to a Salish Kootenai College individual or entity.

I. Selection of Audit Firm

  1. On a periodic basis, but not less than every five (5) years, the College will issue a Request for Proposal (RFP), utilizing SKC procurement policies for a certified public accounting firm to perform annual financial audits.
  2. SKC administration will present the chosen audit firm to the SKC Board of Directors for review and approval. The President is authorized to extend the contract one fiscal year at a time for additional fiscal years provided that funds have been authorized, the quality of past services has been acceptable to the College, and the fee for the extended contract is considered reasonable by the College.

II. Audit Process

The SKC Business Office will prepare and coordinate all audit processes and requirements. SKC employees shall adhere to preparation timelines and requirements. The timing of the audit will be coordinated between the SKC Business Office and the external auditor.

III. Audit Reporting

The external auditor’s report and recommendations will be provided to the Board of Directors, along with any recommendations from the President and Vice President of Business Affairs regarding any findings presented.

The external audit will be available to SKC employees for the purposes of complying with grant applications, audits, or similar requirements.

IV. Full and Fair Disclosure

College employees are prohibited from improperly influencing, or attempting to influence, the audit process and shall comply with this process by providing full and accurate disclosure of college information.

History:

Adopted: 1/15/2021
Reviewed:
Revised:

Salish Kootenai College is accredited by the Northwest Commission on Colleges and Universities. Salish Kootenai College | PO Box 70 | 58138 US Highway 93 | Pablo, MT 59855 | 406.275.4800.