Palm Beach State College Board Policy
Title: Information Security Policy
Policy Number: 6Hx-18-6.01
Legal Authority: F.S. 1001.64; F.S. 1001.65; F.S. 501.171; 16 C.F.R. § 314.3
Date Adopted/Amended: Adopted 4/11/2017; Amended 9/16/2025
Purpose
This policy sets the direction for protecting data, technology infrastructure, and Information Systems owned and used by Palm Beach State College, its employees, subsidiaries, affiliates, service providers and students.
Scope
This policy applies to all departments, data processing platforms and systems owned, leased or managed by the College or by third party providers on behalf of the College.
Definitions
Information System: Any electronic system that stores, processes, or transmits information.
Security Risk: The likelihood a vulnerability in a system will be exploited by a threat actor that causes significant impact to the organization.
Sensitive Information: All non-public data entrusted to the College for the purpose of meeting its strategic objectives and mission. It refers to information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.
Written Information Security Program (WISP): A set of comprehensive policies, standards, procedures and guidelines designed to safeguard sensitive information entrusted to the College, and to comply with applicable laws and regulations.
Policy Statement
The Director of Information Security, under the direction of the Chief Information Officer, shall lead the development and implementation of a Written Information Security Program (WISP) applicable to College technology, devices, users, and data. The IT Security Policies will be developed in coordination with applicable Board Policies and legal or regulatory requirements to ensure consistency and compliance across the College’s governance framework.
a. Written Information Security Program (WISP)
The Chief Information Officer, unless another is designated by the College President, shall develop a Written Information Security Program (WISP) to safeguard sensitive information entrusted to the College and to comply with applicable laws and regulations.
The WISP shall include reasonable policies and related standards, procedures and guidelines to detect and mitigate security risks to sensitive information and information systems including, but not limited to, the following areas:
- Acceptable Use of IT Resources
- Access Control
- Artificial Intelligence (AI) Use and Governance
- Business Continuity & Disaster Recovery
- Cloud and Third-Party Vendor Security
- Computer Incident Response
- Data Classification
- Data Retention
- Encryption and Secure Data Transmission
- Endpoint Security
- Information Security Awareness and Training
- Mobile Device Security
- Network Security and Monitoring
- Password Safety
- Risk Management
b. Governance and Oversight
The President, or designee, shall establish a governing committee composed of various personnel from key departments to provide input and prioritization to policies and procedures, and review requests for exceptions. The WISP shall be governed by that committee. The committee shall also function as an advisory group on matters of information security and privacy for groups or persons charged with the review and implementation of information technology and services at the College.
The Chief Information Officer shall function as the committee’s sponsor and the Director of Information Security shall serve as its chair.
Incident Reporting and Response
- The College is committed to timely and effective response to information security incidents in order to protect College systems, data, and stakeholders. All suspected or confirmed security incidents must be reported immediately to the College Service Desk or the Office of the Director of Information Security.
- Users are prohibited from independently investigating, mitigating, or otherwise responding to suspected security incidents unless expressly authorized by the Director of Information Security.
- Detailed incident response procedures, including escalation protocols and defined roles, will be maintained in the College’s Written Information Security Program (WISP).
Review and Maintenance
This policy and the College’s Written Information Security Program shall be reviewed periodically by the Director of Information Security. Revisions shall be made in response to changes in law, emerging security threats, significant changes to College operations, or at the direction of the College President or Chief Information Officer.