Gramm-Leach-Bliley Act (GLBA)

Safeguarding Customers' Information

Imperial Community College District (IVC) takes very seriously the responsibility of safeguarding its
customers' information. We appreciate and protect the privacy of our students, faculty, staff, and other
third parties. As such, IVC has been establishing an Information Security Program to ensure and protect
all confidential information.

The foundation of the Information Security Program is the Information Protection Operation Procedure
document that went through the governance process and was approved by the Technology Planning
Committee in December of 2018. The Information Protection Procedures document is supported by the
Information Technology Department Policies, Procedures and Processes manual. The overall goal for
the program is to:

• Meet regulatory compliance
• Restrict access to personal information to only those who need it to conduct their work.
• Put safeguards in place to prevent unauthorized access to personal information.
• Ensure appropriate employee training
• Detect, prevent, and remediate attacks, intrusions, or other information security risks.

In accordance with the GLBA Safeguards Rule, IVC's information security program incorporates the following:

• Designate an information security officer and related oversight responsibilities for the
institution's security.
• Assess the risks to confidential information, assess the level of mitigating controls in place, and
identify action plans to accept or further mitigate remaining risks.
• Implement an information security program, including various technical and physical underlying
controls, such as data encryption and secure shredding processes.
• Oversee vendor relationships to ensure confidential data are secured at their locations when
applicable and access is controlled when vendors connect to the institution.
• Perform an ongoing evaluation of their program to keep content current with an ever-evolving
security environment.

Imperial Community College District's Chief Technology Officer is the designated information security
program coordinator (ISPC). The ISPC reports to and takes guidance from the Technology Planning
Committee and the President's Cabinet.

The ISPC, on a yearly basis, contracts with a third-party vendor to conduct a cyber security audit to
identify and assess likely external and internal risks to the security, confidentiality, and integrity of
protected information that could result in the unauthorized disclosure, misuse, alteration, destruction,
or other compromise of such information. This audit is based on the Cyber Security Framework from
the National Institute of Standards and Technology (NIST).

The audit looks at IVC's security program holistically, reviewing the policies and procedures, auditing the
electronic system and security measures that have been implemented, testing the physical securities
that are in place, and testing the end user cyber security knowledge through email phishing campaigns.
At a minimum, the audit includes consideration of risks in each relevant area of IVC operations:

• Foundational policies, procedures and practices
Cybersecurity practices that provide the foundation for how the business aligns with cyber
security, such as a cybersecurity governance program containing the policies and procedures
allowing the organization to maintain adherence to legal and regulatory requirements.
• Employee training and management
Consider the effectiveness of current employee training and management procedures relating
to the access and use of covered information.
• Information systems, information processing, and disposal
Controls and safeguards to protect or deter a cybersecurity threat from materializing, such as
ensuring that data at rest, in motion, and in use is protected.
• Detecting, preventing, and responding to attacks and system failures
Continuous monitoring to provide proactive and real-time alerting of cybersecurity-related
events, such as detection processes and procedures that include periodic testing to validate
awareness and unusual incidents.
• Ability to respond and recover
Response activities which are executed during a cybersecurity incident and Incident Response
Plans/Business Continuity Plans which allow you to recover services impacted by a cyber breach.

The Information Security Program is built on the assumption that over time a program will lose its
effectiveness and eventually will fail if it is not continually reviewed and updated. As such we use the
yearly audit as an opportunity to review the program and adjust it to reflect changing college business,
measurements of program effectiveness, and lessons learned from the implementation of security