Rule 3357:15-16-15 | Cybersecurity policy.

(A) Purpose: To meet each requirement for the minimal risk profile in the cybersecurity assessment tool (CAT) of the federal financial institutions examination council (FFIEC), to comply with the information technology examination handbook (IT handbook) and the national institute of standards and technology (NIST) cybersecurity framework, and to continue to increase cybersecurity maturity from baseline to evolving and beyond, as those terms are described in the instructions of the CAT.

(B) Authority: C.F.R. Title 16 Chapter I Subchapter C Part 314, which implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of college information.

(C) Scope: The college shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to our size and complexity, the nature and scope of its activities, and the sensitivity of any college information at issue. The information security program shall include the administrative, technical, or physical safeguards the college uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle college information. Such safeguards shall include the elements set forth in paragraph (D) of this rule and shall be reasonably designed to achieve the following objectives:

(1) Ensure the security and confidentiality of college information;

(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and

(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the college.

(D) Program: The college shall develop, implement, and maintain its information security program in the following manner:

(1) Designations: The college designates its vice president for business, finance and information technology and cybersecurity administrator to coordinate the college's information security program.

(2) Assessments: The cybersecurity administrator will identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of college information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of college operations, including:

(a) Employee training and management;

(b) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and

(c) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

(3) The cybersecurity administrator will ensure that the college designs and implements information safeguards to control the risks it has identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.

(4) The cybersecurity administrator will oversee service providers, by:

(a) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the college information at issue; and

(b) Requiring the college's service providers by contract to implement and maintain such safeguards.

(5) The cybersecurity administrator will evaluate and adjust the college's information security program in light of the results of the testing and monitoring required by paragraph (D)(2)(c) of this rule; any material changes to college operations or business arrangements; or any other circumstances that the college knows or has reason to know may have a material impact on its information security program.

(E) Public records: Procedures shall be documented and utilized by the college. To the extent such documentation meets the definition of "security record" or "infrastructure record" as identified by division (B)(1) of section 149.433 of the Revised Code, those records shall not be public records and shall not be subject to release or inspection by the public.