Software Installation and Support
Information Security Standard
Information Security Standards (ISS) are developed to support and enforce both District Administrative Regulations and the California Community College Information Security Standard.
This ISS is an extension of the Vulnerability Management Information Security Standard.
LBCCD Information Technology Services (District IT) reserves the right to disable, quarantine, shut down, or remove any account, application, device, service, or system that disrupts, undermines, or otherwise compromises the confidentiality, integrity, or availability of the District’s information technology systems.
Individuals found to be in violation of Information Security Standards may be subject to disciplinary actions as described in Administrative Regulation 6006.
An Extention of Vendor Risk Management
As detailed in the District IT’s Vendor Risk Management Information Security Standard, LBCCD relies upon a variety of vendors, third-party applications, and services (systems) to support many of its core business functions. Because these systems often have direct access to institutional devices, data, networks, and other information systems, the inclusion of specific information security controls is not only paramount in managing and mitigating cyber-based threats but also mandated by federal and state policy.
Requests for Software
As required by the Gramm-Leach-Bliley Act (GLBA), under the Safeguards Rule (16 CFR §314.4[d]), the District must take reasonable steps to:
- Select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
- Require service providers by contract to implement and maintain such safeguards.
As a result, requests for software shall be completed through the District IT’s Requests for Information and Communication Technology (ICT) Procedure.
District-supported software refers to those applications and services that have been licensed, purchased, subscribed to, or otherwise acquired through the District’s purchasing process and approved through the District IT’s Request for ICT Procedure. Due to the broad nature of services provided by the District, additional constraints above and beyond foundational security controls may be required for any given ICT.
For example, devices that present greater risk (e.g., a workstation that provides access to Protected Data) may require greater controls than others within the same department, and Office computers are generally subject to more stringent controls than Lab computers.
Although District-supported software is generally licensed for District devices only, a few applications are available for installation on staff members’ personal computers.
Unsupported software shall only be installed on District devices when district-supported software cannot fulfill a specific business need, which has been approved through the District IT’s Request for ICT Procedure.
Non-District-supported Software and Protected Data
Non-district-supported software that processes, stores, or transmits protected data shall not be installed, purchased, subscribed to, or otherwise utilized by the District.
For example, although offline storage services like dropbox.com and box.com have specific security certifications, the District would remain prone to confidential data leakage without procuring Enterprise licenses in order to enable necessary security features. As a result, only District IT approved storage services shall be available for use on District devices.
District IT currently provides OneDrive via Office 365 to facilitate secure cloud storage. OneDrive has been configured to alert the District to potential data leakage and help comply with federal and state mandates.
The Administrative Network
Due to its inherent nature, the Administrative network (as opposed to the Academic, Student, Operational Technology, etc. networks) may be subject to additional and/ or specialized security controls.
Software and Services Prohibited by the District
The following software and services are prohibited from being installed on District devices (desktops, laptops, phones, etc.) due to the severity of past or potential abuse.
End-of-Service-Life (EoSL) for Software, Services, and Hardware
The Project Owner (the individual or business unit endorsing the software, service, and hardware) plays an important role in vulnerability management by being responsible for ensuring that an appropriate plan of action is in place for the ongoing maintenance and replacement of software, services, and hardware before the ICT is no longer supported.
Because EoSL technologies put LBCCD at risk by exposing the District to present and future security vulnerabilities, and violations of regulatory compliance, District IT may terminate the functionality of any such ICT at any time.