DATA SECURITY POLICY

Original Adoption: January 2, 2028

Effective Date: January 2, 2018

Last Revision: January 1, 2023


INTRODUCTION 
Today, information technology (IT) permeates all aspects of teaching, learning, research, 
outreach, and the business and facilities functions of the College. Safeguarding information and 
information systems is, therefore, essential to preserving Northwest Louisiana Technical 
Community College’s ability to perform its missions and meet its responsibilities to students, 
faculty, staff, and the constituents whom it serves. Federal and State statutes, rules, and 
regulations, State Office of Information Technology policies and standards, Louisiana Board of 
Regents policies, Louisiana Community and Technical Colleges System (LCTCS) policies and 
other explicit agreements also mandate the security of information and information systems. 
Failure to protect the College's information technology assets could have financial, legal, and 
ethical ramifications. 


PURPOSE 
Northwest Louisiana Technical Community College (NLTCC) is committed to preserving the 
security, confidentiality, integrity and availability of all forms of information used and 
maintained on behalf of faculty, staff, and students consistent with Northwest Louisiana 
Technical Community College’s mission. Improper disclosure, modification, or destruction of 
information may result in harm to the operation of NLTCC in support of its mission. As a result, 
specific procedures have been implemented to help administer and manage the storage, 
processing, and use of information.  

NLTCC executed an open letter of engagement effective 7/1/2019 for the LCTCS Board Office 
IT to provide NLTCC with the following services: 
• 1 full time IT staff supporting NLTCC facilities including but not limited to: 
o Desktop Support 
o Server Support 
o Network support 
• Help Desk ticketing system 
• 2nd tier support as needed by Board Office IT Staff 
o Advanced network support including wide area networking and firewall 
management 
o Virtualization support (VMWare) 
• Strategic IT support as needed by LCTC System CIO 
The Vice Chancellor of Finance and Administration serves as the Liaison between 
NLTCC/Campuses and LCTC IT. 


INFORMATION TECHNOLOGY ENFORCEMENT OF SECURITY  
NLTCC acknowledges that no individual is immune from investigation when there are 
reasonable suspicions of theft, fraud, or misuse of its information technology resources.  
In accordance with the Louisiana Community and Technical College System (LCTCS) Use of 
Technology Resources Policy Statement and Northwest Louisiana Technical College Network 
and Computer Access Agreement, use of all NLTCC computer resources is limited to NLTCC 
faculty, staff, currently enrolled students, and authorized guests, for legitimate academic and 
business purposes consistent with the College's mission. Use of technology resources of this 
institution is a privilege and not a right. Abuse of these privileges may result in the loss of such 
privileges, possible employment termination, student expulsion, and/or prosecution.  
The unauthorized use of another's logon id and password is considered a theft of a College 
resource and computer fraud. The result of such abuse may be the loss of all computer privileges 
and/or other disciplinary action. 


POLICY STATEMENT 
It is the policy of NLTCC to protect personally identifiable information of employees and 
students. The electronic restrictions and safeguards outlined in this policy provide guidance for 
students and employees that have access to protect personally identifiable information retained 
by the College to ensure compliance with state and federal regulations such as: 
• Family Education Rights to Privacy Act (FERPA) - federal law that protects the privacy 
of student education records. 
• Health Insurance Portability and Accountability Act (HIPAA) - federal act that sets 
standards for protecting privacy of patients’ health information. 
• Gramm–Leach–Bliley Act (GLBA) - federal law that imposes restrictions on the 
disclosure of consumers’ personal financial information.  


Reason for Policy  
To ensure that anyone that collects or uses personally identifiable information at NLTCC does so 
in compliance with state and federal regulations and best practices for information security in 
higher education.  


Entities Affected by this Policy Who should Read it 
This policy will affect all students and employees who have access to resources containing 
personally identifiable information.  


Definitions 
A. Personally Identifiable Information - is any information pertaining to an individual that can be 
used to distinguish or trace a person’s identity. Some information that is considered Personally 
Identifiable Information is available in public sources such as telephone books, public websites, 
College listings, etc.  Public Personally Identifiable Information and includes:  
1. First and Last name  
2. Address  
3. Work telephone number  
4. Work e-mail address  
5. Home telephone number  
6. General educational credentials  
7. Photos and video  


B. Protected Personally Identifiable Information - defined as any one or more of types of 
information including, but not limited to:  
1. Social security number 
2. User name and password 
3. Credit card number/Banking information  
4. Driver’s License number  
5. Date and place of birth  
6. Mothers maiden name  
7. Criminal, medical, and financial records  
8. Educational transcripts  
9. Photos and video including any of the above  

C. NLTCC Information System – a collection of computing resources that are accessible through 
privileged access such as a login or key. Usually a software package designed to store student 
and employee data. Examples: Banner, Canvas, Document Imaging, and Databases.  


D. Secure Deletion – Secure deletion of an electronic file is accomplished by overwriting the full 
file contents with random data multiple times.  


E. Breach of Data Security - means the compromise of the security, confidentiality, or integrity 
of computerized data or physical files containing data that result in the unauthorized acquisition 
of and access to personal information maintained by an agency or person.  Good faith acquisition 
of personal information by an employee or agent of the agency for the purposes of the agency is 
not a breach of security of the system, provided the personal information is not used for, or is 
subject to, unauthorized disclosure. 


SECURITY POLICY OBJECTIVES AND METHODS  
This policy attempts to outline security practices and how NLTCC intends to manage, protect 
and distribute its sensitive information and the framework for securing its technology resources 
while participating in the world-wide cyber space community.  


As a means of securing its technology resources, the College utilizes one or more of the 
following measures:  


Authentication  
Traditionally, a logon id and password is used as assurance or verification that the 
resource (human or machine) at the other end of the session really is what it claims to 
be before being granted access to College resources. Authenticated users may have 
different types of permissions based on their authorization levels. As a means of 
authentication and control, a user may be required to provide proof of identification 
before being granted access to any College computer resource.  


Authorization  
Most computer security systems are based on a two-step process with the first stage 
being authentication and the second stage being authorization. The authorization 
process allows a user access to various resources based on identity. It protects against 
unauthorized access to a system or to the information it contains by the types of 
permissions granted – Access Control.  


Confidentiality  
Recognizing that confidentiality is critical to total data security, a number of tools are 
used to safeguard the confidentiality of NLTCC’s information, integrity, and non-
repudiation of data (proof to receiver that sender is the originator of the information) 
and to assure that sensitive information remains private and is not visible to an 
eavesdropper. This includes but is not limited to:  
• Encryption ensures that classified information is not adversely affected;  
• Virus Control helps protect against file corruption;  
• Electronic Data Exchange by use of secure protocols, digital certificates 
and the Secure Socket Layer (SSL) to help ensure confidentiality and 
integrity when transmitting data across the network.  


Audit  
Security-relevant events are monitored to provide logs of access attempt.  
Audit service tools will be provided to audit personnel to generate reports to analyze 
and review information technology security.  


Administration  
The management of technology resources protection scheme ensures that only 
authorized users can access objects on the system. This is handled by creation, 
maintenance, and monitoring security information such as access control policies, 
authorized user profiles, security parameters, and ownership identification.  


NETWORK/CYBER SECURITY  
NLTCC utilizes a multi-layered approach as protection of its data and technology resources 
against unauthorized access from untrusted network environments, as well as, malicious attacks 
from untrusted cyberspace environments. These network security strategies include but are not 
limited to:  
• Firewalls  
• Intrusion prevention and detection  
• Anti-virus  
• Anti-spam  
• Access control lists  
• Network monitoring  


In the event of a network/cyber security incident, the following approach is utilized in response 
and implemented: 


Step 1 - PREPARATION  

The amount of preparation one does before an event occurs to successfully handle an 
incident.  


Step 2 – DETECTION  
Determine whether or not an actual incident has occurred.  


Step 3 – CONTAINMENT  
Limit the scope and magnitude of an incident in order to keep it from getting worse.  


Step 4 - ERADICATION  
To ensure that the problem and vulnerabilities that allow re-entry to the system are 
eliminated.  


Step 5 - RECOVERY  
Ensure that the system is returned to a fully operational status.  


Step 6 - FOLLOW-UP  
Meet, discuss, identify lessons learned and make recommendations that will prevent 
future incidents. 


EMAIL 
In accordance with the NLTCC Network and Computer Access Agreement, 
http://www.NLTCC.edu/wp-content/uploads/2017/01/7.001-Northwest-LTC-Network-and
Cmputer-Access-Agreement.pdf, NLTCC employees and students have access to electronic mail 
(E-Mail) both internally and through the Internet. This E-mail access is the property of the 
College and may be subject to auditing and monitoring.  
• Use of NLTCC’s E-mail system provides communication between staff, faculty, students, 
external entities, clients, and others.  
• It is intended for business and academic use only.  


E-mail Privacy  
• Users should not have any expectation of privacy when using and storing information on 
any computer resource of the College.  
• The College reserves the right to review and copy any data or other information stored on 
any computer resource without notice to the user. E-mail created or distributed through 
NLTCC’s E-mail system is the property of NLTCC .  
• Users should be aware that under certain circumstances, the Office of Information 
Technology staff may need to access and review E-mails sent and received.  
• Users should remember that all E-mail sent or received through this system is the 
property of NLTCC , and is subject to audit and monitoring.  
• There is no guarantee of security or confidentiality for inappropriate use of the E-mail 
system.  


E-mail Usage  
• E-mail should be transmitted based on business or academic need.  
• Under no circumstance is it permissible for NLTCC employees to conduct business of 
any kind that would infringe on the beliefs of the College.  
• Users should not use E-mail to transmit messages that contain remarks, images, or 
content that can be considered defamatory, offensive, harassing, disruptive, derogatory, 
racial or ethnic slurs or as pornographic comments or images.  
• It is strongly recommended that E-mail is not used to transmit passwords or any other 
authentication information for NLTCC’s systems.  
• It is strongly recommended that confidential information is not sent in detail via the E
mail system when communicating with the Human Resource office (i.e., Password, SSN, 
DOB, Pin, etc.)  
• It is prohibited that student grades or any sensitive material be transmitted in violation of 
FERPA guidelines.  
• Users should never E-mail or otherwise transmit any attachment that is suspect of being a 
virus.  
• Inappropriate use of the E-mail system may result in immediate loss of E-mail privileges 
and possible disciplinary action up to and including termination.  
• Examples of inappropriate usage include, but are not limited to, sending electronic chain 
mail or mass unsolicited mail, and altering email or Internet headers to hide the identity 
of the sender/poster or to attribute the email or posting to someone other than the 
sender/poster or intended recipient.  
• Only responsible administrators or their designees are authorized to send broadcast e
mail communications to all faculty and staff. These general office email accounts have 
been set up to allow certain academic and administrative departments to disseminate 
highly targeted communications throughout the NLTCC community. All NLTCC 
responsible administrators and designees will retain their individual e-mail accounts.  
• The Responsible Administrator for each area must sign a Network and Computer Access 
Agreement form that states his/her responsibility. The user agreement authorization form 
is kept on file in the Office of Human Resources.  
• Canvas Community users are expected to adhere to the same policies regarding sending 
broadcast email communications to all faculty and staff.  
• Only specifically identified email accounts are authorized to send broadcast email 
communications to students  
• Email accounts are provided to adjunct faculty when requested by the division for the 
time period as specified on the request.  
• Only individuals authorized by their respective divisions are allowed to retrieve and 
distribute access letters to adjunct faculty.  


INTERNET 
NLTCC provides Internet access for its employees so they can obtain up-to-date information that 
may be useful in performing their job responsibilities and duties.  
Proper Internet Usage  
• No illegal or pirated information or software should be downloaded or viewed.  
• Passwords for personal use should be of different variation from those used within 
NLTCC.  
• NLTCC prohibits employees from using the Internet to visit sites that are pornographic, 
sexually explicit, racial or ethnically biased or harassing or offensive in any way, either 
graphic or in text form, other than authorized academic purposes.  
• NLTCC reserves the right to monitor any and all network activities to and from your 
computer including Internet access. Such activities may be archived and monitored at a 
future date.  
• Similarly, the unauthorized copying of commercial software packages for which the 
College is liable through licensing agreements or the introduction of any unauthorized 
software to a College computer is considered inappropriate and a violation of Internet 
usage and/or copyright laws and may be prosecuted.  
• The NLTCC website on the Internet is an official publication of the College. All web 
pages linked to it are also official publications of the College. As such, the content of 
these pages should promote the College, its programs, faculty and staff in a positive light, 
consistent with its mission.  
• The creation and maintenance of web pages by units within the College are encouraged 
as a means of promoting NLTCC, its programs, faculty, and staff.  
• These pages require the Director and Public Relations Committee’s before publication 
and must be administered according to the College’s Internet Web Pages policy.  
• Inappropriate Internet usage will result in the loss of Internet access and may result in 
further disciplinary action, up to and including termination.  


WIRELESS ACCESS  
Wi-Fi Purpose  
• NLTCC is the host to a Wi-Fi network that is available to employees, students, and 
authorized guests.  
• Employees and students use their NLTCC email account username to connect to the Wi
Fi network.  
• Upon request, a special user account can be set up for doing business with the college for 
a specified time period.  
Wi-Fi Usage  
• Wi-Fi coverage is campus-wide at all NLTCC locations.  
• Access is available to connect to the Internet via devices such as laptops and mobile 
phones.  
• Individual users must configure personal devices for wireless network connection.  
END USER ACCOUNTS 
The College is linked to the Internet and to other networks either directly or indirectly. Access to 
these networks by faculty, staff, and students is granted because of employment or enrollment at 
the College.  
NLTCC faculty and staff members may be granted access to the College's network and 
mainframe if deemed appropriate for their position or department. For detailed instructions on 
how to become a user of the College's network and/or mainframe systems, employees should 
refer to the College’s Technology Services policy.  
Since user account access is an integral part of security for the College’s technology 
infrastructure, access is granted based on a number of general practices. The following 
guidelines have been established. 
Account Creation  
• A request for account access is submitted electronically via the IT Help Desk system. 
When a request is submitted, it is electronically routed for approval to the employee's 
supervisor and data manager, if applicable.  
• The employee’s job function and department requirements will determine the level of 
access to system resources.  
• At a very minimum, all accounts require both a username and a password.  
• Sharing of end-user accounts between users is prohibited.  
• When an account has been established, electronic notification will be sent to the requestor 
and the new employee’s supervisor.

 
Account Logons and Passwords  
NLTCC faculty, staff and students may be issued logon ids that are used to access various 
information technology systems and resources provided by the College. This logon id will 
remain valid for the period the individual is associated with the College.  
All users with logon ids and passwords to the College’s technology resources should be aware of 
the following:  
• The logon id owner is responsible for all actions and functions performed by his/her 
logon id.  
• Passwords used in association with the logon ids are to be safeguarded and neither logon 
ids nor passwords are to be shared by any two individuals. (with the exception of general 
office email accounts)  
• Logon ids or passwords may not be shared with another person other than a designated IT 
representative.  
• Proper use of the logon id is the responsibility of the individual under whose name it has 
been assigned.  
Password Selection and Management  
Potentially, serious damage can occur if a user’s password is not safeguarded. Therefore, 
passwords should be changed regularly. Passwords are used to authenticate an end-user’s 
identity and to establish accountability. A password that is easily guessed is not an effective 
password and compromises security and accountability of actions taken by the logon id, which 
represents the end-user's identity.  
• All end-users with logon ids and passwords to the College’s technology resources should 
practice the following:  
• The recycle or re-use of passwords shall be reasonably limited.  
• Users are advised to change the initial password on a new account immediately.  
• Passwords should be selected that are difficult to guess by others.  
• Mainframe passwords should be at least eight (8) characters in length, must be in lower 
case, and may consist of a combination of letters, characters, and numbers 
(alphanumeric).  
• Network passwords should be at least eight (8) characters in length.  
• Network password complexity must contain at least 3 of the following 4 categories: 
English upper case characters (A-Z), English lower case characters (a-z), Base 10 digits 
(0-9), and non-alphanumeric characters (e.g. %, &, !).  
• It is strongly suggested that passwords should not include your logon id, your name, your 
spouse’s name, children’s or pet's name, or any other names commonly known to others.  
• Users will be held accountable for password selection and protection.  
• A user’s password must not include anything derogatory, offensive, or defamatory.  
• It is strongly suggested that passwords are not written down or stored in a place that can 
be accessed easily by others.  
• All passwords shall be changed whenever it is determined that a system security may 
have been compromised.  
• When requesting a password reset, individuals will be asked a security question(s) to 
verify the identity of the person requesting the action.  
• Passwords are encrypted and will not display when typed.  
Mainframe passwords should periodically be changed. However, it will automatically expire 
every 180 days; the system will prompt you when the time approaches. Note: The 180th day for 
each individual may be different.  
Network passwords should periodically be changed.  


Some general management rules to practice are:  
1) do not leave your computer logged on and unattended for an extended period of time, 
2) do not log on to your system if someone can see you keying in your password,  
3) turn off your computer when you leave for the day,  
4) if you use a remote access program and you need to leave your computer on, be sure that it is 
in a locked room, and  
5) use a screen-saver access program to secure the computer from unauthorized access.  
Temporary or Contracted Employees  
All temporary and contractual employees with access to the network or mainframe should be 
aware of the following:  
• Accounts are created for Temporary or Contracted employees using the same process as 
regular employees.  
• All Temporary or Contracted employees must be set up with a temporary account 
containing an account expiration date, if applicable.  
• Upon approval, the Office of Information Technology will provide a logon id and 
password for temporary access and application use.  


Account Modification  
Current employees may request changes to their access by contacting Computer Analyst/IT 
Technician. The employee’s supervisor must approve the request electronically. However, this 
does not automatically guarantee that the request will be granted, as it may require the approval 
of a data manager, if applicable.  

Account Removal  
All employees with access to the network or mainframe should adhere to the following:  
• When IT is notified of an employee’s separation from the College, access to technology 
resources will be disabled. Access is not removed until confirmation of separation is 
received from the Human Resources office.  
• Access to technology resources will be restricted by the close-of-business on the 
employee’s last working day, unless otherwise instructed by Human Resources.  
• In the event of immediate access suspension, an authorizing College administrator 
contacts the Office of Information Technology Assistant Vice Chancellor/CIO or the 
Executive Director. The Assistant Vice Chancellor/CIO or Executive Director notifies the 
appropriate security personnel so that the access to technology resources is immediately 
disabled.  
• Retirees will not retain access to their email account upon separation from the college.  
• Student email accounts are purged annually. Student email accounts are purged from the 
email database based on criteria provided by the College Registrar.  
Remote Access  
• NLTCC adheres to the Louisiana Community and Technical College System’s policy 
regarding remote access.  
• Remote access users shall not violate any college policies, perform any illegal activities, 
and be used for outside business interests.  
• Remote access privileges will be strictly limited and evaluated on a case by case basis.  


PRIVACY OF STUDENTS  
The Family Educational Rights and Privacy Act (FERPA) protect educational records of a 
student from public disclosure without written permission of the student. NLTCC  adheres to 
these rules and guidelines to protect the rights of its student body. The College’s computing 
information and network resources are used in a manner that complies with this privacy. 


CONFIDENTIALITY  
All computer information is considered confidential unless a user has received permission to use 
it. Accessing or attempting to access confidential data is strictly prohibited. Confidential 
information should only be used for its intended purpose. Using confidential information for 
anything other than its intended use, without prior approval, is prohibited.  


NLTCC strives to maximize the confidentiality and security of its information systems and 
services within the limitations of available resources. As with paper-based systems, no 
technology can be guaranteed to be 100% secure. All users should be aware of this fact and 
should not have an expectation of total privacy regarding information that is created, stored, sent, 

or received on any networked system. The College reserves the right to review and copy any data 
or other information stored on any computer resource without notice to the user. This also 
includes the monitoring of all Internet use, email, and other activities accessed on or through 
computer resources of the College. Such monitoring, without limitation, may include, but is not 
limited to, review of all sites accessed by a user and e-mails transmitted and/or received.  
The Internet environment offers tremendous opportunities to provide convenient access to 
information and services to authorized individuals wherever they may be. Users who serve as 
data managers of institutional information should be particularly aware of the potential for 
unauthorized access to or tampering with online information and services in the Internet 
environment.  


DATA SECURITY & BACKUPS  
Data of value (data that would be missed if lost and cannot be easily recreated as from an OS 
installation) must be backed up on a regular basis. The Computer Analyst/IT Technician must 
ensure that a means of backing up and restoring vital data is provided; in keeping with this 
responsibility, a backup strategy for the College’s network and mainframe systems is conducted 
on a daily basis. 


Networking  
The entire backup process is hosted by NLTCC.   DataVault Agents are installed on each 
server/workstation requiring backup. Each agent is configured to transmit and store the backed
up data at the secure data vault located at NLTCC.  


The backup process is completely automated requiring minimal intervention from the Computer 
Analyst/IT Technician The backup process consists of two strategies, which are the 
“incremental” and “full” backup strategy. The incremental backup runs daily and full backup 
runs on Saturday evenings. 


Mainframe  
• Daily backups of the College’s mainframe computing system are performed to ensure 
availability and integrity of data. The backup process consists of basically two strategies, 
“incremental” and “full” backups.  
• Each day incremental backups are taken of all DASD datasets to which modifications 
have been made since the last backup taken.  
• Periodically, full volume backups are made of each disk pack. These full volume backups 
occur automatically as a new generation of backups.  
• In addition to the generation that is currently being built, four complete generations are 
available from which restorations may be done.  
• Two copies of each backup/archive are made. One copy is vaulted offsite for disaster 
recovery purposes and the other copy remains onsite for system restoration, if needed.  
• A Tape Management System (TMS) vaulting procedure is used to automate the vaulting 
rotations.  


DATA SECURITY – AUDITING AND MONITORING  
The Office of Information Technology is responsible for the monitoring and periodic audits of 
the College’s technology resources including, but not limited to, technology systems, software 
development, and operating systems. To facilitate this effort, a number of tools are used, such as:  
• Audit Logs – logs are maintained that can provide sufficient data to reconstruct events 
and actions, such as dates, times, individual and/or process authorizing an 
activity/operation.  
• Archives – information is archived to ensure that important assets are maintained in a 
reliable long-term retrieval state for specified periods that may be utilized for special 
needs (i.e. – legislation, statutes, government, etc.).  
• Monitoring Products – a number of monitoring utilities are used to monitor the 
College’s network infrastructure. These tools allow for the monitoring of Internet 
connectivity, servers, routers, switches, ports and the like. 
• Audit Files – are available through the College’s administrative applications that allow 
for audit tracking of data elements in the databases. Reports can be generated indicating 
the before and after values of the data element. Event logs on the network automatically 
record network activity and ‘flag’ possible suspicious activity or concerns.  


DATA SECURITY – ENCRYPTION  
As stated in the State of Louisiana IT Policy #IT-POL-014, sensitive data, defined as data not 
subject to the Louisiana Public Records Act (L.R.S. 44:1 et seq), is to be encrypted on all 
approved portable storage devices. The state’s preferred encryption freeware is “TrueCrypt,” 
which is available to download and view tutorials at http://www.truecrypt.org.  


DATA SECURITY – RETENTION AND COMPLIANCE  
It is recommended that data/files are maintained for a period of five (5) academic/calendar years. 


TECHNOLOGY SECURITY VIOLATIONS  
Reporting incidents is an ethical responsibility of all members of the NLTCC community. A 
critical component of security is to address security breaches promptly and with the appropriate 
level of action. Below are guidelines for reporting and handling security incidents:  
All users of NLTCC technology resources computers have the affirmative obligation to report, 
directly and without undue delay, any and all information concerning conduct that they know to 
involve corrupt or other criminal activity or conflict of interest to the College.  

Activities that should immediately be reported include, but are not limited to:  
• Attempts to circumvent established computer security systems;  
• Use, or suspected use, of virus, Trojan Horse, or hacker programs;  
• Obtaining, or trying to obtain, another user’s password;  
• Using the computer to create and/or disseminate harassing or defamatory messages;  
• Using the computer to communicate inappropriate messages or jokes that may be 
considered offensive by others;  
• Illegal activities of any kind;  
• Attempts to breach facility security should be reported to Campus Dean;  
• Incidents of security violations, willful or intentional, of secured resources are considered 
to be misconduct under applicable student and employee conduct standards. Users 
engaged in such conduct may be denied access to technology resources and may be 
subject to other penalties and disciplinary actions including termination or expulsion.  
Under appropriate circumstances, NLTCC may refer suspected security incidents to law 
enforcement authorities, and provide access to necessary data for investigation as permitted by 
law.  


Technology security violations should be reported immediately to NLTCCs Vice Chancellor of 
Finance and Administration. 


Procedures 
A. Maintaining and discarding Personally Identifiable Information.  
All electronic files that contain Protected Personally Identifiable Information will reside within a 
protected NLTCC information system.  All physical files that contain Protected Personally 
Identifiable Information will reside within a locked file cabinet or room when not being actively 
viewed or modified. Protected Personally Identifiable Information is not to be downloaded to 
personally owned, employee workstations or mobile devices (such as laptops, personal digital 
assistants, mobile phones, tablets or removable media) or to systems outside the protection of the 
college. Personally Identifiable Information will also not be sent through any form of insecure 
electronic communication such as e-mail or instant messaging systems. Significant security risks 
emerge when Personally Identifiable Information is transferred from a secure location to a less 
secure location or is disposed of improperly. When disposing of Personally Identifiable 
Information the physical or electronic file should be shredded or securely deleted. For help with 
secure deletion please contact the Campus Dean. 


B. Exceptions  
If there is an operational or business need to store protected Personally Identifiable Information 
outside a NLTCC controlled information system please contact the Campus Dean or Director for 
assistance in securing the information.  


Containment, Classification, and Reporting 
The first priority after a breach of data security is discovered is to contain the breach and notify 
supervisory personnel as quickly as possible.  The data must be secured and the reasonable 
integrity, security, and confidentiality of the data or data system must be restored.   
The exact nature of the breach of data security in terms of its extent and seriousness must be 
determined. The supervisor of the department where the breach occurred must take immediate 
action to determine the extent of the breach and to contain it or recover the missing data.  
Assistance from the IT Department or other personnel should be requested as soon as possible if 
necessary.  The department supervisor should document the breach, the scope of the breach, 
steps taken to contain the breach, names and categories of the persons whose personal 
information was, or may have been, accessed or acquired by an unauthorized person. 
The Vice Chancellor of Finance with convey relevant information to LCTCS CIO for further 
action.   


Enforcement  
An employee found to be in violation of this policy may be subject to disciplinary action as 
deemed appropriate based on the facts and circumstances giving rise to the violation.  
Retirees & Emeritus Retirees 


NLTCC Retirees shall not have active email accounts through NLTCC unless the retiree is 
designated an 'emeritus retiree' by vote and approval of the LCTCS Board of 
Supervisors.  Emeritus retirees may be provided an active NLTCC email for life.