University General Course Catalog 2020-2021 
    Jul 13, 2024  

NSHE Policy Regarding Information Security


December 2017
  1. It is the policy of the Board of Regents that sensitive data maintained or transmitted by a Nevada System of Higher Education (NSHE) institution, the Chancellor’s Office or the NSHE Computing Services must be secure. Further, as data collectors, NSHE institutions, the Chancellor’s Office and NSHE Computing Services are required to comply with Nevada Revised Statutes (NRS) 603A.010-603A.910 (Security of Personal Information). Accordingly, the Board of Regents hereby establishes this policy in order protect sensitive data from unauthorized access, use, and disclosure, and establishes standards for the maintenance and handling of sensitive data and other information.
  2. Definitions
    For purposes of this section:
      a) “Unit” means the combined administrative unit consisting of the Chancellor’s Office and the Nevada System of Higher Education Computing Services.
    ​  b) “Sensitive data” refers to personal information as that term is defined in NRS 603A.040, including but not limited to social security number, and any other data identified in state and federal law that the Unit or any NSHE institutions are required protect from unauthorized access, use, or disclosure.
  3. NSHE Standards for Security Controls
    NSHE hereby adopts the National Institute of Standards and Technology (NIST) Cybersecurity Framework, currently in effect and as otherwise amended or updated, as the NSHE standards for security controls.
  4. NSHE Chief Information Security Officer
    The Chancellor shall appoint a Chief Information Security Officer (“CISO”) for NSHE who shall be responsible for development and management of an information security program for the Unit and NSHE institutions. In addition, the NSHE CISO:
      a) Shall establish appropriate management and governance structures related to information security or NSHE;
      b) May establish system-wide committees to assist in the development and management of the NSHE information security program;
      c) Shall work with NSHE Internal Audit on any testing or validation related to the NSHE information security program and Unit and institutional compliance with the program; and
      d) May develop an operations manual or similar document providing technical guidance to the Unit and NSHE institutions for the development of information security plans required by this section that includes, but is not limited to, provisions for compliance with the Graham Leach Bliley Financial Services Modernization Act of 1999 (15 U.S.C. § 6801 et seq. and 16 CFR §314.1 et seq.), the Health Insurance Portability and Accountability Act of 1996 (HIPPA), and Payment Card Industry Data Security Standard (PCI-DSS).
  5. Unit and Institutional Information Security Plans
    The Unit and each NSHE institution shall:
      a) Prepare and maintain a written information security plan that incorporates the NIST Cybersecurity Framework and includes, but is not limited to, the following:
         i. An inventory of the Unit’s or institution’s current cybersecurity controls aligned with the NIST Cybersecurity Framework (the “Current Profile”); and
         ii. A plan for maintaining alignment with the NIST Cybersecurity Framework that addresses any necessary improvements or emerging threats (the “Target Profile”).
      b) Update their Current Profile and Target Profile, every two years or sooner if required by the NSHE CISO.
  6. The Unit and each NSHE institution shall comply with any notification requirements applicable in the event of a breach of sensitive data or other information, including, without limitation, NRS 603A.220 (Disclosure of breach of security of system data; methods of disclosure) and any other applicable state or federal laws and regulations. Any Unit or institutional breaches of sensitive data or other information shall be reported to the NSHE CISO within 24 hours of the Unit’s or institution’s discovery of any such breach.
  7. Any use of social security numbers by the Unit or an NSHE institution shall comply with the Privacy Act of 1974 (codified at 5 U.S.C. § 552a). The Unit and each NSHE institution requesting that an individual disclose his or her social security number must inform that individual whether that disclosure is mandatory or voluntary, by what authority the number is solicited, and what uses will be made of it.
  8. The Unit and each NSHE institution shall comply with the disclosure requirements set forth in NRS 239B.030 (Disclosure of Personal Information to Governmental Agencies: Recorded, filed or otherwise submitted documents).