Data security action plan

In response to the identity theft incident in March 2016, Tidewater Community College outlined a plan of action to improve data security.

To maintain its commitment to being transparent and upfront in its communications with employees, the college is publishing this checklist of action items.

The items checked have been completed. Those without checks are in process.

This page will be updated regularly to show continued progress in this most important and sensitive area. Feel free to check for updates.

Questions? Contact Christine Damrose-Mahlmann, TCC's privacy officer, at cmahlmann@tcc.edu.

Incident management

Refer matter and coordinate with IRS and law enforcement
Establish free credit monitoring for employees for two years
Establish Campus Assistance Centers on all campuses and Workforce Solutions to help employees file forms and affidavits
Establish Call Center for employee information
Inform employees of ongoing and new threats to data security
Establish communications methods for employees to report on issues and concerns
Make immediate notifications to all employees upon learning of new information
Establish Frequently Asked Questions (FAQ) page on website and update as new information is learned

Transparency

Notify media of newsworthy events
Communicate with employees on all campuses through town hall-style meetings and web-based options

Data security

Establish a Secure File Transfer application to reduce the potential that sensitive information is shared/breached with scammers
Implement the use of encryption software for sending information to external constituents
Implement the use of encryption software for receiving information from external constituents
Implement encryption software on all TCC laptops
Launch secure online form system to encrypt and secure sensitive information on TCC servers
Establish process for annually assessing departments on their safeguards of sensitive data
Move email signature generator to the college's secure intranet
Develop a tool for intercepting outgoing mail that may include social security number, credit card number, and other personal identifiable information

Policy

Revise Privacy Policy 1104 in collaboration with the VCCS and the Attorney General’s Office to strengthen protection of personally identifiable information
Revise Crisis and Emergency Management Plan (CEMP)
Revise College Network and E-Mail Accounts Policy 5104
Revise Information Technology Security Program 5200

Training

Produce and distribute training video
Enhance MOAT training with security access training
Investigate purchase of a system to assess personnel vulnerability to phishing