Responsible Office: Operations
Policy Type: Information Security
Document Owner: Director of Operations

Objective: Define the primary standard of guidance for implementing the AAMI Information Security Program; define the campus’s responsibility for information security; and establish a hierarchy of related policy and procedures.

Audience: AAMI Staff, Administration, Board of Directors, Contracted Informational System Services, and Students.


  1. Pursuant to federal and state laws and AAMI policy and procedures, AAMI must maintain an effective, comprehensive information security program (Program) that addresses the full range of information security issues that affect the College and that aligns the College’s practices with applicable laws, regulations, policies, and standards of practice.
  2. The Program must:
  • lead and assist the College’s workforce and students in preserving the confidentiality, integrity, and availability of all forms of information declared sensitive by AAMI, herein referred to as sensitive information.
  • give special attention to preserving the confidentiality of information that bears directly on the privacy, health, and property rights of persons with whom AAMI has business transactions, including workforce, students, alumni, applicants, contractors, vendors, and customers.
  • lead and assist the College’s workforce and students in protecting the physical and digital components that shelter, store, process, or transmit sensitive information, herein referred to as sensitive systems. These assets include both technical and physical containers, such as computers, networks, databases, applications, buildings, rooms, safes, cabinets, closets, and other components of the infrastructure.
  • engage all workforce and students, as appropriate to their roles, in actively anticipating and addressing threats and hazards to the security of sensitive information and sensitive systems.


  1. The Director of Operations is primarily responsible for assuring an effective Information Security Program.
  2. The Director of Operations is primarily responsible for enforcement. This responsibility may be delegated.
  3. All supervisors and department heads must implement and monitor procedures, as appropriate to their business unit’s work, to support and encourage the proper treatment of sensitive information or sensitive systems.
  4. All workforce and students, as appropriate to their jobs, must treat sensitive information and sensitive systems in accordance with the principles and procedures established by the Program.
  5. Responsibility for developing, deploying, and managing the Program lies with the President’s Academic Council and Chief Information Security Officer (CISO), who will work with the College’s Counsel and the Accounting firm conducting an Internal Audit.
  6. The CISO will work with the relevant stakeholders to formulate specific policies, guidelines, standards, and procedures in support of various risk management strategies. The College’s President, President’s Council, or Director of Operations may further establish advisory or working groups to assist in implementing this policy.
  7. Compliance is determined via periodic risk assessments consisting of audits, scans, and reviews, and is measured against published policies, procedures, and standards. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations. The risk assessment analysis addresses, but is not limited to:
    (1) Employee training and management;
    (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
    (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
  8. Department heads are responsible for the compliance of their departments with this policy, related policies, and their applicable standards, guidelines and procedures.
  9. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and written notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.
  10. Nothing in this section will be construed as an impediment to responding to a security
  • AAMI uses third-party providers for certain security solutions and can provide specific information upon request.