Privacy & Security of Sensitive Information at Sterling College
Updated 7-29-2014
Policy Objective and Scope
The objective of the Sterling College Sensitive Information Policy is to advise and govern faculty, staff, and students on the storage and release of sensitive information at Sterling College.
Definitions
For the purposes of this policy, sensitive information is an individual's name, address, or telephone number combined with any of the following:
• Social security number or taxpayer ID number
• Financial account, credit or debit card number
• Financial/salary data
• Driver's license number
• Date of birth
• Medical or health information protected under state or federal law (e.g. HIPAA)
• Student data protected under state or federal law (e.g. FERPA)
• Access codes, security codes or passwords that would permit access to sensitive information
In addition, this policy provides for the security of other types of sensitive or confidential information. This includes, but is not limited to, information relating to any of the following:
• Current or future fundraising campaign strategies
• Donor information such as wealth, asset holdings, and giving history, internal and external to Sterling College
• Information regarding Sterling College's current or projected financial matters, including its schools and programs
• Vendor proprietary information (e.g. information from a third party held confidential by agreement)
• Information explicitly marked as confidential (e.g. documents prepared for the Board of Trustees)
Storage and Access of Sensitive Information
Remote Access
All remote access to sensitive information contained in applications and servers must be managed and secured exclusively by Warrior Innovation and Technology Services, henceforth referred to as "WITS". WITS provides encrypted, authenticated VPN remote access to applications and servers for this purpose.
Physical Access
Often, gaining physical access to a computer, or observing its use, can result in impermissible disclosure of sensitive information. Sterling College requires steps to reduce the possibility of accidental disclosure in this manner, including:
• Using an automatically activated, password-protected screen saver to secure the computer when it is unattended.
• Positioning monitors to prevent inadvertent disclosure of sensitive information on screens.
• Securing computers and portable media physically from theft or tampering by locking them within a secure area.
• Implementing tools that aid in the identification of persons who unlawfully gain access to sensitive information, to facilitate disciplinary action and/or prosecution by law enforcement agencies.
• Allowing access only from designated wired VLANs.
Virus Protection
Viruses and malware constitute a significant threat to sensitive information and may allow unwanted disclosure. All Sterling College computers are equipped with virus and malware protection. Faculty and staff with administrative rights to Sterling College computers shall not alter or disable this protection.
All computers, including those personally owned and attached to the campus network or used for the processing or storage of sensitive information, must have virus protection installed and up to date. Additionally, all computers must have their operating system and software security patches up to date.
Permissions and Passwords
Remote access to applications and systems is granted by authentication and authorization systems managed by WITS. In most cases, access is allowed via username and password. Faculty, staff and students must take precautions to safeguard usernames and passwords, including:
• Not writing usernames and passwords down or keeping them where others could gain access.
• Never sharing or divulging usernames or passwords to anyone.
• Choosing strong passwords, including both letters and numbers, and at least one non-alphanumeric character (e.g. "W8rr10rS!").
• Not entering passwords on computers that have the potential to be compromised, such as public computers in Internet cafés or airports.
• Refraining from saving or caching passwords in browsers or other applications.
E-mail
Frequently, sensitive information in documents is sent between people and stored in email for later retrieval. This may leave sensitive information vulnerable while stored on email servers, on local computers both at work and at home, and in transit. Users should avoid transmission or storage of sensitive information in email unless absolutely necessary, and only after the data is adequately encrypted. WITS is available to advise users on alternatives to storing sensitive information in email.
Servers and Network
Server rooms are to remain locked and secure at all times. Physical access can only be granted by an accompanying WITS representative. Hosted servers are stored in a secure facility in Cleveland, OH with the CampusEAI consortium.
• Servers are protected by uninterruptible power supplies.
• Servers, both physical and virtual, are backed up daily.
• Networks are protected with unified threat management (UTM) equipment.
• Hosted network software is accessible only via VPN.
Retention and Destruction of Sensitive Information
In some cases, the retention of data may be mandated by government and/or other regulations. In such cases, retention of data shall comply with these rules. Otherwise, copies of sensitive information that are made for a specific purpose must be deleted after that purpose has been fulfilled. In the case of paper or other disposable media, such as CDs, floppies, or magnetic tape, destruction should be complete and permanent. For assistance please contact the WITS Help Desk.
If you have access to or copies of sensitive information in your possession or under your control, you are responsible for surrendering that information upon termination of your employment. Your manager, Dean, Vice President, or a member of Human Resources will work with you to assist you in this critical task prior to your last day of work. No Sterling College employee, faculty or staff, should delete information at the conclusion of employment without consulting his/her supervisor.
Note: If your position gives you access to sensitive information as defined in this policy, your Sterling College e-mail, computer, and network access shall be terminated immediately upon the conclusion of your employment.
Policy Compliance
All persons with access to sensitive information at Sterling College are responsible for compliance with this policy. Violations of this policy are serious and may result in disciplinary action up to and including termination of employment.
Any disclosures of sensitive information that are not for Sterling College business purposes shall be reported expeditiously to the Director of Innovation and Technology, the Office of the President, or the Vice President over your department. Such a report shall include:
• The type and scope of information disclosed (who, what, when)
• Circumstances under which the disclosure occurred (where, how)