Privacy & Security of Sensitive Information

at Sterling College






















Updated 7-29-2014





Policy Objective and Scope


The objective of the Sterling College Sensitive Information Policy is to advise and govern faculty, staff, and students on the storage and release of sensitive information at Sterling College.






For the purposes of this policy, sensitive information is an individual's name, address, or telephone number combined with any of the following:


• Social security number or taxpayer ID number

• Financial account, credit or debit card number

• Financial/salary data

• Driver's license number

• Date of birth

• Medical or health information protected under state or federal law (e.g. HIPAA)

• Student data protected under state or federal law (e.g. FERPA)

• Access codes, security codes or passwords that would permit access to sensitive information


In addition, the security of other types of sensitive or confidential information is provided for in this policy. This includes, but is not limited to, information relating to any of the following:


• Current or future fundraising campaign strategies

• Donor information such as wealth, asset holdings, and giving history, internal and external to Sterling College

• Information regarding Sterling College’s current or projected financial matters, including its schools and programs

• Vendor proprietary information (e.g. information from a third-party held confidential by agreement)

• Information explicitly marked as confidential (e.g. documents prepared for the Board of Trustees)






Storage and Access of Sensitive Information


Remote Access



All remote access to sensitive information contained in applications and servers must be managed and secured exclusively by Warrior Innovation and Technology Services (henceforth referred to as “WITS”). WITS provides encrypted, VPN-authenticated remote access to applications and servers for this purpose.


Physical Access



Oftentimes, gaining physical access to or observing the use of a computer can result in impermissible disclosure of sensitive information. Sterling College requires steps to reduce the possibility of accidental disclosure in this manner, including:


• Using an automatically activated screen saver password to secure the computer when it is unattended.

• Positioning monitors to prevent inadvertent disclosure of sensitive information on screens.

• Securing computer and portable media physically from theft or tampering by locking them within a secure area.

• Implementing tools that aid in the identification of persons who unlawfully gain access to sensitive information to facilitate disciplinary action and/or prosecution by law enforcement agencies.

• Allowing access only from designated wired VLANs.


Virus Protection



Viruses and malware constitute a significant threat to sensitive information and may allow unwanted disclosure. All Sterling College computers are equipped with virus and malware protection. Faculty and staff with Administrative Rights to Sterling College computers shall not alter or disable this protection.

All computers, including those personally owned and attached to the campus network or used for the processing or storage of sensitive information, must have virus protection installed and up to date. Additionally, all computers must have their operating system and software security patches up to date.


Permissions and Passwords



Remote access to applications and systems is granted by authentication and authorization systems managed by WITS. In most cases, access is allowed via username and password. Faculty, staff and students must take precautions to safeguard usernames and passwords including:



• Not writing usernames and passwords down or keeping them where others could gain access.

• Never sharing or divulging usernames or passwords to anyone.

• Choosing strong passwords, including both letters and numbers, and at least one non-alphanumeric character (e.g. “W8rr10rS!”)

• Not entering passwords on computers that have the potential to be compromised, such as public computers in Internet cafés or airports.

• Refraining from saving or caching passwords in browsers or other applications.





Frequently, sensitive information in documents is sent between people and stored in email for later retrieval. This may result in sensitive information being vulnerable while stored on email servers, on local computers both at work and at home, and during transmission. Users should avoid transmission or storage of sensitive information in email unless absolutely necessary, and only after the data is adequately encrypted. WITS is available to advise users on alternatives to storing sensitive information in email.


Servers and Network


Server rooms are to remain locked and secure at all times. Physical access can only be granted by an accompanying WITS representative. Hosted servers are stored in a secure facility in Cleveland, OH with the CampusEAI consortium.


• Servers are protected by uninterruptible power supplies.

• Servers, both physical and virtual, are backed up daily.

• Networks are protected with unified threat management (UTM) equipment.

• Hosted network software is accessible only via VPN.



Retention and Destruction of Sensitive Information


In some cases, the retention of data may be mandated by government and/or other regulations. In such cases, retention of data shall comply with these rules.


Otherwise, copies of sensitive information that are made for a specific purpose must be deleted after that purpose has been fulfilled. In the case of paper or other disposable media, such as CDs, floppies, or magnetic tape, destruction should be complete and permanent. For assistance please contact the WITS Help Desk.


If you have access to or copies of sensitive information in your possession or under your control, you are responsible for surrendering that information upon termination of your employment. Your manager, Dean, Vice President, or a member of Human Resources will work with you to assist you in this critical task prior to your last day of work. No Sterling College employee – faculty or staff – should delete information at the conclusion of employment without consulting his/her supervisor.


Note: If your position gives you access to sensitive information as defined in this policy, your Sterling College e-mail, computer, and network access shall be terminated immediately upon the conclusion of your employment.


Policy Compliance


All persons with access to sensitive information at Sterling College are responsible for compliance with this policy. Violations of this policy are serious and may result in disciplinary action up to and including termination of employment. Any disclosures of sensitive information that are not for Sterling College business purposes shall be reported expeditiously to the Director of Innovation and Technology, the Office of the President, or the Vice President over your department. Such a report shall include:


• The type and scope of information disclosed (who, what, when)

• Circumstances under which the disclosure occurred (where, how)