Privacy & Security of Sensitive Information
at Sterling College
Policy Objective and Scope
The objective of the Sterling College Sensitive Information Policy is to advise and govern faculty, staff, and students on the storage and release of sensitive information at Sterling College.
For the purposes of this policy, sensitive information is an individual's name, address, or telephone number combined with any of the following:
Social security number or taxpayer ID number
Financial account, credit or debit card number
Driver's license number
Date of birth
Medical or health information protected under state or federal law (e.g. HIPAA)
Student data protected under state or federal law (e.g. FERPA)
Access codes, security codes or passwords that would permit access to sensitive information
In addition, the security of other types of sensitive or confidential information is provided for in this policy. This includes, but is not limited to, information relating to any of the following:
Current or future fundraising campaign strategies
Donor information such as wealth, asset holdings, and giving history, internal and external to Sterling College
Information regarding Sterling College's current or projected financial matters, including its schools and programs
Vendor proprietary information (e.g. information from a third-party held confidential by agreement)
Information explicitly marked as confidential (e.g. documents prepared for the Board of Trustees)
Storage and Access of Sensitive Information
All remote access to sensitive information contained in applications and servers must be managed and secured exclusively by Warrior Innovation and Technology Services, henceforth referred to as WITS. WITS provides encrypted, VPN-authenticated remote access to applications and servers for this purpose.
Oftentimes, gaining physical access to or observing the use of a computer can result in impermissible disclosure of sensitive information. Sterling College requires steps to reduce the possibility of accidental disclosure in this manner, including:
Using an automatically activated screen saver password to secure the computer when it is unattended.
Positioning monitors to prevent inadvertent disclosure of sensitive information on screens.
Securing computer and portable media physically from theft or tampering by locking them within a secure area.
Implementing tools that aid in the identification of persons who unlawfully gain access to sensitive information to facilitate disciplinary action and/or prosecution by law enforcement agencies.
Allowing access only from designated wired VLANs.
Viruses and malware constitute a significant threat to sensitive information and may allow unwanted disclosure. All Sterling College computers are equipped with virus and malware protection. Faculty and staff with Administrative Rights to Sterling College computers shall not alter or disable this protection.
All computers, including those personally owned and attached to the campus network or used for the processing or storage of sensitive information, must have virus protection installed and up to date. Additionally, all computers must have their operating system and software security patches up to date.
Permissions and Passwords
Remote access to applications and systems is granted by authentication and authorization systems managed by WITS. In most cases, access is allowed via username and password. Faculty, staff and students must take precautions to safeguard usernames and passwords, including:
Not writing usernames and passwords down or keeping them where others could gain access.
Never sharing or divulging usernames or passwords to anyone.
Choosing strong passwords, including both letters and numbers, and at least one non-alphanumeric character (e.g. W8rr10rS!)
Not entering passwords on computers that have potential to be compromised, such as public computers in Internet cafés or airports.
Refraining from saving or caching passwords in browsers or other applications.
Frequently, sensitive information in documents is sent between people and stored in email for later retrieval. This may result in sensitive information being vulnerable while stored on email servers, on local computers at work or at home, and in transit. Users should avoid transmission or storage of sensitive information in email unless absolutely necessary, and only after the data is adequately encrypted. WITS is available to advise users on alternatives to storing sensitive information in email.
Servers and Network
Server rooms are to remain locked and secure at all times. Physical access can only be granted by an accompanying WITS representative. Hosted servers are stored in a secure facility in Cleveland, OH with the CampusEAI consortium.
Servers are protected by uninterruptible power supplies.
Servers, both physical and virtual, are backed up daily.
Networks are protected with unified threat management (UTM) equipment.
Hosted network software is accessible only via VPN.
Retention and Destruction of Sensitive Information
In some cases, the retention of data may be mandated by government and/or other regulations. In such cases, retention of data shall comply with these rules.
Otherwise, copies of sensitive information that are made for a specific purpose must be deleted after that purpose has been fulfilled. In the case of paper or other disposable media, such as CDs, floppies, or magnetic tape, destruction should be complete and permanent. For assistance please contact the WITS Help Desk.
If you have access to or copies of sensitive information in your possession or under your control, you are responsible for surrendering that information upon termination of your employment. Your manager, Dean, Vice President, or a member of Human Resources will work with you to assist you in this critical task prior to your last day of work. No Sterling College employee, faculty or staff, should delete information at the conclusion of employment without consulting his/her supervisor.
Note: If your position gives you access to sensitive information as defined in this policy, your Sterling College e-mail, computer, and network access shall be terminated immediately upon the conclusion of your employment.
All persons with access to sensitive information at Sterling College are responsible for compliance with this policy. Violations of this policy are serious and may result in disciplinary action up to and including termination of employment. Any disclosures of sensitive information that are not for Sterling College business purposes shall be reported expeditiously to the Director of Innovation and Technology, the Office of the President, or the Vice President over your department. Such report shall include:
The type and scope of information disclosed (who, what, when)
Circumstances under which the disclosure occurred (where, how)