Policy Subject: Data Security Policy
Date Revised:
I. Background and Purpose
A federal law enacted in 1999, the Gramm-Leach-Bliley Act (GLB Act), requires colleges and universities to implement policies for protecting student financial information. The law primarily targets banks and other financial institutions, but colleges and universities are covered to the extent they provide “financial products or services,” such as processing student loans. Financial data, such as parental income, and other personal data, such as social security numbers, obtained in connection with such transactions must be protected against computer hackers and other security risks.
The GLB Act charged the Federal Trade Commission with issuing regulations regarding the accuracy and security of financial information. The FTC issued two sets of implementing rules, known as the Privacy Rule and the Safeguards Rule. Colleges and universities that comply with the Family Educational Rights and Privacy Act (FERPA) are deemed in compliance with the Privacy Rule. There is, however, no corresponding FERPA safe harbor for the Safeguards Rule. Colleges and universities therefore must implement data security policies to comply with the rule.
The Safeguards Rule requires covered institutions to implement a data security policy with five elements:
II. Constraints
III. Definitions
IV. Policy Statements
Data contained in the University’s systems are the property of the University of Wisconsin-Superior and represent official University records. Exceptions to this policy are: faculty developed curricular material, student developed curricular material, or certain licensed information such as electronic journal subscriptions. Questions regarding exemptions should be discussed with the University Legal Counsel.
Users who accept access to University data, regardless of the medium, also accept responsibility for adhering to certain principles in the use and protection of that data. These principles are:
1. Information systems within the University shall be used only for and contain only data necessary for fulfillment of the University’s mission.
2. University data shall be used solely for the legitimate business of the University.
3. Due care shall be exercised to protect University data and information systems from unauthorized use, disclosure, alteration or destruction.
4. University data, regardless of who collects or maintains it, shall be shared among only those faculty or staff whose responsibilities require knowledge of such data.
5. University policies and procedures are being developed to address federal and state laws concerning storage, retention, use, release, transportation and destruction of data and/or all information systems.
6. University computerized information systems shall be constructed in such a manner as to assure that:
a. Accuracy and completeness of all system contents are maintained during storage and processing;
b. Data, text and software stored and processed can be traced forward and backward for auditability;
c. Information systems capabilities can be reestablished within an acceptable time after loss or damage by accident, malfunction, breach of security or act of God; and
d. Actual or attempted breaches of security can be detected promptly.
7. Appropriate University procedures shall be developed for reporting any breach of security or compromise of safeguards.
8. Any faculty or staff member engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, including possible dismissal. The disciplinary actions are defined in the “appropriate use” policy, the “Faculty/Staff” handbook, and System policies (www.uwsa.edu/spp.htm).
9. Any student engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, including possible expulsion. The disciplinary actions are defined in the “appropriate use” policy, the “student” handbook, and System policies.
10. Users may not use, query, release or print data in any application to which they have not been given deliberate access, which can include but is not limited to:
a. Transcripts, grade reports, enrollment reports;
b. Financial Aid information;
c. Personnel or leave reports;
d. Reports for government or funding agencies;
e. Fund-raising activities;
f. Mailing lists and labels (University Relations); and
g. Private or public release of data to outside parties such as students, parents, and the news media.
11. All requests for information under the Freedom of Information Act, the Wisconsin Public Records Law, law enforcement agencies, subpoenas, etc. must be referred to the Provost (http://www2.uwsuper.edu/infotech/IITS/Policy/response_to_subpoenas.doc) before releasing any records.
V. Policy Procedures
Safeguarding of University information systems and data shall be the responsibility of each faculty, staff or student with knowledge of the system or data. Specific responsibilities are as follows:
· Management – All levels of management are responsible for ensuring that system users within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, managers are responsible for validating the access requirements of their staff according to their job functions prior to submitting requests for access, and for ensuring a secure office environment with regard to University information systems. Managers of major University offices should appoint an individual within their staff to ensure these responsibilities are observed. Managers are also responsible for ensuring that their staff attend appropriate training sessions offered by the University to ensure compliance with laws, regulations and local policies.
· Employees – Faculty, staff, and student employees are responsible for the protection, privacy, and control of all University data they access or create, regardless of the data storage medium. All employees must ensure that the data and data media are maintained and disposed of in a secure manner. All employees are responsible for understanding the meaning and purpose of the data to which they have access, and may use this data only to support the normal functions of the employees’ administrative and academic duties. All employees are responsible for all transactions occurring under their userid and/or password. Passwords and userids may not be shared with anyone under any circumstances.
· Students – Students are responsible for protecting their userids and passwords so that no unauthorized persons have access to their University records.
· Any user with access to University data should participate in University sponsored training sessions to improve their understanding of how to safeguard their own privacy and should be familiar with all IT Policies including but not limited to:
o Disconnecting from the Network
VI. Compliance
The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of personal information that is collected from customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information. The FTC has ruled that colleges and universities are financial institutions for the purposes of this Rule, and must be in compliance. Listed below is a compliance assessment for the University of Wisconsin-Superior.
Requirement | Progress
Designate one or more employees to coordinate the safeguards. | Chancellor’s Cabinet
Identify and assess the risks to customer information in each relevant area of the institution’s operation, and evaluate the effectiveness of the current safeguards for controlling data risks. | Completed for centralized network, administrative, academic and web-based systems. An assessment of local office databases must be undertaken.
Design and implement a safeguards program, and regularly monitor and test it. | Completed for IITS and core functional offices including the Registrar, Financial Aids, the Bursar, and
Select appropriate service providers and contract with them to implement safeguards. | Each functional office should review its current contracts for compliance. All new contracts should contain safeguard language.
Evaluate and adjust the information security program in light of changing laws or circumstances. | The program will be evaluated and monitored by the IITS Council and the University Technology Committee.
Check references and do security checks on employees who will have access to customer information. | (Check with HR) Reference checks and criminal background checks are completed for new employees with access to customer information.
Confidentiality agreement. | Is active and available from the web.
Employee training program | In development. Combination of IT Customer Service Staff and Registrar.
Inform employees and users of privacy policy and security measures. | In development. Combination of IT Customer Service Staff and Registrar.