Body
Note: In this policy the term ‘customer’ includes all students regardless of physical location or instructional modality.
The Jenzabar Student Information System (SIS) is the primary data store of Eastern Mennonite University (EMU). The university has made a substantial investment in human and financial resources to obtain and manage this system. The following procedures have been established to protect this investment and the good reputation of the university, to develop data stewardship to safeguard the information contained in these systems, and to enhance the fulfillment of the mission of the university.
Further, the Federal Trade Commission (FTC) requires colleges and universities to establish policies and procedures for protecting information in compliance with the Gramm-Leach-Bliley Act (GLB Act). This act requires that financial institutions, including colleges and universities, develop plans and establish policies to protect customer financial information (customer information).
Information Systems (IS) staff members are responsible for the administration of these security procedures, in accordance with all university information policies dealing with security, access and confidentiality of university records.
All users of EMU information systems and applications that depend on those systems’ data (e.g. Jenzabar EX, Moodle, myEMU, PowerFAIDS, etc.) are required to comply with these security procedures.
Information Security Plan
Information Systems leadership, specifically the Director of Technology Systems, will be responsible for the coordination and execution of the Information Security Plan at (EMU).
Possible Internal and External risks to security
This section identifies anticipated threats to customer information including but not limited to unauthorized access, eavesdropping, electronic student record protection, non-electronic student record protection and disposal of information.
A list of possible threats to customer information follows; the list is not comprehensive. This plan has been created in part to mitigate the risks identified in the list:
- Unauthorized read/write access through software applications.
- Unauthorized access to extracted or downloaded data.
- Unauthorized copying of data files.
- Weak password selection.
- Improper protection of passwords.
- Unrestricted physical access to servers.
- Unrestricted physical access to storage media.
- Unrestricted physical access to networks.
- Unauthorized printing of data.
- Improper storage of printed data.
- Unauthorized viewing of printed data.
- Unauthorized viewing of computer displayed data.
- Unprotected documentation usable by intruders to access data.
- Improper destruction of printed material.
- Improper disposal of magnetic media.
- Uncontrolled changes in technology or configuration.
- Accidental viewing of data.
Information Systems (IS) Responsibilities
Electronic access to customer information
Access to Customer Information is protected by usernames and passwords. The IS department is responsible for the administration of all access controls for the information systems.
Employees are granted access to resources based on the principle of least privilege: only the minimal set of resources necessary to complete their job responsibilities are permitted. Access to specific resources is granted by Information Systems administrators only by request of the employee's supervisor or by request of executive-level leadership (members of the President's cabinet or deans). Requests that do not originate from these sources require approval from supervisors or executive-level leadership before access will be granted. Removal of access privileges is performed by Information Systems administrators at the request of supervisors, executive-level leadership, or upon notification from the Human Resources office of a change in employment status. Information Systems staff run daily processes to ensure that accounts of former employees and unused accounts are deactivated.
Programmers and other technical staff with application or programmatic access to customer information are to be authorized by Information Systems leadership.
Information Systems staff will reset account passwords only when a user is positively identified.
Network access to systems with customer information is controlled by restrictions on unauthorized networks and computers within routers or firewalls protecting these systems.
Access to systems with customer information over the internet is secured by SSL encryption. All financial transactions over the internet are likewise secured by SSL encryption.
Access to backup and test servers storing customer information is tracked, just like production servers.
Descriptive names for systems with customer information, which identify them as storing customer information, are to be avoided in public lists like Domain Name Service (DNS) records.
When a subset of customer information is downloaded or extracted from files or databases to a local computer, the computer is identified and protected with the same care as customer information on the original servers.
Physical access to customer information
Customer information media to which these procedures apply include hard copy files, electronic files, servers, media and networks.
Production and backup servers with customer information are housed in secure areas. Access to core server area is to be authorized by Information Systems leadership. Only authorized staff have keys to the data center. Unauthorized personnel in secure areas are to be escorted by authorized personnel.
Access to networking equipment closets is restricted by lock and key. All network closet keys and the master key are kept in the secured lockbox located in each IS suite. Keys are signed out to IS employees under supervision of Information Systems leadership.
Lost or stolen keys to secure areas must be reported to Information Systems leadership and to campus security immediately. If there have been stolen or lost keys, the affected locks will be changed.
Media used to store customer information must be properly erased in a manner which prevents the restoration of deleted files.
Documentation handling
Administrative and network system documentation which can be used by intruders to discover the location of and/or methods of access to customer information will be handled by the same standards as customer information itself.
Passwords of systems with customer information must be mailed only in an opaque, sealed envelope.
Printed copies of documentation must be shredded when no longer in use.
Department Responsibilities
Data stewardship has, as its main objective, the management of the university's data assets in order to improve their usability, accessibility and quality. This is accomplished through the role of the department directors who have planning and policy level responsibility for data within their areas, and management responsibilities for defined segments of the institutional data. In the simplest terms, the data stewards are the “owners” of the data. Ultimately, data stewardship is the responsibility of departmental directors and their designees, in conjunction with IS staff.
Access to customer information is protected by user names and passwords. In addition, the director of each department has control over who has access to individual areas.
Authority to access customer information is given by the security officer or the head of the department. For example, in the case of financial aid information, the financial assistance director approves access to customer information on a person by person basis reflected by the privileges associated with the user’s account in the Financial Aid Office.
Supervisor and Manager Responsibilities
Supervisors and managers will:
- Provide appropriate support and guidance to assist employees in fulfilling their job responsibilities under these security procedures.
- Promote and provide appropriate data stewardship in their areas of responsibility.
- Work with the IS staff to create and validate proper authorizations for access to customer information for current and new employees.
- Create appropriate control practices, standards and methods designed to provide reasonable assurance that all employees observe these security procedures.
Department heads will email the names of users who are no longer authorized to access customer information to helpdesk@emu.edu as soon as is practical.
Students with access to customer information must sign Technology Code of Responsibility for Employees. Signed copies of the code should be submitted to IS along with the access request.
All individuals with access to customer information will receive regular reminders of their obligations when they stop working with customer information.
Human Resources Responsibilities
HR will notify IS of employee new-hires, transfers and terminations in a timely fashion. Involuntary terminations will be reported concurrent with the termination.
Human Resources office will email the names of users who are no longer authorized to access customer information to helpdesk@emu.edu as soon as is practical.
Training for faculty and staff
Training for new faculty and new staff will include, at a minimum, an explanation of the purpose of the GLBA, a synopsis of the GLBA, the contents of the Plan, their responsibilities stated by the GLBA and the use of encryption as a method of protecting transmissions of customer information.
Existing faculty and staff with access to customer information will receive the same training as new faculty and staff and be reminded, at a minimum, yearly of their responsibilities under the GLBA.
Oversight of Service Provider Arrangements
EMU will select appropriate service providers that are given access to customer information in the normal course of business and will contract with them to provide adequate safeguards. In the process of choosing a service provider that will have access to customer information, the evaluation process must include the ability of the service provider to safeguard customer information. Contracts with service providers must include the following provisions:
An explicit acknowledgment that the contract allows the contract partner access to customer information.
A specific definition of the customer information being provided.
A stipulation that the customer information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
A guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract.
A guarantee from the contract partner that it will protect the customer information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers’ customer information.
A provision allowing for the return or destruction of all customer information received by the contract partner upon completion of the contract.
A stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract.
A stipulation that any violation of the contract's protective conditions amounts to a material breach of contract and entitles the university to immediately terminate the contract without penalty.
A provision allowing auditing of the contract partners’ compliance with the contract safeguards requirements.
A provision ensuring that the contract’s protective requirements shall survive any termination agreement.
Employee Responsibilities
Electronic information handling
Employees will ensure that all information systems access is requested and used for professional reasons and is required to fulfill the requester’s current job responsibilities.
Employees will use and protect their personal user account passwords and privileges, and will not share those with other persons (employees or non-employees). Employees will use strong (hard to guess) passwords. Passwords will not be shared by users or within departments.
Employees will be responsible for the content of all institutional data that are transmitted over the Internet, sent through email or passed to other departments for university use. They will avoid transmission of protected information. If it is necessary to transmit protected information, employees are required to take steps to reasonably ensure that the information is delivered securely to the proper person who is authorized to receive such information for legitimate university use.
Know and abide by all university information policies dealing with security and confidentiality of university records.
Image files and other representations of customer information must be protected with the same care as regular data files and printed materials.
Employees will secure their workstation by logging off or locking the screen before leaving it unattended for extended periods of time.
Controlling viewing access/inquiry access
Placement of computer terminals which display customer information will be done in such a way as to prevent casual viewing or eavesdropping by unauthorized personnel.
Computer terminals used to display customer information will not be left unattended by the user with customer information still displayed.
Employees will positively identify all customers requesting access to customer information.
Lost or stolen keys to secure areas must be reported to Information Systems leadership and to campus security immediately. If there have been stolen or lost keys, the affected locks will be changed.
Attempts to break into secure areas will be reported to campus security and Information Systems leadership.
Printed material handling
Printed copies of customer information:
- Are to be handled or viewed only by authorized personnel.
- If used in unrestricted areas, copies in use by authorized personnel are to be put away in lockable storage when unattended.
- Will be stored in secure areas.
All printed copiers of customer information that are no longer needed must be shredded.
Responsibility and Review
Responsible Party
Responsibility for this policy lies with the provost. Policy implementation is the responsibility of Information Systems leadership.
Policy Review
This policy is to be reviewed by the Provost's Council.