Statement on Aurora University’s Information Security Program

 

 

PHILOSOPHY:

Aurora University (AU) sincerely values the wide array of data with which it has been entrusted.  While we are committed to the security of all of our data, we are particularly committed to protecting the wide range of personally identifiable information (PII) in our databases.  The minimum standards that Aurora University employs for the protection of all data, especially PII, are defined by federal law including the Family Educational Rights and Privacy Act, the Higher Education Act, and the Graham-Leach-Bliley Act. AU will take the necessary steps to implement management responsibility, quality equipment deployments, meaningful evaluations, and business strategies designed to protect all secure information, especially PII.

 

RESPONSIBLE AUTHORITY:

AU designates its Chief Information Officer as its official responsible for the implementation, coordination, evaluation, and remediation of its information security program.  As indicated in 16 CFR 314.4 it is the information security officers duty to: “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of AU operations”.

 

While the Chief Information Officer is ultimately responsible for information security, each constituent department plays a significant role. 

 

PROCEDURES:

Each set of University data will be classified as having an “owner”. The owner will be represented by a specific individual within the University department responsible for that data. Any time a department or individual wishes to gain access to another department’s data, they must obtain permission from the official responsible for the data sought.  Permission will only be granted if there is a demonstrable and legitimate educational need to know. Permission must be explicit, written, designate any expiration date, and be provided to the Chief Information Officer for filing.

 

ENFORCEMENT OF POLICY:

Each department is responsible for enforcing this data security policy.

 

It is AU policy that confidential information is to be used only when necessary for University, college, or departmental business. Refusal to adhere to this policy is a clear violation of the Family Educational Rights and Privacy Act of 1974, The Higher Education Act, and /or the Graham, Leach, Bliley Act. Offenders will be subject to disciplinary action and possible referral of the violation to the proper authorities.

 

In the event that a breach of information security policy is discovered, the Chief Information Officer is to be immediately notified.  The Chief Information Officer will then apply the University’s Data Breach Policy as deemed necessary.

 

CONFIDENTIAL DATA:

Confidential data includes any information subject to University or legally imposed confidentiality regulation. Examples include, but are not limited to, personally identifiable information (PII) such as Social Security, Driver’s License, or Passport Numbers; Birth Date; financial information; individual’s medical or academic information; any data covered by FERPA, HIPAA, GLB, or PCI regulations and standards.  Unauthorized access, transmission, collection or storage of confidential data is prohibited.  Access to and storage of confidential information on personal (user owned) devices can pose substantial risk to the University (as well as the individual) and is prohibited.

 

TYPES OF CONFIDENTIAL DATA:

For the purposes of this policy, types of confidential information are categorized as follows:

 

  • Student Information
  • Student Financial Aid Information
  • Student Prospect, Inquiry or Applicant information
  • Student Housing Information
  • Administrative Financial Information
  • Human Resources Information
  • University Analytics Information

 

Within these general categories, the different types of data are broken down into subsets; an AU official is identified as the custodian for each type of confidential data.

 

 

Student Information

Data Owner – University Registrar

The  Office  of  the  Registrar  is  the  official  custodian  of  information  on  individual  students.  For security purposes, student information is divided into the two categories of directory and academic.

 

Directory Information

University personnel may have access to directory information and may, without restriction, disseminate information for official use on and off campus. The Family Educational Rights and Privacy Act of 1974 specifies the following as directory information:

 

  • Student’s name, address, telephone number, e-mail address, photograph, date and place of birth;
  • Major, dates of enrollment, degree conferred and dates of conferral, any honors and awards;
  • Most recent institution attended prior to admission to AU;
  • Grade level such as Freshman or Sophomore, and Enrollment status such as graduate or undergraduate;
  • Participation in  officially  recognized  activities  and  sports  and  weight  and  height  of members of University athletic teams

 

If a student does not wish any of the above information released to non-institutional persons or organizations, a Non-Disclosure of Directory Information must be completed in the Registrar’s office. Once the student has completed the form, the confidential flag is marked in Colleague. A ‘Confidential’ comment will appear in the upper left hand corner on all Colleague screens. This request will remain in effect until the student notifies, in writing, the Registrar’s office to remove the flag.

 

Academic Information

Academic information, including grades, academic status, class schedules, etc., cannot be released to third parties without the student’s written permission. Academic information can be used by AU employees having a legitimate educational interest in the student and who are acting within the limitations of their need to know may access student educational records without prior consent of the student. This includes personnel in academic offices as well as student support offices, such as Admissions, Student Accounts, Financial Aid, Registrar, etc.). This is true even if the student has been granted non-disclosure.

 

Academic information not available from Colleague should be requested from the Office of the Registrar. Requests for information from students or from agencies or individuals outside the University should also be referred to the Office of the Registrar.

 

Summary Student Information

The office of University Analytics is the official source of aggregate or summary student information, such as enrollment or credit hour data intended for on- or off- campus dissemination. Requests for reports and analyses involving summary student data to be produced through internal systems will be developed in conjunction with the office of University Analytics. This will ensure that reports and analyses are based upon the most accurate information and will enhance the consistency and integrity of information generated by colleges and departments.

 

Student Disability Information

Student disability information is the responsibility of the Disability Resource Officer.  Any requests concerning student disability information should be referred to the Disability Resource Officer in the Academic Support Center

 

Student Health Information

Information requests concerning student physical health are governed by the Director of the Wellness Center.  Information requests concerning student mental health are the responsibility of the Director of the Counseling Center.  Such requests should be referred accordingly.

 

Student Athlete Information:

Information concerning student athlete is under the governance of the Athletic Director.  All requests concerning student athletic information should be referred to the Athletic Director.

 

Student Prospect and Applicant Information

 

Data Owner: Senior Director of Enrollment Services

Enrollment Services is the official source of information on individual student prospects, inquiries and applicants. All requests for this type of information should be addressed to the Senior Director of Enrollment Services.

 

Student Financial Aid Information

 

Data Owner: Dean of Student Financial Services

The Financial Aid Office is the official source of information on individual University students receiving financial assistance from various aid programs, including grants and scholarships and loans. All requests for this type of information should be addressed to the Dean of Student Financial Services.

 

Student Housing Information

Data Owner: Assistant Dean of Resident Life

Any information pertaining to student housing on campus should be requested from the Director of Resident Life.

 

Donor Information

Data Owner: Assistant Vice President for Advancement Operations

Advancement Operations is the official source of donor and alumni information.  All requests for this confidential information should be submitted to the Assistant Vice President for Advancement Operations.

 

Payroll Information

Data Owner: University Controller

The Business Office is the official source of financial information on individual University employees. All requests for this confidential financial information should be submitted to the University Controller.

 

Human Resources Information

Data Owner: VP for Human Resources

Information concerning specific job positions (classifications, descriptions, etc.) at the University is maintained by the Human Resources department. All requests for employee information (excluding payroll information) should be sent to the VP for Human Resources.

 

 

 

University Analytics Information

Data Owner: Director of University Analytics

University Analytics information includes data on student enrollment, faculty reports, credit hour production, surveys (e.g., retention of students), government reports, etc. The official source for this type of information is the office of University Analytics, and all requests for such information should be submitted to the Director of that office.

 

Financial Accounting Information

Data Owner: University Controller

Revenue, expenditure and budget information is maintained for each account.  Requests for access to information should be submitted to the University Controller.

 

DATA RETREIVAL AND DISSEMINATION:

Data classification indicates what the user is able to do with the data. Specific restrictions are outlined and enforced by individual departments responsible for the data. Specific levels of access clearance include the following:

 

  1. Read only
  2. Maintenance (Update, Add, Delete)

 

Various user classifications will have access to data through one or a combination of these clearance levels. Each user ID is restricted by the forms that the user has been granted to access, i.e., their clearance level will provide them the ability to access a limited number of forms. If a user tries to access a form inappropriate to his/her clearance level, a security violation message will appear on the screen.

 

N.B.: Data should not be downloaded to other storage medium without permission from the departmental owner of that data. Downloading of administrative data requires a separate authorization from the data owner. Individual users will be held responsible for any violation of this procedure.

 

SECURITY:

Departmental Security

Each department will designate an “owner” for the data it maintains. Appropriate procedure for retrieval and dissemination of University data will be followed as outlined in the previous section, Data Retrieval and Dissemination.

 

Departments storing data subject to University regulations are responsible for ensuring all such data is protected in accordance with institutional regulations. This applies to all such data from any source, whether electronically transferred from the administrative systems, or entered by the individual department from printed documents.

Specifically, departments must ensure that access to individual workstations or servers containing this information or access to output generated from departmental systems, is restricted to individuals authorized to access the data. Password security on individual stations or servers is not sufficient to ensure compliance; any such systems on which regulated data is stored must also be in secure, supervised areas, such as departmental or individual offices.

 

Backup tapes, disks or copies of data on printed or electronic media must be similarly protected. Under no circumstances shall confidential data or access to it be granted to personnel from other departments or non-University personnel without express written authorization from the appropriate administrative office. Any unauthorized storage and/or reproduction of confidential University data (e.g., grades, transcript files, etc.) is strictly prohibited.

 

Physical Security

Deans and department/division heads are responsible for ensuring the physical security and responsible use of computers located in departments and offices under their authority. The following policy statements should be made available and/or posted prominently so that all personnel working with computers know the extent of their responsibility.

 

  1. Computers must be located in physically secure areas which can be locked when not in use;
  2. Access to computers will be limited to individuals engaged in official University business;
  3. Use of computers by student workers should be restricted to those cases in which student workers are absolutely necessary to supplement regular University staff Student workers should be thoroughly instructed in the proper and responsible use of computers;
  4. Each individual with access to administrative information is assigned his/her own user id (username) and The owner of the code should not pass on this information to anyone else; the owner is responsible for any misuse of his/her sign-on credentials;
  5. Under no circumstances will the aforementioned codes be posted on or near computers;
  6. Computers which are “signed on” should never be left unattended; and,
  7. Requests for improvement of computer security, as well as suspected violations, should be addressed to the Chief Information Officer.

 

Computers which are routinely used by individuals not cleared for access to such data are inappropriate locations for confidential data (e.g. computers in student labs or other public locations.) Placing confidential information on systems of this nature constitutes a clear violation of University regulations.

 

Because of the possibility of theft and discovery of data, neither portable computers (notebooks, laptops, etc.) nor portable storage devices, including USB keys and portable disks, should be used to store sensitive or regulated data, unless such data is encrypted using an encryption process approved by Information Technology Services.

 

If accessing University information systems, you should not configure your software to use a stored password or otherwise bypass entering a password unless your computer is controlled by Active Directory or other University authentication systems and requires a logon before use. Furthermore, you should log off your computer when not actively using it (for example, when leaving the office for a meeting or lunch).

 

Data Security

Any individual who accesses University data, through a computer or a report, is responsible for the confidentiality of that data. Likewise, any individual who stores University data on a personal computer will be held accountable for the confidentiality of that information.

 

Server Security

Information subject to University or confidentiality regulation should not be placed on the main University web server without prior written approval from the appropriate administrative offices as well as the Chief Information Officer. Such data should, in general, be placed on Web only if absolutely essential to University business and only if appropriate safeguards, including appropriate file permissions, access controls and security patch procedures are in place.

 

Email Security

Electronic mail poses additional risks in the handling of confidential data. Data may quite readily be transmitted to unintended recipients through misaddressing or similar error. In addition, the routine maintenance of mail systems may require or inadvertently lead to viewing of some pieces of mail by mail systems administrators. Information Technology Services will respect the privacy of all such mail and will not reveal the contents of such mail to any other parties. However, if activities in violation of law or University regulations are discovered through this procedure, ITS may report such information to appropriate authorities.  Further, users are advised that electronic mail accounts may be scanned for specific data required by properly issued subpoenas or as otherwise ordered by the President of the University or their delegate.

 

Departments are advised that information subject to confidentiality regulations should not be transmitted via electronic mail without prior written approval from the appropriate administrative offices.

 

Cloud Services Security

No cloud services should be engaged for the storage of confidential data without gaining concurrence from Information Technology Services and the following written assurances from the cloud vendor:

 

  1. Contractual agreement to conform to minimum data security standards dictated herein; and,
  2. Receipt of annual SOC 2 reports for the vendor’s auditors attesting to their care of confidential and PII data.

 

Data Loss Prevention

Information Technology Services will use software that detects and intercepts improper transmittal of confidential information internal and external to the University’s network.  If a system detects improper transmittal of confidential information, the account involved will be suspended as soon as possible, including hours outside regular working hours. Consequences, such as reports not being run timely, may result.  Managers of those persons who have improperly transmitted protected information will be notified so appropriate re-training or disciplinary action may be taken.  An account suspended because of improperly transmitted confidential data will be reinstated upon request of the offending employee’s manager.

 

Users are cautioned against using insecure publicly available wireless to access confidential information.  If a user learns that they have accidentally accessed such a network, they must change their passwords immediately on a secure network and notify the Chief Information Officer.

 

 

Training:

New employees and student workers shall be trained on this information security policy during the onboarding process performed by Human Resources.  Employees of The Learning House who have access to confidential information, contractors, and remote workers should also be trained on this policy.  Current employees shall be asked to review and acknowledge the policy at least biennially. 

 

Testing Security Measures:

Twice per year Information Technology Services will evaluate department at random to assure compliance with the information security policy.  The evaluation will be done in accordance with a consistent and appropriate audit program.  Documentation will be stored indefinitely.  Two outcomes of each evaluation will be a report of findings and recommendations for better protecting information assets.