
AY2009-2010 Opening Day--Information Technologies Overview

Information Technologies: Academic Year 2009-2010

 

Projects and Initiatives

 

  • Collaborative Faculty/Staff Projects (i.e., email service/data storage; electronic portfolios; etc.)
  • Small group (2-5 people) faculty and staff training and support opportunities
  • Monthly IT Town Hall Conversations (third Mondays; time/location TBD)
  • Monthly IT Tech Introduction (first Fridays; time/location TBD)
  • Online Workshops and Seminars (data management; information security; online collaboration, etc.)
  • Expanded College data website
  • Develop intranet to facilitate College communication
  • Collaborative tools for departmental/program use
  • Completion of College-wide technology continuity plan

 

 

 

 

Challenges

 

  • Meeting increased demand for network and storage resources
  • Maintaining state and federal PII and PCI regulatory compliance
  • Supporting offsite classroom locations
  • Increasing instructional design and user support offerings
  • Leveraging and renegotiating contractual agreements to realize increased services and cost savings
  • Increasing faculty and staff collaboration in long-term strategic planning activities


 

Information Security Breach Notification

 

Purpose

To define the circumstances under which the college shall provide notice regarding a breach in security of college information. 

 

 

Statement

Suspected or confirmed information security breaches must be reported immediately to the College's Chief Information Officer.  A breach is defined as unauthorized access of College information.

 

 

Description

Information Technologies will investigate all reports of security breaches of electronic private and/or highly sensitive information. Reports of potential information breaches will be reported to the Chief Information Officer, who will coordinate the College's investigation. Based on the results of the College's investigation, internal and/or external parties may be notified, as necessary and appropriate.

 

 

 

Additional Information

 

 

Procedure

Upon notification of a suspected breach of information, Information Technologies will:

  • Report the breach to the College's Chief Information Officer
  • Block or deny the escalation of the breach, when possible
  • Follow communication instructions as determined by the College's Chief Information Officer
  • Repair all damage associated with the information breach
  • Implement processes and procedures to prevent similar breaches from occurring in the future.

 

 

Internal Notification

  • The College's Chief Information Officer will report all suspected cases of significant information breaches to the College's President.
  • Working in coordination with the College's President and Executive Leadership Team, Information Technologies will establish an appropriate response strategy.
  • Based on the results of Information Technologies' investigation of the information breach, the Chief Information Officer will report the breach to the appropriate student judicial body and/or College Counsel, depending on whether criminal activity has taken place.

 


 

External Notification

External notification will be based on the following considerations:

  • Has unencrypted private or sensitive information been compromised
  • Has a physical device that contains unencrypted private or sensitive information been lost or stolen
  • Is there evidence that unencrypted private or sensitive information has been copied or removed
  • Is there evidence that the intrusion was intended to acquire unencrypted private or sensitive information
  • The applicability of College policies, local, state, and federal laws

Based on the considerations above, the College's President and Counsel will determine if external notification will be required in the event of an information breach.

 

Information Classes

Private Information includes a name (first and last name, or first initial and last name) in combination with:

  • Social Security number
  • Driver license number
  • Bank account, credit, or debit card account number

Public information, such as address, telephone number, and email address is not considered private information.

 

Highly Sensitive Information includes:

  • Name, address, date of birth
  • Information protected by FERPA, HIPAA, and other local, state, and federal regulations
  • Security codes, combinations, passwords
  • Research data/results prior to publication, patent application, or board review
  • Information subject to contractual confidentiality and non-disclosure provisions

 


 

Institutional Data Classification

 

Purpose

To categorize College data according to a common scheme to ensure compliance with federal, state, and local guidelines.

 

 

Assessment Criteria*

 

Level One-Legal Requirements

  • Protection of the data will avoid negative publicity and/or low to moderate embarrassment to the College

Risk

  • Loss of personal data with no impact to the person or College
  • Inaccurate general information
  • Short-term loss of reputation

 

Data Examples

  • Published “white pages”
  • Directory information
  • Academic course descriptions
  • Campus maps
  • Institutionally published public data

 

Storage Requirements

  • May be stored on local devices, encryption strongly encouraged

 

 

Level Two-Legal Requirements

  • Protection of data will prevent poor business decisions, inaccurate research conclusions, potential liability, and moderate to high negative publicity.

Risk

  • Short-term loss of reputation
  • Short-term loss of research funding
  • Increase in regulatory requirements
  • Short-term loss of dept. services
  • Unauthorized tampering of research data

 

Data Examples

  • Project data
  • Human resources not including sensitive data
  • Research data or results that are not sensitive
  • Business transactions that do not include sensitive data
  • Student grade books

 

Storage Requirements

  • May be stored on local devices, encryption required
  • Storage in campus network share with defined permissions strongly encouraged.

Level Three-Legal Requirements

 

  • Protection of data is required by law (e.g., HIPAA, FERPA, GLBA data elements) and reduces liability, severe negative publicity, and loss of reputation of the College

  

Risk

  • Long-term loss of reputation
  • Long-term loss of research funding
  • Increase in regulatory requirements
  • Long-term loss of critical campus or dept. services
  • Unauthorized tampering of research data

 

Examples

  • Medical records
  • Health related research
  • Personnel info
  • Financial data
  • Credit cards
  • Social security numbers
  • Official transcripts
  • HR Records

 

 

Storage Requirements

  • May not be stored on local devices under any circumstances
  • Storage in campus network share with defined permission required; encryption of data required

 

 

*Assessment criteria and examples are based on the College of Iowa’s Institutional Data Classification Guidelines

Last modified at 8/27/2009 10:28 AM  by Vescio, Donald