In order to protect the institution and its private information
and data and to comply with federal law, Whitman College (the
College) has adopted this Information Security Program for critical
and private financial and related information. This security
program applies to customer financial information received by
the College, as well as other confidential financial information
the College has chosen to include within the scope of the program.
This document describes procedures that various departments
will follow while handling this information.
This program covers the input, maintenance and output of covered
information within the Administrative Information System. This
program also addresses the protection of information in paper
reports or other computer files, as well as the inadvertent
release of information via computer screen or verbal communication.
This program and the Staff Handbook prohibit purposeful release
of confidential information to any unauthorized person or entity.
Program Administrators
The College Controller and the College Director of Administrative
Technology are jointly responsible for the coordination of
Whitman’s Information Security Program.
Definition of Customer & Administrative Information
Protected or covered information under this program is any
data related to the business of the College including, but
not limited to, financial, personnel, student, alumni, and
physical resources. It includes data maintained at the departmental
or office level as well as centrally, regardless of the media
on which they reside. Covered information generally does not
include library holdings or instructional materials.
The College recognizes information is a College resource
requiring proper management in order to permit effective planning
and decision-making and to conduct business in a timely and
effective manner. Employees are charged with safeguarding
the integrity, accuracy, and confidentiality of this information
as part of the condition of employment.
Access to administrative computer systems is granted based
on the employee’s need to use specific data, as defined
by job duties, and subject to appropriate approval. As such,
this access cannot be shared, transferred or delegated. Failure
to protect these resources may result in disciplinary measures
being taken against the employee, up to and including termination.
Customer & Administrative information is categorized
into three levels:
1. Confidential information
Requires a high level of protection due to the risk and magnitude
of loss or harm that could result from disclosure, alteration
or destruction of the data. This includes records about individuals
requiring protection under the Family Educational Rights and
Privacy Act of 1974 (FERPA) or any other law or regulation
governing personal information as well as information that
if treated or disclosed improperly could adversely affect
the ability of the College to accomplish its mission.
Confidential information includes, for example, salary information,
social security numbers, alumni gift amounts and student grades.
2. Sensitive information
Requires some level of protection because its unauthorized
disclosure, alteration, or destruction might cause damage
to the College. It is assumed that all administrative output
from the administrative database is classified as sensitive
unless otherwise indicated.
Sensitive information includes, for example, class lists,
facilities data and vendor data.
3. Public Information
Can be made generally available both within and beyond the
College. It should be understood that any information that
is widely disseminated within the campus community is potentially
available to the public at large.
Public information includes, for example, student directory
information, financial statements and IRS Form 990.
Administrative Information System
Administrative information available in a client/server environment
provides Whitman College with abundant opportunities for easy
and efficient access to data. This fluid environment also
poses significant risk to the security of such information.
Protecting this college resource is a shared responsibility
between the college administrative staff, faculty, and the
Information Technology staff (WCTS).
Network security, including firewall technology, has been
implemented to protect administrative servers and departmental
workstations from unauthorized access through the Internet.
Staff in administrative offices are connected to secured computers
through an administrative subnet on the campus network.
Desktop computers in administrative offices provide one of
the most vulnerable points of access to administrative systems.
Staff in administrative offices must physically protect their
computers, including laptops, from unauthorized access and
theft.
System privileges will be authorized by the department head
or designated department security manager and centrally assigned
by System Administrators in WCTS. Inquiry Access to administrative
information will be authorized on a ‘need to know’
basis. Maintenance Access to processes will be authorized
based on job responsibilities.
Employee Information
All aspects of personnel records are confidential. Directory
information for faculty and staff as published in the Whitman
College Telephone Directory is public. Directory information
may include some or all of the following: name, home address,
home telephone, spouse/partner name, department, position
title, campus address, campus phone and email address. Employees
may request that the Human Resources Department classify all
personal information except their name as confidential.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) of 1974
governs all information about students, current and former,
maintained by Whitman College. FERPA generally requires that
Whitman College have the student's written permission to release
any information from their records except certain types of
"directory information."
Student “Directory Information,” as defined
by FERPA
Certain information, classified as “directory information,”
is available for public consumption unless the student specifically
directs that it be withheld. A student wishing to withhold
such information should convey those instructions to the Office
of the Dean of Students. Former students should contact the
Alumni Office.
Public or directory information includes: student’s
name, address, telephone number, date and place of birth,
major field of study, participation in officially organized
activities and sports, weight and height (for members of athletic
teams), dates of attendance, degree and awards received, and
the most recent previous educational institution attended.
Individual Office Security Administration
Department heads or their designees are responsible for authorizing
system access by employees. System Administrators in Technical
Services will enable, modify or remove user privileges based
on authorization from the department head.
On a daily basis, System Administrators will review reports
identifying failed login attempts, “super user”
logins and origins of login.
Passwords
The most effective way to protect administrative information
is through the vigilant use of user-defined passwords.
Passwords must:
- Be changed by the user on-line every sixty days
- Be changed by the user no more frequently than every seven
days
- Consist of both letters and numbers
- Be six characters in length, minimum
- Be eight characters in length, maximum
- Significantly differ from prior passwords
It is the employee’s responsibility to protect their
password from disclosure. Every individual, including student
employees, must have a unique user login. Passwords must not
be shared with any other person. If it is suspected that a
password has been compromised, the System Administrator must
be contacted. Web browsers allow you to save passwords used
to access external sites. You should be wary of using this
feature. Please be aware that after five consecutive failed
login attempts, accounts will be automatically deactivated.
The System Administrator will be contacted automatically in
that event.
OFFICE RESPONSIBILITIES
Office Specific Security Plans
Offices dealing extensively with external customer information
are advised to prepare, and distribute among their staff, security
plans covering the procedures and formats of the individual
office. At a minimum such plans should outline how the specific
office is maintaining compliance with FERPA.
Employee responsibilities
Employees, including students, who are granted access to institutional
data may use that data only to conduct College business. In this regard,
employees must:
- Respect the confidentiality and privacy of individuals
whose records they access
- Observe ethical restrictions that apply to the data to
which they have access
- Abide by applicable laws or policies with respect to
access, use, or disclosure of information
Employees may not:
- Disclose data to others, except as required by their
job responsibilities
- Use data for their own personal gain, nor for the gain
or profit of others
- Access data to satisfy their personal curiosity
Employees and students who violate this policy are subject
to the investigative and disciplinary procedures of the College.
The offices of the Dean of Students and the Dean of Faculty
generally handle complaints against students and faculty,
respectively. Complaints against staff and administrators
are usually handled through supervisors and Human Resources.
The Human Resources Department is responsible for notifying
WCTS promptly of any employee terminating employment
at Whitman College.
Anti-Virus Software
Up-to-date anti-virus software is essential to protecting
information in a client/server environment. It is critical
that employees install updates to campus-wide anti-virus software
as it becomes available. Virus software should be set to scan
all files, not simply program files, on a daily basis. If
it is suspected that a PC has a virus, the WCTS Help Desk
(x4976) must be notified immediately. Installing/downloading
software that is not supported by the College should be handled
with caution. There is a risk that such software may contain
a virus or otherwise degrade the host computer in some way.
Unattended PCs
The use of a password-protected monitor is highly recommended.
Employees must logout from the administrative software (“Datatel”)
when a PC is left unattended. Once logged in, all authorized
applications are available to anyone with access to that PC.
Equipment Security
All office computer equipment should be reasonably secured
from theft. Laptops and other portable devices are the most
vulnerable. Administrative data should be stored on the network
drive rather than on the physical drive of your PC. Caution should
be used when storing administrative information on portable
computers.
The System Administrator should be notified immediately of
any known or suspected administrative systems security breaches.
Printed reports
Reports containing confidential and sensitive data, either
test data or live production data, must be secured within
the office. Reports should not be left on the printer or unattended
on a desktop in open view. Any report that is no longer needed,
which contains confidential and/or sensitive data, must be
shredded or stored securely until it can be shredded or processed
for recycling.
Communication
The security of administrative information is a shared responsibility
among the Whitman College staff who use and support technology.
All have a role to play. Vigilance is a daily activity. Effective,
on-going communication of this security policy and office
procedures will play an essential part in our success.
Department leaders are responsible for discussing this policy
with each user at the time system privileges are issued.