Title: McPherson College – Security College Data
Effective Date: June 30, 2016
Issuing Authority: Information Technologies
Program Coordinator: Director of IT
Last Updated: July 8, 2016
Purpose of Statement
This document is intended to provide a summary of the policies and procedures McPherson has adopted to help safeguard our digital data.
All employees are expected to know and adhere to the policies that safeguard digital information and data in order to comply with state and federal regulations, as well as College policies.
Access to Data
Individuals wishing to access or use college data must request such access through the “data custodian” for that particular data set. Each office, department, or division that maintains core college data (protected, confidential or general) is responsible for assigning one or more individuals to serve as data custodians. These data custodians are responsible for managing the use, access, archiving, and sharing of the data to ensure that it is properly handled within their office area and by those that are granted access to the data.
Individuals who are given rights to access or use college data are responsible for maintaining the privacy of protected and confidential data and must agree to abide by any college policies and state or federal laws and regulations governing such data. Individuals may be required to take training on FERPA, HIPAA, GLBA, etc. prior to getting access to those data elements.
In order to maintain the security of the college’s data and information, the college retains the authority to:
- restrict or revoke any user’s privileges,
- inspect, copy, remove, or otherwise alter any data, program, or other system resource that may undermine these objectives, and
- take any other steps deemed necessary to manage and protect its information systems and the data and information held within those systems.
This authority may be exercised with or without notice to the involved users. McPherson College disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.
File and Information Privacy
All information on McPherson servers, desktop computers or on computer storage media, including digital mail, is considered college property. While Information Technology (IT) makes every reasonable effort to ensure the security of digital files, employees should be aware of the following:
Any individual using the McPherson College systems and networks from any computer automatically consents to the monitoring of their activities in the course of systems maintenance or security-related investigations. In addition, in order to conduct the College’s business and assure compliance with College policies and the law, the College may need to monitor or review digitally stored information. If, in the course of such monitoring, systems personnel uncover possible evidence of criminal activity or College policy violations, systems personnel may provide the evidence of such monitoring to the College or law enforcement officials.
Select employees of IT have access to all information stored on the McPherson servers. Those employees may include the custodians of the campus servers maintained by IT and/or IT student workers whose responsibilities are associated with the servers. Such access is necessary in order for IT employees to perform their duties, and is normally exercised upon the request of the account owner, in cases of systems security and performance problems, upon presentation of warrants, subpoenas, or court orders, or upon the request of an individual’s supervisor. Supervisors requesting access to an employee’s computer files must first consult with the Human Resources Office and must present a valid work-related issue or need or convincing evidence of probable cause related to a violation of federal or state regulations or College policies before IT staff will access files.
Every digital file and e-mail message stored on the McPherson servers is backed up and, therefore, is reproducible and may be subpoenaed in the event of a court case. Users should be aware of this when creating files and e-mail messages intended for individuals both on and off campus.
E-mail correspondence should not be considered private. The individual to whom one sends an e-mail message may allow another person to access the mail message or may forward it to others. In addition, while McPherson makes every effort to ensure the security of e-mail messages routed on the College network, e-mail messages sent via the Internet are not guaranteed that same level of security and privacy.
Personal files and e-mail stored by employees on their college-provided desktop computer or on the McPherson servers should not be considered private. In the course of routine maintenance, upon the request of the immediate supervisor, or upon the presentation of warrants, subpoenas, and court orders, personal files may be accessed by IT staff.
Information posted to the World Wide Web is not private and, in most cases, is readable by other individuals around the world. While it is possible to restrict direct access to on-campus users only, this does not preclude wider distribution of materials. Users should consider carefully the content and nature of materials posted to the Web in light of these realities.
Entering computer accounts or reading digital files without proper authorization is considered misuse of computers. Individuals suspected of accessing others’ files without permission will be referred to the appropriate office for action.
- Who has access to our campus computing systems and networks?
- When do access rights cease? What if someone is terminated?
- How do we control digital access to systems and networks?
- What constitutes misuse?
- What about personal use of computers and the campus network?
Off-campus use of data and information
There are occasions when employees will take confidential or protected data off-campus. In all cases the employee must get permission from his or her supervisor prior to moving the data and information. The employee must present a valid work reason for the removal of this data and is responsible for abiding by campus policies.
Employee Responsibilities for Computer Security
- Keep your password confidential, do not share it with others, and absolutely do not write it down and “hide it” at your desk. Never log someone else in to your account or use another person’s username and password. Many of our business systems track data changes by username. For auditing purposes it is imperative that we know who made changes to the data. Your password is your responsibility and you will be held accountable for activities within your account and activities associated with your username and password.
- “Lock” your computer when you step away from it. This can be done by adding a password to the screen saver.
- Do not store highly protected or confidential data on your computer hard drive. If your machine is stolen, the data is stolen too. Store protected or confidential data on the server. IT backs up the central servers nightly. If you store files on your hard drive, you need to work with your supervisor to establish the appropriate backup schedule for any files you keep on your computer.
- Do not keep any protected or confidential data on a laptop. Laptop theft is one of the more common ways sensitive data is stolen.
- Protected or confidential data should not leave campus. If special circumstances arise and this data must leave campus, the data must be in an encrypted format. IT can work with individuals to set up encryption.
- Social security numbers should never be used as unique identifiers. IT is working to purge all social security numbers from our systems except where it is absolutely necessary. You should verify that you do not have social security numbers in any of your data files. You should also make sure that you don’t have paper documents with social security numbers.
- Word and Excel have options to password protect files. You should consider this for highly sensitive files. Please note that it is difficult to crack these passwords so be sure to set the password to something you can remember.
- Never set your browser to remember your username and passwords for websites. You should also turn off the “autocomplete” feature in your browser.
- Do not store credit card numbers on your hard drive.
If you supervise staff, make sure everyone knows the procedures for dealing with protected or confidential data.