St. Olaf College Information Security Policy
Title: St. Olaf College Information Security Policy
Effective Date: 4-01-2011
Issuing Authority: Treasurer’s Office and Information and Instructional Technologies
Program Coordinators: Controller and Director of Information and Instructional Technologies
Last Updated: 4-01-2011
Purpose of Policy
Information and information systems are critical college resources and assets. St. Olaf College has adopted these information and computing policy statements to safeguard the college’s investments and to comply with various regulatory agencies.
Policy
The protected data and information maintained by the college must be handled and managed in accordance with state and federal mandates. All employees are expected to know and adhere to this policy and the related policies referenced within it. Violations of these policies can lead to revocation of system privileges and/or disciplinary action, up to and including termination of employment.
The use of any St. Olaf College data and information, in any format, for anything beyond the operation of the college is strictly forbidden. Unacceptable uses include sharing the data with groups, organizations, or activities that are not college-sponsored or college-approved; use of data for personal gain; use of data to satisfy personal curiosity; removing data or reports from campus except as required in the performance of college duties; and use by individuals outside of their normal job responsibilities.
Procedures
St. Olaf College uses access controls and other security measures to protect the confidentiality, integrity, and availability of the college's data and information. Data and information can be stored and transmitted in a variety of ways, including but not limited to computer files stored on desktop computers, CDs, servers, portable electronic storage devices, paper files, audio or video files, telephone calls, and verbal communications. The College is the owner of all administrative data, although individual units or departments may have stewardship responsibilities for portions of that data.
Electronic protected or confidential data must follow the IIT Electronic Information Security Policy. Paper files should not contain protected or confidential data such as Social Security numbers unless it is absolutely necessary; when they do, the paper files must be attended or kept in a secured, locked area. Protected or confidential data should not be taken off campus; if it must be, it should never be left unattended, and if it must be left in a vehicle, it must be locked in the trunk.
Any individual using protected or confidential data of St. Olaf College must follow the policies that provide detailed guidance for the security of that specific type of data.
Notifications for Breach of Security:
Minnesota's security breach law (Minn. Stat. § 325E.61) requires that "Any person or business that conducts business in [Minnesota] and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay . . . ."
The law defines “personal information” as:
“an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements is not encrypted:
(1) Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
If you believe personal information or any other type of protected or confidential data may have been breached at St. Olaf, the following incident response steps should immediately be taken:
- The individual who discovers the breach should immediately notify the Public Safety Office.
- The Public Safety Office will contact the Treasurer and if electronic information or devices are involved, the Director of Information and Instructional Technologies (IIT) will also be notified.
- The Public Safety Office, Treasurer, and Director of IIT will determine if a breach of security of data has occurred, and the appropriate action to take.
The Public Safety Office, Treasurer, Director of IIT, and Director of Marketing and Communications may utilize guidance for dealing with a data breach and sample notification letter formats that can be found on the Federal Trade Commission website: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
Types of Protected or Confidential Data:
St. Olaf classifies data into three categories:
Protected: This data is protected under state and federal regulations such as FERPA, HIPAA, Gramm-Leach-Bliley, and others. Data elements in this group include, but are not limited to, Social Security numbers, student ID numbers, credit card numbers, medical information, bank account numbers, grades, date and/or location of birth, driver's license information, ACH (automated clearing house) numbers, tax return information, credit rating, income history, loan payment history, passport information, and coursework.
Confidential: This data is not protected under state and federal regulations but the college has determined that this information should be held private. This data may include promotion materials, salary, employee ID numbers, review files, etc.
General College Data: This data pertains to the operation of the college and use is not restricted.
Protected or Confidential Data includes, but is not limited to:
Protected Data, FERPA:
- Student ID Numbers
- Grades
- Courses Taken
- Class Schedule
- Test Scores
- Advising Records
- Educational Services Received
- Student Disciplinary Actions
Protected Data, HIPAA:
- Health Plan Premiums
- Health Plan Eligibility
- Health Plan Claims Benefits
- Health Plan Enrollment/Dis-enrollment
- Health Plan Payments/Remittance
- Health Plan Claims and Status
- Individually Identifiable Health Information
- Health Referral Certification and Authorization
- First Report of Injury
Protected Data, covered by more than one of FERPA, GLBA, HIPAA, PCI DSS and FACTA:
- Social Security Numbers
- Bank Account Numbers
- Credit Card Numbers
- Date and/or Location of Birth
- Account Balances (Loans, Student/Bank Account)
- Loan Payment Histories
- Credit Ratings
- Income History
- Driver's License Information
- ACH (Automated Clearing House) Numbers
- Tax Return Information
- Passport
- Real Estate Values
Confidential Data, College:
- Salary and Benefits
- Promotion and Review Materials
- Employee ID Numbers
St. Olaf Policies for Protected or Confidential Data:
IIT Electronic Information Security Policy
Office Responsible: Information and Instructional Technologies
Program Coordinator: Roberta Lembke
Summary: St. Olaf guidance for protecting electronic information
Gramm-Leach-Bliley Act (GLBA)
Office Responsible: Treasurer’s Office
Program Coordinator: Angie Mathews
Summary: To protect consumer financial information from threats to its security and integrity.
Family Educational Rights and Privacy Act (FERPA)
Office Responsible: Registrar’s Office
Program Coordinator: Mary Cisar
Summary: Educational Institutions must grant and protect certain rights relating to educational records.
Health Insurance Portability and Accountability Act (HIPAA)
Office Responsible: Human Resources Office
Program Coordinator: Roger Loftus
Summary: To protect the privacy of personal health information
Payment Card Industry Data Security Standards (PCI DSS)
Office Responsible: Treasurer’s Office
Program Coordinator: Angie Mathews
Summary: Anyone who processes credit card payments must follow the data security standards set by the payment card brands.
Fair and Accurate Credit Transactions Act (FACTA)/Red Flag Rules
Office Responsible: Treasurer’s Office
Program Coordinator: Angie Mathews
Summary: We must be able to detect red flags for identity theft in instances where we issue credit.
Copyright Laws
Office Responsible: Dean of College
Program Coordinator: Arnie Ostebee
Summary: All employees of the College are expected to follow laws that protect copyrights.