The Informer: The IIT/Libraries E-Newsletter

Information Security — Not Just an IIT Thing

by Roberta Lembke, Director of IIT

Computer and information security is everyone’s responsibility. Some people automatically assume that any time the term information security is used, it refers to computer security. This is not true. Information security in the purest sense refers to the safekeeping of information, regardless of the media or format. Information security can refer to proper safeguarding of paper files or the measures used to protect confidential, protected, or copyrighted material. IIT is continually working to keep the central servers and network secure, but our work is only a partial solution. Every college employee, be it faculty, staff or student employee, plays an important role in protecting our college resources. Most breaches in information security happen in an office or on a desktop or laptop computer and not on the central servers.

Spectrum of Security Problems

IT SECURITY (Technology Problem)
Examples: Firewalls; Intrusion Detection; Viruses, Worms; Encryption

INFORMATION SECURITY (Business Problem)
Examples: Intellectual Property; Regulatory Compliance; Protected Data Elements; Privacy Issues

Adopted from Security Matters by Adobe

The state and federal governments have imposed regulations that govern the way organizations and institutions handle protected or confidential data. St. Olaf is developing a comprehensive program to help all employees understand these regulations as they relate to the use of information and data about our students, faculty, and staff. The program will consist of a document and website on information security, a series of campus workshops and seminars, and a comprehensive database of protected data elements and their locations on campus. As part of that plan, later this spring all college employees will be asked to fill out a short form so that we can identify individuals or offices that maintain confidential or protected data. Many of you will be surprised to find that you really do have data regulated by the government! To help prepare you for the survey, I have summarized the three regulations that govern our use of data:

Act      Office                Campus Coordinator

FERPA    Registrar's Office    Mary Cisar
         http://www.stolaf.edu/offices/registrar/ferpa.html

GLBA     Treasurer's Office    Lunda Kuchinka

HIPAA    Human Resources       Roger Loftus
         http://www.stolaf.edu/services/hr/hipaa/index.html

Family Educational Rights and Privacy Act of 1974 (FERPA)
Most faculty and academic staff are familiar with FERPA.  FERPA protects the privacy of student records and deals specifically with the education records of students, affording them certain rights with respect to those records.  Some of the data protected by FERPA include grades, courses taken, class schedule, test scores, advising records, etc.

Gramm-Leach-Bliley Act (GLBA)
The Federal Trade Commission’s Safeguard Rules and the Gramm-Leach-Bliley Act (GLBA) serve to protect customer financial information.  Our responsibility covers the data and information held by the college as well as that held by 3rd parties hired by the college.  St. Olaf is responsible for ensuring the security and confidentiality of these covered records and for protecting this information against hazards and unauthorized access.  The Controller serves as the college’s GLBA Security Officer.  GLBA protects items such as credit card numbers, payment histories, tax return information, etc.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
St. Olaf College provides or sponsors a number of services and practices that are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Plans covered by this notice and sponsored by St. Olaf include the college medical and dental plan, the medical reimbursement benefits plan, the VEBA plan, etc.

While these regulations are somewhat painful to manage, they do serve a useful purpose in protecting information.  Just as you want your bank or your medical clinic to protect your own personal information, the college must be diligent about protecting the information we hold on our students, alumni, parents, friends, and, of course, the data we maintain about you!

 

March 2006