ITSHeaderImage

Wesleyan University Data Security Policy

DRAFT

Scope

This policy applies to both electronic data found in email, databases, applications etc., and hard copy (paper) data found in employee files, student files and internal memos. It includes Wesleyan data stored in a cloud service, and/or held on a mobile computing device.

It is the responsibility of faculty, staff and students to protect our data. Misuse of classified data (intentional or otherwise) will be handled in accordance with this policy.

This policy also applies to third parties (contractors, vendors and business partners) who have access to and use Wesleyan data or systems.  All contracts should contain an explicit paragraph advising third parties of their responsibility to enforce confidentiality, and referencing the Gramm-Leach-Bliley, FERPA or HIPPA Acts as appropriate.

Data Types

Wesleyan deals with two main kinds of data:

  1. Institutionally-owned data that relates to areas such as corporate financials, employment records, payroll, etc.
  2. Private data that is the property of our clients and/or employees, such as social security numbers, credit card information, contact information, etc.

Data Classifications

Wesleyan’s data is comprised of four classifications of data:

  1. Public/Unclassified. This is defined as information that is generally available to anyone within or outside of the University. Access to this data is unrestricted, may already be available, and can be distributed as needed. Public/unclassified data includes, but is not limited to: fundraising materials, admission recruiting materials, information posted on Wesleyan’s public web pages, and employee work phone numbers [and other data as applicable]. 
  2. Private. This is defined as institutional information that is to be kept within the University. Access to this data may be limited to specific departments and cannot be distributed outside of the workplace. At Wesleyan, private data consists of departmental and project budgets, fundraising goals, and contractual agreements. Employees may not disclose private data to anyone who is not a current employee with clearance to specific private data.
  3. Secret/Restricted. This is defined as sensitive data which, if leaked, would be harmful to Wesleyan University, its students, faculty, and/or staff. Access is limited to authorized personnel and third parties as required. Secret/restricted data includes, but is not limited to: admission decisions, donations, audit reports, legal documentation, business strategy details [and other data as applicable]. 
  4. Secret/restricted data cannot be disclosed by anyone other than the original author, owner or distributor.
  5. Confidential. This is defined as personal or corporate information that may be considered potentially damaging if released and is only accessible to specific groups [e.g. Admissions, Financial Aid, University Relations, Payroll, HR, Benefits etc.]. Confidential data includes, but is not limited to, social security numbers, contact information, tax forms, accounting data, security procedures [and other data as applicable]. Wesleyan considers it a top priority to protect the privacy of our students, faculty, and staff. Employees should share confidential data only when there is a clear business need, such as processing of financial aid packages, payroll, tax forms, benefits administration etc. Any sharing of such data should be done in a technically secure manner (see below) with full adherence to the applicable regulations as laid out in Gramm-Leach-Bliley, FERPA and HIPPA Acts. Data that falls under Private, Confidential, and/or Secret/Restricted classifications must be encrypted with minimum 128-bit cryptography while in transit.  See PeopleSoft/Oracle Database Infrastructure (below).  Confidential or Secret/Restricted data should never reside on personal computers, laptops, tablets or cell phones.

Scanning for Personally Identifiable Information (PII) on Personal Computers

During the Spring of 2013, Wesleyan is rolling out a program to scan individual laptops for PII. The program will focus on those departments that have traditionally needed PII for business purposes. In addition, as a service to our faculty and staff any computers going through the Cardinal Technologies Services Shop for maintenance will be scanned for viruses and PII. The results of this Spring 2013 program will allow us to further refine our overall plan for PII scanning and prevention. We expect to refine this policy further by August 30, 2013. 

As part of our Spring 2013 program, we purchased a number of licenses of Identity Finder (http://www.identityfinder.com/) for PII scanning. In designated offices, ITS will:

  1. Load Identity Finder on office computers.
  2. Train the computer owners in running the PII scans.
  3. Schedule a weekly PII scan.
  4. Provide clear direction on the actions to be taken should PII be discovered.  
  5. The reporting console of Identity Finder will provide general statistics on PII found, which will be used to set future direction and revise this policy.Our guiding principle is that: Confidential or Secret/Restricted data should never reside unencrypted on personal computers, laptops, tablets or cell phones.  This data is available by secure login to protected institutional servers. 

PII abatement actions are as follows:

  1. If there is no outstanding business need, delete the PII.
  2. If your department head determines that there is an outstanding business need, move data to a protected directory on Wesfiles.  As soon as possible, delete the data from Wesfiles.
  3. If the data has recently been loaded onto your computer, alert your department head and the Director of Administrative Systems, smachuga@wesleyan.edu to stop the report or process loading the data to your computer.

As stated above, all machines coming through the Cardinal Technologies Services Shop will be scanned for PII.  If PII is found, the steps outlined above will be taken after consultation with the computer owner/user.

PeopleSoft/Oracle Database Infrastructure Issues

Normal PeopleSoft application access is encrypted over a secure socket layer SSL. However, programmers and Crystal report users access the database directly over unencrypted connections. 

Additionally, PeopleSoft reports are written to report directories on Linux File Servers. These directories are mounted as file shares on personal computers.  When the user opens these reports, a copy will be downloaded to a temp directory on the user’s computer.  PII should only be included in the reports when it is essential to the business process of the office.  For those offices, weekly scans must be performed and the temp files must be shredded.

Responsibilities

All employees are responsible for adhering to the policy and reporting any activities that do not comply with this policy.
Management is responsible for ensuring that their direct reports understand the scope and implications of this policy.

Security staff will be monitoring data for any unauthorized activity and are responsible for updating access requirements as needed.

Any employee who authors or generates corporate or client data must classify that data according to the criteria outlined above.  

Management

Ownership of this policy falls to all offices, departments, or employees handling Wesleyan data. 

Wesleyan’s Vice President for Information Technology, David Baird, will provide guidance and direction to this group. For any questions about this policy, or to report misuse of institutional or personal data, please contact the Director of User and Technical Services, Karen Warren, at kwarren@wesleyan.edu or the Director of Administrative Systems, Steve Machuga, at smachuga@wesleyan.edu

Review

As stated above, this policy will be scheduled for a second revision by August 30, 2013. 

Enforcement

Enforcement will be provided by department heads or, if necessary, the appropriate member of the President’s cabinet.

Employees found to be in violation of this policy by either unintentionally or maliciously stealing, using, or otherwise compromising institutional or personal data may be subject to disciplinary action up to and including termination.