Data Classification, Security and Roles (Procedure 7.0500)
Based on board policy number and Florida Statutes: Family Educational Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act of 1999 (GLBA); Health Insurance Portability and Accountability Act (HIPAA) of 1996; F.S. 119.01; 257.36; 1001.64; 1001.65; F.A.C. 6A-14.0261; College Policies 7.010, 7.020
Date of Review:
Seminole State College provides valuable technological resources to support educational activities and administrative functions. These resources, including computing systems and software, as well as internal and external data, voice, and video networks, are relational and shared resources. To preserve them for the common good, the College expects all users, including students, faculty, staff, administrators, other employees, and members of the general public using Seminole’s information technology resources, to comply in all respects with institutional and external standards for their appropriate use.
- Data Classification
- A. Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data will be classified in one of the categories listed below in order to: implement security at the appropriate level commensurate with data value, sensitivity, and risk; establish guidelines for legal/regulatory compliance; and reduce or eliminate conflicting standards and controls over data.
Data protected by law or regulation whose improper use or disclosure could:
- Adversely affect the ability of the College to accomplish its mission
- Lead to the possibility of identity theft by release of personally identifiable information of College constituents
- Put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA
- Put the College into a state of non-compliance with contractual obligations
- Social security numbers
- Financial aid data
By default, ALL INSTITUTIONAL DATA are classified as SENSITIVE
- Data that Data Managers have decided NOT to publish or make public
- Data protected by contractual obligations.
- Purchasing data
- Information covered by non-disclosure agreements
- Low level of sensitivity
- Data that the general public may be granted access to in accordance with Florida Statutes Chapter 119 Public Records and the Family Educational Rights and Privacy Act (FERPA)
- Directory information
- Academic course descriptions
- Data Security
- Data in Restricted, Sensitive and Public categories requires security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the College, result in financial loss, or violate law, policy or College contracts.
- Security access by employees of the College will be implemented in compliance with FERPA requirements as follows:
- FERPA makes it clear that school officials with legitimate educational interests may be given access to personally identifiable information about students.
- A person employed by the College in an administrative, counseling, supervisory, academic, student affairs, or research position, or as a support person to these positions, may be granted access to FERPA-protected data when that data is relevant to the accomplishment of assigned duties or a determination about a student.
- Security measures for data are set by the Data Custodian, working in cooperation with the Data Stewards, as defined below. The following roles and responsibilities are established for carrying out data policy:
- Security Roles and Responsibilities
- The functional requirements listed in a job description determine the type of data and the level of system access an employee will need to perform his/her job. These requirements are used to develop and assign a specific User Profile and Security Role to the employee. When implemented, the User Profile and the Security Role provide the employee with access needed to perform his/her job while maintaining the security and integrity of College data. Each employee job description must state the security access that is required for that position.
- Data Trustees, Data Stewards, and Data Custodians
Data Trustees, Stewards, and Custodians are responsible for establishing and carrying out College data policy. They will:
- Implement the security plan.
- Ensure that users receive the appropriate access to the system.
- Resolve functional security issues as well as troubleshoot custodial security problems.
- Assure cross-functional security compatibility.
- Audit security compliance regularly.
- Review and update the security plan regularly.
- Data Trustee (Administrator)
Data Trustees are senior College officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning Data Stewards, participating in establishing policies, and promoting data resource management for the good of the entire College.
| Data Trustees | Data Type |
|---|---|
| | All College Data |
| Chief Information Officer | Information Technology Data |
| Chief Student Affairs Officer | |
| Chief Financial Officer | Financial Data and HR Data |
- Data Steward (Approver)
Data Stewards are College officials having direct operational-level responsibility for information management – usually department directors. Data Stewards are responsible for data access and policy implementation issues.
| Data Stewards | Data Type |
|---|---|
| Associate Vice President, Information Systems | Information Technology, Data Correction |
| Director, Enrollment Services/Registrar | Student Data (including Counseling, Admissions, Testing, and Enrollment Services), System Setup for Student Data, Row-Level Security |
| Director, Curriculum and Academic Scheduling | Curriculum, Instructor and Scheduling Information, Associated System Setup |
| Director, Financial Aid | Student Financial Aid Data, Student Financial Aid System Setup |
| | Student Financials Data, Student Financials System Setup |
| Associate Vice President, Business Services | Financial Data, Financial Data Setup Tables |
| Associate Vice President, Human Resources | Human Resources Data, Human Resources Setup Tables |
| Associate Director, Payroll Services | Payroll, Time and Labor; Payroll, Time and Labor Setup Tables |
- Data Custodian (Owner)
The Computing and Telecommunication Services Department is the Data Custodian. The Custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
Data Custodians include:
VP, Information Technology and Resources/CIO
Associate Vice President, Information Systems
Director, Network and User Support Services
- Data User (User)
Most College Faculty and Staff are assigned the role of “Data User.” Data Users are individuals who need and use College data as part of their assigned duties or in fulfillment of assigned roles or functions within the College community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
Detailed information regarding User access and inactivation is located in:
Procedure 7.0100 Access to Information Technology and Reassignment, and
Procedure 7.0200 Inactivation of Access to Information Technology Systems for Terminating Employees.
- A. Each Vice President, Dean, and Director, or designee, will conduct an annual data security review. In addition, Computing and Telecommunication Services (CTS) will conduct an annual review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication may lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the College community on information technology security and privacy issues. CTS will assure that procedures and responses are appropriately reflective of those widely practiced at other colleges.
- Confidentiality Agreement
Seminole State College maintains information that is sensitive and valuable, and is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. The exposure of such information to unauthorized individuals could cause permanent harm to the College or members of the College community. All employees are expected to sign the Confidentiality Agreement (at the end of this document) before access can be granted to College restricted data.
President, E. Ann McGee
Seminole State College
I understand that student, employee, and financial information from any source and in any form is confidential and is available to me solely for the performance of my official duties as a Seminole State College employee. I will protect the privacy and confidentiality of student, employee, and financial information to which I have access and will use it solely for the performance of my official duties, while on or off site. I also understand that I may have the ability to access student information outside my unit of responsibility, but will only utilize that access as it applies to my unit of responsibility.
I FURTHER AGREE THAT:
- I will only access information I need to do my job.
- I will protect the privacy of student, employee, and financial information.
- I will keep my password secret and I will not share it with anyone, including family members.
- I will log off any password-protected application before leaving my workstation. This includes my personal computer while working at home.
- I will tell my supervisor if I think someone knows or is using my password.
- I will not show, tell, copy, give, sell, review, change, trash or otherwise utilize any confidential information except as it relates to my job. If it is part of my job to do any of these tasks, I will follow the correct department procedure (such as shredding confidential papers before throwing them away).
- I will not misuse or be careless with confidential or sensitive information.
- I will not use anyone else’s password.
- I will not share any confidential or sensitive information even if I am no longer a Seminole State employee.
- I will tell my supervisor if I think someone else is violating this agreement.
- I am responsible for any access using my password.
- I am responsible for my use of confidential information.
- I am responsible for my failure to protect my password or access to confidential information.
- I know that my access to confidential information may be audited.
- I know that confidential information I learn on the job does not belong to me.
- I know that Seminole State may take away my security access at any time.
Failure to comply with this agreement may result in disciplinary action regarding my employment at Seminole State College and/or civil or legal penalties. By signing this Agreement, I agree that I have read, understand, and will comply with it.
Employee Signature Date