Data Classification, Security and Roles (Procedure 7.0500)
Authority: | Family Educational Rights and Privacy Act (FERPA); Gramm-Leach-Bliley Act of 1999 (GLBA); Health Insurance Portability and Accountability Act (HIPAA) of 1996; F.S. 119.01; 257.36; 1001.64; 1001.65 |
---|---|
Date Adopted: | 01/13 |
Date of Review: | 08/16 |
Date of Revision: | 10/16 |
Related Policies: | 7.010; 7.020 |
Purpose
Seminole State College provides valuable technological resources to support educational activities and administrative functions. These resources, including computing systems and software, as well as internal and external data, voice, and video networks, are relational and shared resources. To preserve these resources for the common good, the College expects all users, including students, faculty, staff, administrators, other employees, and members of the general public using Seminole’s information technology resources, to comply in all respects with institutional and external standards for their appropriate use.
Procedure
- Data Classification
- Data must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Data will be classified in one of the categories listed below in order to: implement security at the appropriate level commensurate with data value, sensitivity, and risk; establish guidelines for legal/regulatory compliance; and reduce or eliminate conflicting standards and controls over data.
Data Category | Description | Examples |
---|---|---|
Restricted | Data protected by law or regulation whose improper use or disclosure could: adversely affect the ability of the College to accomplish its mission; lead to possibility of identity theft by release of personally identifiable information of College constituents; put the College into a state of non-compliance with various state and federal regulations such as FERPA, HIPAA and GLBA; put the College into a state of non-compliance with contractual obligations | Social security numbers; Grades; Financial aid data |
Sensitive | Data that Data Managers have decided NOT to publish or make public; Data protected by contractual obligations. By default, ALL INSTITUTIONAL DATA are classified as SENSITIVE | Purchasing data; Information covered by non-disclosure agreements |
Public | Low level of sensitivity; Data that the general public may be granted access to in accordance with Florida Statutes Chapter 119 Public Records and FERPA | Directory information; Academic course descriptions |
- Data Security
- Data in Restricted, Sensitive and Public categories require security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the College, result in financial loss, or violate law, policy or College contracts.
- Security access by employees of the College will be implemented in compliance with FERPA requirements as follows:
- FERPA makes it clear that school officials with legitimate educational interests may be given access to personally identifiable information about students.
- A person employed by the College in an administrative, counseling, supervisory, academic, student affairs, research position, or a support person to these positions may be granted access to FERPA-protected data when that data is relevant to the accomplishment of assigned duties or a determination about a student.
- Persons must complete an online FERPA module and satisfactorily pass an exam prior to classes starting before security approval and access to student records will be granted. An exception may be provided for new faculty and adjunct instructors in their first term, if they complete the module and exam within two weeks after the start of the semester to maintain security access.
- Security measures for data are set by the Data Custodian, working in cooperation with the Data Stewards, as defined below. The following roles and responsibilities are established for carrying out data policy:
- Security Roles and Responsibilities
- The functional requirements listed in a job description determine the type of data and the level of system access an employee will need to perform his/her job. These requirements are used to develop and assign a specific User Profile and Security Role to the employee. When implemented, the User Profile and the Security Role provide the employee with access needed to perform his/her job while maintaining the security and integrity of College data. CTS is responsible for maintaining a list of security access assigned to each employee.
- Data Trustees, Data Stewards, and Data Custodians
Data Trustees, Stewards, and Custodians are responsible for establishing and carrying out College data policy. They will:
- Implement the security plan.
- Ensure that users receive the appropriate access to the system.
- Resolve functional security issues as well as troubleshoot custodial security problems.
- Assure cross-functional security compatibility.
- Audit security compliance regularly.
- Review and update the security plan regularly.
- Data Trustee (Administrator)
Data Trustees are senior College officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning Data Stewards, participating in establishing policies, and promoting data resource management for the good of the entire College.

Data Trustees | Data Type |
---|---|
President | All College Data |
Chief Financial Officer | Financial Data and HR Data |
Chief Information Officer | Information Technology Data |
Chief Student Affairs Officer | Student Data |
- Data Steward (Approver)
Data Stewards are College officials having direct operational-level responsibility for information management – usually department directors. Data Stewards are responsible for data access and policy implementation issues.

Data Stewards | Data Type |
---|---|
Associate Director, Payroll Services | Payroll, Time and Labor; Payroll, Time and Labor Setup Tables |
Associate Director, Student Accounting | Student Financials Data, Student Financials System Setup |
Associate Vice President, Financial Services | Financial Data, Financial Data Setup Tables |
Associate Vice President, Human Resources | Human Resources Data, Human Resources Setup Tables |
Associate Vice President, Information Technology and Resources | Information Technology, Data Correction |
Director, Curriculum, Credit and Academic Scheduling | Curriculum, Instructor and Scheduling Information, Associated System Setup |
Director, Enrollment Services/Registrar | Student Data (including Counseling, Admissions, Testing, and Enrollment Services), System Setup for Student Data, Row-Level Security |
Director, Facilities | Maintenance Management Data, Maintenance Management Setup |
Director, Student Financial Resources | Student Financial Aid Data, Student Financial Aid System Setup |
- Data Custodian (Owner)
The Computing and Telecommunication Services Department (CTS) is the Data Custodian. The Custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards), and implementing and administering controls over the information.
Data Custodians include:
VP, Information Technology and Resources/CIO
Associate Vice President, Information Technology and Resources
Director, Network and User Support Services
- Data User (User)
Most College Faculty and Staff are assigned the role of “Data User.” Data Users are individuals who need and use College data as part of their assigned duties or in fulfillment of assigned roles or functions within the College community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
Detailed information regarding User access and inactivation is located in:
Procedure 7.0100 Access to Information Technology and Reassignment, and
Procedure 7.0200 Inactivation of Access to Information Technology Systems for Terminating Employees.
- Security Review
- Each Data Steward will conduct an annual data security review. In addition, CTS will conduct an annual review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication may lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the College community on information technology security and privacy issues. CTS will assure that procedures and responses are appropriately reflective of those widely practiced at other colleges.
- Confidentiality
- Confidentiality of data and/or records subject to this procedure shall be determined in accordance with State and federal laws including, but not limited to, Florida’s Public Records Act, Chapter 119, Florida Statutes, and the Family Educational Rights and Privacy Act (FERPA).
- Confidentiality Agreement
Seminole State College maintains information that is sensitive and valuable. Such information is often protected by Federal and State laws that prohibit its unauthorized use or disclosure. The exposure of such information to unauthorized individuals could cause permanent harm to the College or members of the College community. All employees are expected to sign the Confidentiality Agreement (at the end of this document) before access can be granted to College restricted data.
Recommended by | Executive Team/CAC | Date | 09/18/18 |
---|---|---|---|
Signed by | President Georgia Lorenz | Date | 09/27/18 |
Confidentiality Agreement
I understand that student, employee, and financial information from any source and in any form, may be confidential and is available to me solely for the performance of my official duties as a Seminole State College employee. I will protect the privacy and confidentiality of student, employee, and financial information to which I have access in accordance with State and Federal records/privacy laws as well as College policy and procedures, and will use it solely for the performance of my official duties, whether on or off site. I also understand that I may have the ability to access student information outside my unit of responsibility, but will only utilize that access as it applies to my unit of responsibility.
I Further Agree That:
- I will only access information I need to do my job.
- I will protect the privacy of student, employee, and financial information.
- I will keep my password secret and I will not share it with anyone, including family members.
- I will log off any password-protected application before leaving my workstation. This includes my personal computer while working at home.
- I will tell my supervisor if I think someone knows or is using my password.
- I will not show, tell, copy, give, sell, review, change, trash or otherwise utilize any confidential information except as it relates to my job. If it is part of my job to do any of these tasks, I will follow the correct department procedure (such as shredding confidential papers before throwing them away).
- I will not misuse or be careless with confidential or sensitive information.
- I will not use anyone else’s password.
- I will not share any confidential or sensitive information even if I am no longer a Seminole State employee.
- I will tell my supervisor if I think someone else is violating this agreement.
- I am responsible for actions that result when I gain access using my password.
- I am responsible for my use of confidential information.
- I am responsible for my failure to protect my password or access to confidential information.
- I know that my access to confidential information may be audited.
- I know that confidential information I learn on the job does not belong to me.
- I know that Seminole State may take away my security access at any time.
Failure to comply with this agreement may result in disciplinary action regarding my employment at Seminole State College and/or civil or legal penalties. By signing this Agreement, I agree that I have read, understand, and will comply with it.
Employee Signature: _______________________________ Date: __________________