College Record 2021-2022

Student Information Security Policy

Purpose

The Information Security Policy is designed to protect Keuka College’s proprietary and sensitive information from theft and/or loss while retaining the free information needs of the academic culture within an educational institution. It ensures that the College will comply with all federal and state regulations regarding the collection and retention of any private/confidential data. It insures a secure and trusted environment.

Compliance

This policy is designed to comply with or is based on the following:

FERPA
eDiscovery
NYS Personal Information Laws
Non-NYS Personal Information Laws
GDPR

Scope

Information covered by this policy is any information that:

Resides in datacenter databases
Is transmitted across both intranet and extranet
Resides on College-owned PCs
Is hand-written if it includes confidential or FERPA-related data
Stored on College-owned removable storage such as flash drives, CDs, and similar mediums
Is presented using slides and other audio/visual equipment
Resides in cloud applications used by the College

Procedures

Security of our information is retained through many electronic and physical means. These include:

Policies
Physical protection such as controlled card-swipe and key access
Regular vulnerability assessments
Access Control Lists, Virtual Local Area Networks, and Firewalls
Encrypted wireless networks
Data Center environmental controls
User education
Vendor evaluation
Limitation of Access to Information Systems

Access to physical servers is limited to the network and systems administration personnel within IT, the division VP of which IT resides in, and the current IT department head. Entrance into the Data Center requires dual-factor digital access granted to those employees. All other persons are always required to be under supervision of the listed individuals while inside the Data Center. Video recording is always active within the Data Center.

Access to virtualized servers remotely is granted in a case-by-case basis to other users within the IT organization. This is granted only to users who maintain those systems on an application-update level. Their network credentials are utilized to authorize this access.

Access to databases is granted remotely to specific Administrators within IT of those systems. Their network credentials are utilized to authorize this access.

Access to data within those databases is granted to reporting/business analyst users through a Data Warehouse and reporting tools. Access is segregated based on duties so that only data authorized by the respective departments can be accessed.

Access to data within our Student Information System is limited to Employees of the College through an encrypted web interface that is only accessible off campus via Virtual Private Network. Duty segregation is approved through the different heads of the respective departments and are closely controlled through use of personas.

Policy Responsibility

While all Keuka College employees are responsible for following rules and policies, Keuka College Information Technology is the current “owner” of the College’s system and network infrastructure as well as computer assets and cloud contracts. IT is responsible for maintaining and providing a safe and secure environment to perform daily duties.

Data Encryption

Interface to critical College systems containing sensitive/confidential information is encrypted and, as a further step, limited to within the internal network or accessed from an encrypted VPN tunnel or two-factor authentication.

Policy

Keuka College prohibits the deliberate introduction of inaccuracies into, or loss of, our retained information. The College also prohibits using our information to breach privacy, compromising system performance or security, or damaging any hardware.

Keuka College will protect its assets from threats to its security whether deliberate or accidental. Alongside this, since no single department can provide for absolute security, all College employees, students, and other authorized users of Keuka College are responsible of minimizing risks and making sure to comply with policy as well as secure any assets within their control and capability.

College-wide awareness of threats as well as common and new attack methodologies is necessary to retain a secure environment. Keuka College will provide education about these, as well as our current policies and changes within them via handouts, emails, and newsletters.

Last Revised 9/15/2020