Student Information Security Policy
Purpose
The Information Security Policy is designed to protect Keuka College’s proprietary and sensitive information from theft and/or loss while accommodating the need for free information within the academic culture of an educational institution. It ensures that the College will comply with all federal and state regulations regarding the collection and retention of any private/confidential data. It ensures a secure and trusted environment.
Compliance
This policy is designed to comply with or is based on the following:
- FERPA
- eDiscovery
- NYS Personal Information Laws
- Non-NYS Personal Information Laws
- GDPR
Scope
Information covered by this policy is any information that:
- Resides in datacenter databases
- Is transmitted across both intranet and extranet
- Resides on College-owned PCs
- Is hand-written if it includes confidential or FERPA-related data
- Is stored on College-owned removable storage such as flash drives, CDs, and similar media
- Is presented using slides and other audio/visual equipment
- Resides in cloud applications used by the College
Procedures
Security of our information is retained through many electronic and physical means. These include:
- Policies
- Physical protection such as controlled card-swipe and key access
- Regular vulnerability assessments
- Access Control Lists, Virtual Local Area Networks, and Firewalls
- Encrypted wireless networks
- Data Center environmental controls
- User education
- Vendor evaluation
- Limitation of access to information systems:
  - Access to physical servers is limited to the network and systems administration personnel within IT, the VP of the division in which IT resides, and the current IT department head. Entrance into the Data Center requires dual-factor digital access granted to those employees. All other persons are always required to be under supervision of the listed individuals while inside the Data Center. Video recording is always active within the Data Center.
  - Remote access to virtualized servers is granted on a case-by-case basis to other users within the IT organization. This is granted only to users who maintain those systems on an application-update level. Their network credentials are used to authorize this access.
  - Remote access to databases is granted to specific IT administrators of those systems. Their network credentials are used to authorize this access.
  - Access to data within those databases is granted to reporting/business analyst users through a Data Warehouse and reporting tools. Access is segregated based on duties so that only data authorized by the respective departments can be accessed.
  - Access to data within our Student Information System is limited to employees of the College through an encrypted web interface that is only accessible off campus via Virtual Private Network. Duty segregation is approved by the heads of the respective departments and is closely controlled through the use of personas.
Policy Responsibility
While all Keuka College employees are responsible for following rules and policies, Keuka College Information Technology is the current “owner” of the College’s system and network infrastructure as well as computer assets and cloud contracts. IT is responsible for maintaining and providing a safe and secure environment to perform daily duties.
Data Encryption
The interface to critical College systems containing sensitive/confidential information is encrypted and, as a further step, is limited to access from within the internal network, through an encrypted VPN tunnel, or with two-factor authentication.
Policy
Keuka College prohibits the deliberate introduction of inaccuracies into, or loss of, our retained information. The College also prohibits using our information to breach privacy, compromising system performance or security, or damaging any hardware.
Keuka College will protect its assets from threats to its security, whether deliberate or accidental. Because no single department can provide absolute security, all College employees, students, and other authorized users of Keuka College are responsible for minimizing risks, complying with policy, and securing any assets within their control and capability.
College-wide awareness of threats as well as common and new attack methodologies is necessary to retain a secure environment. Keuka College will provide education about these, as well as our current policies and changes within them via handouts, emails, and newsletters.