This Information Security Program is the implementation of Board Policy 430.01 (Identity Theft Prevention).
The protection of Confidential and Sensitive Information (CSI) assets and the resources that support them is critical to the operation of Sauk Valley Community College (SVCC). As information assets are handled, they are placed at risk from potential threats such as employee errors, malicious or criminal actions, theft and fraud. Such events could cause the College to incur a loss of confidentiality or privacy, financial damage, and fines and penalties. SVCC protects CSI in a manner that is compliant with all relevant legislation, industry best practices, and the values of the College.
Goals of the Information Security Program include but are not limited to:
- Defining what information is considered confidential and sensitive.
- Defining what information is considered public.
- Outlining employee responsibilities when working with CSI.
- Providing a process for reporting security breaches or other suspicious activity related to CSI.
- Providing guidelines on how to communicate information security requirements to vendors.
- Summarizing the laws and other guidelines that impact the Information Security Program.
This policy applies to trustees, executives, management, employees, volunteers, work studies, students and service providers at SVCC. This includes all parties that may encounter CSI, such as contractors, consultants, temporaries, and personnel of third-party affiliates.
2.0 Information Security Program Coordinator
The Dean of Information and Security is the coordinator of the Information Security Program at Sauk Valley Community College. The Dean of Information and Security is responsible for working with Administrators from all areas of the College to implement information security practices in accordance with all legal requirements and industry best practices. The Dean of Information and Security reports to the President.
3.0 Purpose of the Information Security Program
The purpose of the Information Security Program is to define the guiding principles that all College employees must follow when working with Confidential and Sensitive Information. Each department that works with CSI will be required to implement department specific procedures to ensure that they are operating within the guidelines.
4.0 Types of Information
Sauk Valley Community College owns or is entrusted with a vast amount of information about its students, employees, and other business partners. This information may be in electronic form, stored on network servers, PC workstations, or magnetic or optical storage media. It may also be in hard copy (paper) form stored in file cabinets.
4.1 Confidential and Sensitive Information (CSI)
While this list is not exhaustive, the following types of information are explicitly considered by Sauk Valley Community College to be Confidential and Sensitive Information:
- Social Security Number (SSN)
- Social Insurance Number (Medicare number)
- Date of Birth
- Driver’s License Number
- Debit/Credit card number (Personal account number, Expiration date, CVV Code)
- Bank Account Numbers
- Tax ID
- Medical Records
- Doctor names
- Insurance policy information
CSI can be found in many places at Sauk Valley Community College. Records containing this information may be referred to as “Covered Accounts”. The following are some of the primary locations for CSI:
- Student records – Banner (credit/non-credit students)
- Student records – Filebound
- Student records – Nelnet (3rd party admin of online payments)
- Student records – Paper
- Employee records – Banner (HR, Payroll)
- Employee records – FileBound (HR, Payroll)
- Employee records – PeopleAdmin (HR)
- Employee records – Paper (HR, Payroll)
- Student payment/billing information (credit card, bank account numbers)
- SVCC financial accounts (checking/savings, investment, credit/debit card accounts)
- Medical records (employees and students)
4.2 Public Student Information
Public information, often called “Directory Information,” may be shared with the general public. Students wishing to have their Directory Information withheld from the public must fill out a form in Admissions and Records. Sauk Valley Community College considers the following information to be Directory Information:
- Telephone number
- Full-time/Part-time status
- Major field of study
- Dates of enrollment
- Degrees and awards received
- Most recent educational institution attended
- Participation in recognized activities and sports
- Weight and height of members of athletic teams
4.3 Private Information
Information should be classified as private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the College or its affiliates. By default, all Institutional Data that is not explicitly classified as CSI or public data should be treated as private information. A reasonable level of security controls should be applied to private data.
While this list is not exhaustive, the following types of information are explicitly considered by Sauk Valley Community College to be Private Information:
- Employee ID
- Student ID
- Library ID
5.1 Employee Responsibilities
Most SVCC employees will encounter CSI at some point while performing their job duties. While some employees will work with CSI more often than others, all employees need to be aware of their responsibilities when handling CSI.
- Employees may not divulge, copy, release, review, or destroy any CSI unless properly authorized as part of their official job duties.
- Properly authorized employees must destroy CSI that is no longer needed. This includes shredding documents and having digital storage devices permanently erased.
- Employees must protect CSI regardless of its location or format (electronic or paper).
- Employees must safeguard all types of access (i.e., keys, ID cards, and passwords) to CSI.
- Employees are required to report any suspicious activity regarding CSI to their supervisor as soon as possible.
5.2 Administrator Responsibilities
In addition to the employee responsibilities stated above, College administrators have additional responsibilities regarding the use of CSI in their respective departments. College administrators are required to:
- Know what types of CSI are available in their departments.
- Develop procedures that support safeguarding CSI in their department as outlined in this policy.
- Ensure employees are trained on departmental procedures and are following them.
- Report any suspicious activity regarding CSI to the Dean of Information and Security.
6.1 Diligence Concerning the Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) has two rules that impact financial institutions: the Privacy Rule and the Safeguards Rule. Colleges and universities are considered financial institutions under GLBA. Colleges and universities are considered compliant with the Privacy Rule if they are compliant with FERPA (see section 6.4). In order to be considered compliant with the Safeguards Rule, financial institutions must:
- Conduct ongoing risk assessments of all areas of operation where CSI is used.
- Design and implement a safeguards program to protect all CSI owned or entrusted to the College. This includes regular monitoring of these safeguards.
- Select appropriate service providers when those service providers work with the College’s CSI.
- Regularly evaluate and adjust the Information Security Program in light of changes in the College environment.
- Provide ongoing training to employees on the proper handling of CSI.
6.1.1 Mitigation of Risks
Sauk Valley Community College continuously assesses the potential risks (internal and external) to its Confidential and Sensitive Information. The College has taken the following steps to mitigate these risks:
- A network firewall has been implemented and is continuously monitored and adjusted.
- Anti-virus software is running on all workstations and servers and is regularly updated. The updates are controlled at the network domain level.
- Operating system updates are performed regularly on all servers and workstations, as well as updates to the Microsoft Office, Java, Adobe Flash and Adobe Reader applications.
- A spam filtering solution is in place to drastically reduce the amount of spam e-mail that enters the College’s e-mail system.
- Administrative access is restricted on staff and public/shared workstations.
- File level access rights are controlled on all network-shared drives.
- Public/shared computers are “frozen” and periodically restarted to prevent unauthorized files and software installation.
- All wireless networks are encrypted to prevent network scanning or man-in-the-middle attacks.
- Websites are served over Secure Hypertext Transport Protocol (HTTPS).
- Server communication is encrypted.
Note: System Administrators have access to all files shared on all servers.
- Employees are required to change their password periodically.
- A self-service password reset tool is used by students and employees to change their own password from on-campus or off-campus.
- Off-campus access to Sauk Valley Community College network resources is limited to select personnel using Remote Desktop Connection (RDP).
6.2 Diligence Concerning Credit Card Information
Sauk Valley Community College accepts credit card and debit card payments for tuition, donations, and other financial transactions. Any merchant that accepts credit card payments is subject to the security requirements outlined in the Payment Card Industry Data Security Standards (PCI-DSS). All SVCC employees that work with credit card transactions must adhere to the following security requirements.
6.2.1 Electronic Storage
SVCC does not store any cardholder data electronically. Cardholder data includes:
- The Primary Account Number (PAN) – 16-digit credit card number on the front of the card.
- The expiration date of the credit card.
- The service code, Card Validation Code, or value (CVC, CVC2, CVV2, etc.) – the 3-digit number found on the back of the card and used for online transactions.
- Personal Identification Number (PIN) – the number used for ATM transactions.
- Any magnetic stripe information – which includes all of the above information.
Employees must never enter cardholder data into any electronic software system such as Banner or any other type of database, spreadsheet or other electronic file. Credit Card data may not be stored on any laptop computer, any Personal Digital Assistant (PDA) device, any removable storage media such as a thumb drive, any office or public workstation, or any network drive.
6.2.2 Electronic Transmission
SVCC does not electronically transmit credit card information over its data network.
- All online credit card transactions are handled by a third party service provider. These providers are responsible for providing a secure web site to handle the transactions as well as storing the credit card data securely.
- All “card present” transactions are handled using stand-alone terminals connected through Ethernet lines.
- Any faxed-in applications (Business and Community Education) are received in a secure electronic fax repository that requires a login.
- SVCC employees are prohibited from sending credit card information using electronic communication methods such as e-mail, chat or instant messaging.
6.2.3 Hard Copy Storage
SVCC does receive and work with paper forms that may contain credit card information. Paper forms that contain credit card information must be safeguarded as follows:
- All paper forms containing credit card information must be physically secured in a lockable file cabinet in a lockable room. Access to this room and the file cabinet must be limited to employees with a legitimate business need to access them.
- The room may be unlocked during normal business hours but must be locked at all other times.
- Any file cabinet containing credit card information must be locked at all times. A cabinet should only be unlocked when an employee is accessing it to store or retrieve records.
- Hard copy forms containing credit card information must not be stored in personal desk drawers (even locked drawers) overnight. It is acceptable to store credit card information in a locked desk drawer during the workday when you are away from your desk.
6.2.4 Hard Copy Transportation
SVCC Employees are permitted to transport hard copy forms containing credit card information to other areas of campus. For example, credit transcript forms need to be taken to the Business Office. Business and Community Education applications containing credit card payment information that have been sent via U.S. Postal Service are required to be delivered to the appropriate department. When such transportation is required, only employees authorized by the department supervisor are allowed to transport the credit card information.
6.2.5 Hard Copy Retention and Destruction
Hard copy CSI must be shredded when it no longer has a legitimate business use. Destruction may be in-house via a crosscut shredder or by a service provider who is certified by the National Association of Information Destruction. Such service provider must provide a certificate of destruction every time material is released to be destroyed.
6.3 Diligence Concerning Identity Theft
The Red Flag Rules of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) require financial institutions to implement procedures to detect, prevent, and mitigate potential identity theft incidents. The procedures required in order to comply with the Red Flag Rules are:
6.3.1 Identification Verification Procedures
Identification verification procedures are necessary for employees to form a reasonable belief that they know the identity of the individuals opening a new covered account or requesting access to an existing covered account. Each department where CSI is handled must define and implement a procedure that will allow SVCC employees to verify the identity of anyone opening a new account or anyone requesting access to an existing account.
6.3.1.1 Opening a New Account
SVCC may open new covered accounts for someone requesting such an account either in person or by mail, fax or online. Whenever possible, identification will be verified in-person using a valid State Issued Driver’s License or State Issued Identification Card. When new accounts are opened and the individual is not present, a welcome letter will be sent via U.S. Postal Service. This letter will serve as verification of the individual’s identification.
Upon establishing a new password for an account, a user will be prompted to select security questions and answers to verify their identity in the event of a forgotten password. If a user has not selected security questions, a series of security questions and answers will be randomly selected based on information in the student information system.
6.3.1.2 Accessing Information Stored Electronically
Information stored electronically will be secured using various network and application specific authentication and authorization policies. This includes the use of login names and passwords and access rights that are maintained by Information Technology Services with guidance from other departments within Sauk Valley Community College.
6.3.1.3 Accessing Information Stored in Hard Copy Format
Covered account information stored in hard copy format will be physically protected by the department storing the information. Access to this information will be granted based on the position held at the College or on the legitimacy of the need for the information.
6.3.2 Red Flag Response Procedures
SVCC may receive alerts, notifications or warnings of possible red flags from outside consumer reporting agencies; presentation by individuals of documents that appear to have been altered or forged; presentation of personal identifying information that is inconsistent with external information sources; unusual or suspicious activity on an existing account or record; or receipt of a notification of identity theft from a victim of identity theft, law enforcement authorities, or other authorized persons.
When SVCC is presented with an alert, notification or warning, the College Information Security Committee will take necessary action to investigate and appropriately respond to the possible identity theft according to the College’s Incident Response Plan. This may include declining account access; closing of the fraudulent account; documenting the incident; notifying existing individuals on record; opening a new account; cooperating with law enforcement agencies and such other actions as needed to prevent or mitigate loss to the individual and the College.
6.4 Diligence Concerning the Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act, more commonly known as FERPA, is a federal law that declares the rights of students to view their personal educational records while protecting the privacy of those records. This law applies to all public and private institutions that receive funding from the U.S. Department of Education. Failure to comply with FERPA can lead to lawsuits, loss of federal funding, conviction of a misdemeanor under the Public Information Act with possible imprisonment or fines, and dismissal.
6.4.1 Student Information Maintenance
The Admissions and Records Department has ownership and authority over the primary repository of student data at Sauk Valley Community College. To acquire access to student records systems an employee must complete FERPA compliance training and sign a Confidential Information and Non-Disclosure Agreement. The Director of Enrollment Management/Registrar will evaluate new requests for access to student information and will either approve or deny them.
6.4.2 Personal Identifiable Information
According to FERPA regulations, educational agencies or institutions are not permitted to release educational records, including personally identifiable information from those records, without prior written consent. According to FERPA, “personally identifiable information” is defined as information that includes, but is not limited to, the following:
- Student’s name
- Name of the student’s parent or other family member
- Address of the student or the student’s family
- A personal identifier, such as the student’s Social Security Number or student ID number
- A list of personal characteristics that would make the student’s identity easily traceable
- Other information that would make the student’s identity easily traceable
As an exception, personally identifiable information may be disclosed internally without prior written consent to those who have legitimate educational interests, including the interests of students for whom consent would otherwise be required. A legitimate educational interest exists when disclosure of information is necessary for the completion of an employee’s official duties, and access to the information is consistent with the purpose for which it was granted.
Disclosure of any student information by non-Admissions and Records personnel to any organization or person, including students, is prohibited. Employees outside of Admissions and Records should direct such requests to the Director of Enrollment Management/Registrar.
6.4.3 Directory Information
Under FERPA, the College is allowed to disclose directory information, including that which may be personally identifiable information, without the prior consent of students. Directory Information at SVCC consists of the information listed in the 4.2 Public Information section of this document.
A Student has the right to suppress the release of his or her personal directory information. To request that personal directory information not be publicly disclosed, a student must submit a completed “Request to Prevent Disclosure of Directory Information” form to Admissions and Records prior to the end of the second week of class. These forms are available in Admissions and Records.
Note: Once a student has a signed request to suppress his or her directory information on file, he or she would then need to submit, in writing to the Admissions and Records Office, authorization for each individual disclosure of any information in the future.
6.4.4 Avoid FERPA Violations
To avoid violations of FERPA rules, DO NOT:
- At any time, use any part of a Social Security Number, student ID number, or name to publicly post grades. Grades should be posted in Banner.
- Link the name of a student with that student’s Social Security Number or Student ID number in any public manner.
- Leave graded tests in a stack for students to pick up by sorting through the papers of all students.
- Circulate a printed class list with student name and Social Security Number or grades as an attendance roster.
- Discuss the progress of any student with anyone other than the student (including parents) without the consent of the student (or proper IRS documentation from parents).
- Provide anyone with lists of students enrolled in your classes for any commercial purpose.
- Provide anyone with student schedules or assist anyone other than college employees in finding a student on campus.
- Leave the door open when your office is vacant.
- Leave grades, test scores, etc., or personal information in the classroom between classes or during breaks.
- Leave student records (class lists, grades, work or home phone, student schedule, etc.) in view on your desk or on your computer.
6.4.5 FERPA-Related Requests and Demands from Students
Employees are required to direct students who inquire about FERPA regulations to Admissions and Records. Employees outside of the Admissions and Records Department are prohibited from responding to students’ questions relating to FERPA. Employees outside of the Admissions and Records Department are not allowed to carry out a FERPA-based request. FERPA affords students the following:
- The right to inspect and review the student’s education records within 45 days of the day the College receives a request for access. Students should submit to the Director of Enrollment Management/Registrar or the Dean of Student Services a written request that identifies the record(s) they wish to inspect. The College official will arrange for access and notify the student of the time and place where the records may be inspected.
- The right to request the amendment of the student’s education records that the student believes are inaccurate or misleading. Students may ask the College to amend a record they believe is inaccurate or misleading. They should write to the College official responsible for the record, clearly identify the part of the record they want changed, and specify why it is inaccurate or misleading. If the College decides not to amend the record as requested by the student, the College will notify the student of the decision and advise the student of his or her right to a hearing regarding the request for amendment.
6.4.6 Other FERPA-Related Legislation
6.4.6.1 Solomon Amendment
Pursuant to the Solomon Amendment, the College must supply specific student directory information to any military representative who requests such information for recruiting purposes. Exceptions are made for individuals with signed Public Directory Information forms on file. Military representatives will not be given directory information for those who have requested that such information be publicly withheld.
6.4.6.2 US Patriot Act of 2001
In accordance with the US Patriot Act of 2001:
- The U.S. Attorney General may submit a written application to a court for an ex parte order requiring SVCC to collect and produce education records that might otherwise be protected by FERPA.
- Under the US Patriot Act, College personnel are prohibited from disclosing to any other person that the FBI has sought or obtained records, except to those persons necessary to produce the requested records. The College is provided immunity as a provider of electronic communications services if it furnishes information or assistance in accordance with a court order or a request for emergency assistance under the Foreign Intelligence Surveillance Act, as amended.
7.0 Service Providers
The level of security responsibility given to service providers depends on the scope of their service offering, whether it involves direct or indirect access to information. In either case, service providers will be held accountable for their conduct, and agreements must delineate where Sauk Valley Community College liability ends and where the service provider liability begins. For the purposes of this policy:
- Direct access to information is when a service provider performs an activity with employee or customer information on behalf of the College. If the information is shared, then the service provider must have an Identity Theft Prevention Policy that complies with or exceeds federal and state regulations.
- Indirect Access to Information is when a service provider is working in the proximity of CSI in the College, but their function does not involve sharing information. This type of service provider must comply with this policy.
- Any vendors that hold CSI must provide a SOC report on an annual basis to the Vice President of Business and Facilities as part of the College’s annual financial audit.
Sauk Valley Community College may maintain agreements with certain outside entities with a legitimate interest, including the following:
- Sauk Valley College Foundation
- National Student Loan Data System
- National Student Clearinghouse
Violations should be immediately reported to the Dean of Information and Security.
A count of the number of violations will be kept and reported annually.
9.0 Updating the Information Security Program
The Information Security Program will be reviewed at least one time per year by the College Information Security Committee, headed by the Dean of Information and Security. The policy may be reviewed and updated more often if circumstances arise that require significant changes to the policy.
10.0 Training and Communication
The Dean of Information and Security is responsible for providing annual Information Security Practices training to all Sauk Valley Community College employees. This training will inform employees of their responsibilities when working with Confidential and Sensitive Information at Sauk Valley Community College and update them on policy changes. Additional training will be provided to employees whose primary job duties require them to work with CSI. Procedural training specific to a particular department regarding CSI will be the responsibility of the Department Head.
At the time of hire and/or upon completion of training, all employees will be required to sign a Use of Confidential Information and Non-Disclosure Agreement acknowledging their understanding of the Identity Theft Prevention Program.