{"id":3697,"date":"2013-07-15T12:50:03","date_gmt":"2013-07-15T17:50:03","guid":{"rendered":"https:\/\/wp.stolaf.edu\/it\/?page_id=3697"},"modified":"2016-08-30T10:51:19","modified_gmt":"2016-08-30T15:51:19","slug":"securing-college-data","status":"publish","type":"page","link":"https:\/\/wp.stolaf.edu\/it\/securing-college-data\/","title":{"rendered":"Securing College Data"},"content":{"rendered":"

Title:<\/b> Security College Data
\nEffective Date: <\/b>September 2013
\nIssuing Authority:<\/b> Information Technologies
\nProgram Coordinator:<\/b>\u00a0 Director of IT and Libraries
\nLast Updated:<\/b> April 14, 2016<\/p>\n

Purpose of Statement<\/b><\/h3>\n

<\/b>This document is intended to provide a summary of the policies and procedures St. Olaf has adopted to help safeguard our digital data.<\/p>\n

Policy<\/b><\/h3>\n

<\/b>All employees are expected to know and adhere to the policies that safeguards digital information and data in order to comply with state and federal regulations, as well as College policies.<\/p>\n

Procedures<\/b><\/h3>\n

Inventory of High Risk Data<\/strong>
\nOffices and departments that store or process more than 100 high risk data elements, especially collections of more than 100 Social Security Numbers, should document and discuss their processes with the Information Security Officer. The Information Security Officer will deliver an annual report on high risk data to the Chair of the Information Security Council and then to Director of IT and Libraries.<\/p>\n

Access to Data
\n<\/b>Individuals wishing to access or use college data must request such access through the \u201cdata custodian\u201d for that particular data set.\u00a0 Each office, department, or division that maintains core college data (high, medium, or low risk) is responsible for assigning one or more individuals to serve as data custodians.\u00a0 These data custodians are responsible for managing the use, access, archiving, and sharing of the data to ensure that it is properly handled within their office area and by those that are granted access to the data.<\/p>\n

Individuals who are given rights to access or use college data are responsible for maintaining the privacy of protected and confidential data and must agree to abide by any college policies and state or federal laws and regulations governing such data. Individuals may be required to take training on FERPA, HIPPA, GLBA, etc. prior to getting access to those data elements.<\/p>\n

In order to maintain the security of the college\u2019s data and information the college retains the authority to:<\/p>\n

    \n
  1. restrict or revoke any user\u2019s privileges,<\/li>\n
  2. inspect, copy, remove, or otherwise alter any data, program, or other system resource that may undermine these objectives, and<\/li>\n
  3. take any other steps deemed necessary to manage and protect its information systems and the data and information held within those systems.<\/li>\n<\/ol>\n

    This authority may be exercised with or without notice to the involved users.\u00a0 St. Olaf College disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.\u00a0 More information on data and responsibilities can be found in the Data Classification Policy statement found at:\u00a0 https:\/\/wp.stolaf.edu\/it\/data-classification\/<\/a><\/p>\n

    File and Information Privacy
    \n<\/b>All information on St. Olaf servers, desktop computers or on computer storage media, including digital mail, is considered college property. While Information Technology (IT) makes every reasonable effort to ensure the security of digital files, employees should be aware of the following:<\/p>\n

    Any individual using the St. Olaf College systems and networks from any computer automatically consents to the monitoring of their activities in the course of systems maintenance or security related investigations.\u00a0 In addition, in order to conduct the college\u2019s business and assure compliance with college policies and the law, the college may need to monitor or review digitally stored information.\u00a0 If, in the course of such monitoring, systems personnel reveal possible evidence of criminal activity or college policy violations, systems personnel may provide the evidence of such monitoring to the College or law enforcement officials.<\/p>\n

    Select employees of IT have access to all information stored on the St. Olaf servers. Those employees may include the custodians of the campus servers maintained by IT and\/or IT student workers whose responsibilities are associated with the servers. Such access is necessary in order for IT employees to perform their duties, and is normally exercised upon the request of the account owner, in cases of systems security and performance problems, upon presentation of warrants, subpoenas, or court orders, or upon the request of an individual\u2019s supervisor or Vice President. Supervisors requesting access to an employee\u2019s computer files must first consult with a Vice President and must present a valid work-related issue or need or convincing evidence of probable cause related to a violation of federal or state regulations or college policies before IT staff will access files.<\/p>\n

    Every digital file and email message stored on the St. Olaf servers are backed up and, therefore, are reproducible and may be subpoenaed in the event of a court case. Users should be aware of this when creating files and email messages intended for individuals both on and off campus.<\/p>\n

    Email correspondence should not be considered private. The individual to whom one sends an email message may allow another person to access the mail message or may forward it to others. In addition, while St. Olaf makes every effort to ensure the security of email messages routed on the College network, email messages sent via the Internet are not guaranteed that same level of security and privacy.<\/p>\n

    Personal files and email stored by employees on their college-provided desktop computer or on the St. Olaf servers should not be considered private. In the course of routine maintenance, upon the request of the immediate supervisor, or upon the presentation of warrants, subpoenas, and court orders personal files may be accessed by IT staff.<\/p>\n

    Information posted to the Internet is not private and, in most cases, is readable by other individuals around the world.\u00a0 While it is possible to restrict direct access to on-campus users only, this does not preclude wider distribution of materials.\u00a0 Users should consider carefully the content and nature of materials shared in light of these realities.<\/p>\n

    The full policy on privacy of files can be found at:\u00a0 https:\/\/wp.stolaf.edu\/it\/privacy-of-electronic-files\/<\/a><\/p>\n

    Entering computer accounts or reading digital files without proper authorization is considered misuse of computers. Individuals suspected of accessing others\u2019 files without permission will be referred to the appropriate office for action. Here is the College\u2019s policy statement on the Use of Campus Technologies: https:\/\/wp.stolaf.edu\/it\/appropriate-use-of-campus-technologies\/<\/a><\/p>\n