Information Security Procedure

Business Office (509) 527-4936 
Technology Services (WCTS) (509) 527-4975

In order to protect the institution and its private information and data and to comply with federal law, Whitman College (the College) has adopted this Information Security Procedure for critical and private financial and related information. This security Procedure applies to customer financial information received by the College, as well as other confidential financial information the College has chosen to include within the scope of the Procedure. This document describes procedures that various departments will follow while handling this information.

This Procedure covers the input, maintenance and output of covered information within the Administrative Information System. This Procedure also addresses the protection of information in paper reports or other computer files, as well as the inadvertent release of information via computer screen or verbal communication. This Procedure and the Staff Handbook prohibit purposeful release of confidential information to any unauthorized person or entity.

Procedure Administrators 
The College Controller and the College Director of Enterprise Technology are jointly responsible for the coordination of Whitman’s Information Security Procedure.

Definition of Customer & Administrative Information 
Protected or covered information under this Procedure is any data related to the business of the College including, but not limited to, financial, personnel, student, alumni, and physical resources. It includes data maintained at the departmental or office level as well as centrally, regardless of the media on which they reside. Covered information generally does not include library holdings or instructional materials.

The College recognizes information is a College resource requiring proper management in order to permit effective planning and decision-making and to conduct business in a timely and effective manner. Employees are charged with safeguarding the integrity, accuracy, and confidentiality of this information as part of the condition of employment.

Access to administrative computer systems is granted based on the employee’s need to use specific data, as defined by job duties, and subject to appropriate approval. As such, this access cannot be shared, transferred or delegated. Failure to protect these resources may result in disciplinary measures being taken against the employee, up to and including termination.

Customer & Administrative information is categorized into three levels:

1. Confidential information 
Requires a high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the data. This includes records about individuals requiring protection under the Family Educational Rights and Privacy Act of 1974 (FERPA) or any other law or regulation governing personal information as well as information that if treated or disclosed improperly could adversely affect the ability of the College to accomplish its mission.

Confidential information includes, for example, salary information, social security numbers, alumni gift amounts and student grades.

2. Sensitive information 
Requires some level of protection because its unauthorized disclosure, alteration, or destruction might cause damage to the College. It is assumed that all administrative output from the administrative database is classified as sensitive unless otherwise indicated.

Sensitive information includes, for example, class lists, facilities data and vendor data.

3. Public Information 
Can be made generally available both within and beyond the College. It should be understood that any information that is widely disseminated within the campus community is potentially available to the public at large.

Public information includes, for example, student directory information, financial statements and IRS Form 990.

Administrative Information System 
Administrative information available in a client/server environment provides Whitman College with abundant opportunities for easy and efficient access to data. This fluid environment also poses significant risk to the security of such information. Protecting this college resource is a shared responsibility between the college administrative staff, faculty, and the Information Technology staff (WCTS).

Network security, including firewall technology, has been implemented to protect administrative servers and departmental workstations from unauthorized access through the Internet. Staff in administrative offices are connected to secured computers through an administrative subnet on the campus network.

Desktop computers in administrative offices provide one of the most vulnerable points of access to administrative systems. Staff in administrative offices must physically protect their computers, including laptops, from unauthorized access and theft

System privileges will be authorized by the department head or designated department security manager and centrally assigned by System Administrators in WCTS. Inquiry Access to administrative information will be authorized on a ‘need to know’ basis. Maintenance Access to processes will be authorized based on job responsibilities.

Employee Information 
All aspects of personnel records are confidential. Directory information for faculty and Staff as published in the Whitman College Telephone Directory is public. Directory information may include some or all of the following: name, home address, home telephone, spouse/partner name, department, position title, campus address, campus phone and email address. Employees may request of the Human Resources Department, that all personal information except their name be classified as confidential.

Family Educational Rights and Privacy Act (FERPA) 
The Family Educational Rights and Privacy Act (FERPA) of 1974 governs all information about students, current and former, maintained by Whitman College. FERPA generally requires that Whitman College have the student's written permission to release any information from their records except certain types of "directory information."

Student “Directory Information,” as defined by FERPA 
Certain information, classified as “directory information,” is available for public consumption unless the student specifically directs that it be withheld. A student wishing to withhold such information should convey those instructions to the Office of the Dean of Students. Former students should contact the Alumni Office.

Public or directory information includes: student’s name, address, telephone number, date and place of birth, major field of study, participation in officially organized activities and sports, weight and height (for members of athletic teams), dates of attendance, degree and awards received, and the most recent previous educational institution attended.

Individual Office Security Administration 
Department heads or their designees are responsible for authorizing system access by employees. System Administrators in Technical Services will enable, modify or remove user privileges based on authorization from the department head.

On a daily basis, System Administrators will review reports identifying failed login attempts, “super user” logins and origins of login.

Passwords 
The most effective way to protect administrative information is through the vigilant use of user-defined passwords.

Passwords must:

  • Be changed by the user on-line every sixty days
  • Be changed by the user no more frequently than every seven days
  • Consist of both letters and numbers
  • Be six characters in length, minimum
  • Be eight characters in length, maximum
  • Significantly differ from prior passwords

It is the employee’s responsibility to protect their password from disclosure. Every individual, including student employees, must have a unique user login. Passwords must not be shared with any other person. If it is suspected that a password has been compromised, the System Administrator must be contacted. Web browsers allow you to save passwords used to access external sites. You should be wary of using this feature. Please be aware that after five consecutive failed login attempts, accounts will be automatically deactivated. The System Administrator will be contacted automatically in that event.

OFFICE RESPONSIBILITIES

Office Specific Security Plans 
It is advisable that those offices dealing extensively with external customer information prepare and distribute among staff, security plans directed to the procedures and format of the individual offices. At a minimum such plans should outline how the specific office is maintaining compliance with FERPA.

Employee responsibilities 
Employees, including students, granted access to institutional data may do so only to conduct College business. In this regard, employees must:

  • Respect the confidentiality and privacy of individuals whose records they access
  • Observe ethical restrictions that apply to the data to which they have access
  • Abide by applicable laws or policies with respect to access, use, or disclosure of information

Employees may not:

  • Disclose data to others, except as required by their job responsibilities
  • Use data for their own personal gain, nor for the gain or profit of others
  • Access data to satisfy their personal curiosity

Employees and students who violate this policy are subject to the investigative and disciplinary procedures of the College. The offices of the Dean of Students and the Dean of Faculty generally handle complaints against students and faculty, respectively. Complaints against staff and administrators are usually handled through supervisors and Human Resources. The Human Resources Department is responsibility for notifying WCTS promptly of any employee terminating from employment at Whitman College.

Anti-Virus Software 
Up-to-date anti-virus software is essential to protecting information in a client/server environment. It is critical that employees install updates to campus-wide anti-virus software as it becomes available. Virus software should be set to scan all files, not simply program files, on a daily basis. If it is suspected that a PC has a virus, the WCTS Help Desk (x4976) must be notified immediately. Installing/downloading software that is not supported by the College should be handled with caution. There is a risk that such software may contain a virus or otherwise degrade the host computer in some way.

Unattended PC’s 
The use of a password protected monitor is highly recommended. Employees must logout from the administrative software (“Datatel”) when a PC is left unattended. Once logged in, all authorized applications are available to anyone with access to that PC.

Equipment Security 
All office computer equipment should be reasonably secured from theft. Laptops and other portable devices are the most vulnerable. Administrative data should be stored on the network drive rather than physical drive on your PC. Caution should be used when storing administrative information on portable computers.

The System Administrator should be notified immediately of any known or suspected administrative systems security breaches.

Printed reports 
Reports containing confidential and sensitive data, either test data or live production data, must be secured within the office. Reports should not be left on the printer or unattended on a desktop in open view. Any report that is no longer needed, which contains confidential and/or sensitive data, must be shredded or stored securely until it can be shredded or processed for recycling.

Communication 
The security of administrative information is a shared responsibility among the Whitman College staff who use and support technology. All have a role to play. Vigilance is a daily activity. Effective, on-going communication of this security policy and office procedures will play an essential part in our success.

Department leaders are responsible for discussing this policy with each user at the time system privileges are issued.