Subject: Data and Personally Identifiable Information Security POLICY
The purpose of this policy is to establish a standard for managing Personally Identifiable Information (PII) data on college-owned computers or devices that are used to store or transport sensitive or confidential information. In addition, this policy outlines responsibilities for Roane State employees who have access to such information.
The scope of this policy includes all college-owned devices used by individuals with access to Personally Identifiable Information (PII) information.
Sensitive Information is defined as any information that provides personally identifiable information (PII) on a Roane State Community College student, faculty or staff member. PII is information that can be used to uniquely identify, contact or locate a single person or can be used with other sources to uniquely identify a single individual. This includes, but is not limited to, information such as social security number, date and place of birth, mother’s maiden name.
Portable Mass Storage Device is defined as any device which is capable of transporting digital files outside the internal storage device of a Roane State computer or network. They include such devices as floppy disks, CD/DVD’s, flash drives, zip drives or external hard drives.
Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).
Access to data residing in administrative systems and applications at Roane State Community College is to be granted only to those individuals who must, in the course of exercising their responsibilities, use the specific information. Data Custodians are responsible for granting access to the information.
The copying, downloading, FTP transfer or otherwise duplicating PII data on a computer, website, floppy diskette, CD/DVD, tape, USB device, or other such mobile storage device for purposes other than backup by authorized personnel is prohibited unless granted written permission by the Assistant Vice President, Information Technology.
Control of Sensitive Information
Under no circumstance should sensitive or confidential information be transferred to or stored on any personally-owned laptops, removable media, or home computers. While access to Banner is permissible from personally owned computers, no PII data may be downloaded or stored on such devices.
One may access administrative systems and work with sensitive or confidential information from college-owned computing devices, but may not make a copy of that information and store it locally on the device. Any file containing personally identifiable information must be stored on the individual’s “U” drive on the network.
Unsecure laptops or removable storage devices will not be used to transport or store sensitive information. (See Control of Sensitive Information below.) Should a requirement exist for sensitive or confidential information to be stored on a laptop or removable media, the device must be encrypted and be physically secured when unattended. Unless written permission, as outlined above, has been granted, removable media such as USB drives or optical disks (e.g., CD-ROM or DVD-ROM) should not be used to transport sensitive or confidential information.
Laptop users are responsible for securing laptops at all times, but especially when traveling. (See Securing Laptops below.)
Email Transfer of PII
Email should not be used to transmit PII. Transmittal of information containing the Campus Wide ID (CWID) is permitted. (However, it is recognized that even this practice is being debated and may change in the future.)
Laptop computers owned by the college and assigned to faculty and staff are to be configured to use hard drive encryption. Contact the Help Desk if you believe your laptop needs to be encrypted.
Encryption methods used will be dependent on host operating system (e.g., Windows Vista and Windows XP) and whether or not the laptop hardware includes a Trusted Platform Module (TPM).
Encryption techniques requiring password authentication allowing a host operating system to load will conform to strong password standards (e.g., a strong password should appear to be a random string of characters to an attacker. It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.). Check your password strength at https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link.
Security of Laptop
Laptops must be secured in a locked office when unattended for an extended length of time or left overnight.
Out of Office
When laptops are taken out of the office, the laptop must be kept under positive control of the owner. It should be in hand, in sight or locked in a secure location at all times.
For employees that are required to access PII from the Administrative System, Roane State Information Technology Division will provide training annually on the proper handing and safeguarding of PII.
Any employee found to have violated this policy may be subject to disciplinary action.