Roane State Community College
Policy Number: GA-18-08
Subject: Data and Personally Identifiable Information (PII) Security
The purpose of this policy is to establish a standard for managing Personally Identifiable Information (PII) data on college-owned computers or devices that are used to store or transport sensitive or confidential information. In addition, this policy outlines responsibilities for Roane State employees who have access to such information.
The scope of this policy includes all college employees, contractors, or consultants with access to PII information.
- Sensitive Information is defined as any information that provides PII on a Roane State Community College (RSCC) student, faculty, or staff member. PII is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. This includes, but is not limited to, information such as social security number, date and place of birth, and mother’s maiden name. Directory information is determined by each intuition and is not considered PII.
- Portable Mass Storage Device is defined as any device which is capable of transporting digital files outside the internal storage device of a Roane State computer or network. They include such devices as floppy disks, CD/DVD’s, flash drives, zip drives, or external hard drives.
- Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).
- Data Custodians are institutional designees who are responsible for establishing data management procedures and the assignment of access to the data for which they are responsible. Representatives will be designated from the flowing functional area as Data Custodians.
- Directory Information is that information which constitutes a basic profile based on information contained within student education records that generally is not considered harmful or an invasion of privacy if released. Directory information at RSCC includes:
- Business Office
- Student Records
- Financial Aid
- Human Resources
- Student Name
- Email address
- Telephone Listing
- Date of Birth
- Participation in officially recognized activities and sports
- Weight and Height of athletic team members
- Dates of attendance
- Enrollment Status - Part-time, Full-time
- Degree and awards received
- Major field of study
- Most recent previous educational agency or institution
Access to data residing in administrative systems and applications at RSCC is to be granted only to those individuals who must, in the course of exercising their responsibilities, use the specific information. Data custodians are responsible for granting access to the information.
The copying, downloading, FTP transfer, or otherwise duplicating PII data on a computer, website, floppy diskette, CD/DVD, tape, USB device, or other such mobile storage device for purposes other than backup by authorized personnel is prohibited unless granted written permission by the Assistant Vice President, Information Technology.
- Control of Sensitive Information
Under no circumstance should sensitive or confidential information be transferred to or stored on any personally-owned laptops, removable media, or home computers. While access to Banner is permissible from personally owned computers, no PII data may be downloaded or stored on such devices.
One may access administrative systems and work with sensitive or confidential information from college-owned computing devices, but may not make a copy of that information and store it locally on the device. Any file containing personally identifiable information must be stored on the individual’s “U” drive on the network.
Unsecure laptops or removable storage devices will not be used to transport or store sensitive information. Should a requirement exist for sensitive or confidential information to be stored on a laptop or removable media, the device must be encrypted and be physically secured when unattended. Unless written permission, as outlined above, has been granted, removable media such as USB drives or optical disks (e.g., CD-ROM or DVD-ROM) should not be used to transport sensitive or confidential information.
Laptop users are responsible for securing laptops at all times, but especially when traveling. (See Security of Laptop below.)
- Email Transfer of PII
PII should not be transmitted electronically (i.e., emailed from any systems such as Outlook, BDMS, etc. or by any other electronic transmission methods) unless encrypted. Transmittal of information containing the Campus Wide ID (CWID) is permitted. (However, it is recognized that even this practice is being debated and may change in the future.)
Laptop computers owned by the college and assigned to faculty and staff are to be configured to use hard drive encryption. Contact the Help Desk if you believe your laptop needs to be encrypted.
Encryption methods used will be dependent on host operating system and whether or not the laptop hardware includes a Trusted Platform Module (TPM).
Encryption techniques requiring password authentication allowing a host operating system to load will conform to strong password standards See GA-18-09, Strong Password. Access the complete detailed RSCC policy GA-18-09 at www.roanestate.edu/policies/. Check your password strength at Microsoft's Create Strong Passwords.
- Security of Laptop
Campus Offices - Laptops must be secured in a locked office when unattended for an extended length of time or left overnight.
Out of Office - When laptops are taken out of the office, the laptop must be kept under positive control of the owner. It should be in hand, in sight, or locked in a secure location at all times.
Roane State will conduct quarterly vulnerability scans of its outward facing firewall and semiannual scans of its internal credit card payment network in accordance with the Payment Card Industry Data Security Standards (PCI-DSS). All scans will be performed by an Approved Scanning Vendor or ASV. Any discrepancies will be corrected and a follow-up scan performed until the system is compliant. Scans will also be performed after any major changes in the network.
Wireless networks will be monitored for rogue access points, unauthorized WLAN cards or other unauthorized devices connected to Roane State’s network.
Roane State’s Intrusion Detection/Prevention System (IDS/IPS) will be configured to alert the network manager, assistant network manager and the Assistant Vice President of Information Technology in the event of an attack.
For employees that are required to access PII from the Administrative System, Roane State Information Technology Division will provide training information annually on the proper handing and safeguarding of PII.
Any employee found to have violated this policy may be subject to disciplinary action.
Revision History: 03/05/2014
Revision Date Effective: 03/05/2014
Revision Approval By: Christopher L. Whaley, President
Original Date Effective: 02/01/2013
Original Approval By: Christopher L. Whaley, President
Office Responsible: Executive Vice President for Business & Finance
© Roane State Community College
Roane State Community College is a TBR and AA/EEO employer and does not discriminate against students, employees, or applicants for admission or employment on the basis of race, color, religion, creed, national origin, sex, sexual orientation, gender identity/expression, disability, age, status as a protected veteran, genetic information, or any other legally protected class with respect to all employment, programs and activities sponsored by Roane State. View full non-discrimination policy.
Report Fraud, Waste and Abuse
Digital Millennium Copyright Act of 1998