All information gathered and maintained by employees of McNeese State University for the purpose of conducting University business is considered institutional information and, as such, each individual who uses, stores, processes, transfers, administers and/or maintains this information is responsible and held accountable for its appropriate use.
Information Collections and the Responsibilities of Information Guardians
University-held information should be protected against unauthorized exposure, tampering, loss and destruction, wherever it is found, in a manner that is consistent with applicable federal and state laws (see Appendix B), and with the information’s significance to the University and any individual whose information is collected. Achieving this objective requires that University information be segregated into logical collections (e.g., medical records, employee benefit data, payroll data, undergraduate student records, graduate student records, personal data regarding alumni, financial records), and that each collection be associated with an individual known as an “Information Guardian” who should:
- Define the collection’s requirements for confidentiality, integrity and availability (see Appendix D for requirement classifications),
- Convey the collection’s requirements in writing to the managers of departments that will have access to the collection,
- Work with Office Heads and Chairs to determine what users, groups, roles or job functions are authorized to access the information in the collection and in what manner (e.g., who can view the information, who can update the information).
The guardian of a logical information collection is typically the head of the department on whose behalf the information is collected or that is most closely associated with such information. A list of Information Guardians and their designated contacts may be found in Appendix C.
Each Information Guardian may designate one or more individuals on his or her staff to perform the above duties. However, the Information Guardian retains ultimate responsibility for their actions.
Responsibilities of Office Heads and Chairs
Office Heads and Chairs are required to:
- Understand the security-related requirements for the information collections used within their respective departments by working with the appropriate Information Guardians and their designates.
- Develop procedures that support the objectives for confidentiality, integrity and availability defined by the Information Guardians and designates, and ensure that those procedures are followed.
- Effectively communicate any restrictions to those who use, administer, process, store or transfer the information in any form, physical or electronic.
- Ensure that each staff member understands his or her information security-related responsibilities and acknowledges that he or she understands and intends to comply with those requirements by having them review the “Protection of Confidential Information – Summary of Responsibilities” document contained in Appendix E.
- Report any evidence that information has been compromised or any suspicious activity that could potentially expose, corrupt or destroy information to the University CITO.
User ResponsibilitiesProtecting Information Wherever It Is Located
Each individual who has access to information owned by or entrusted to the University is expected to know and understand its security requirements and to take measures to protect the information in a manner that is consistent with the requirements defined by its Information Guardian, wherever the information is located, i.e.,
- On printed media (e.g., forms, reports, microfilm, microfiche, books),
- On computers,
- On networks (data and voice)
- On magnetic or optical storage media (e.g., hard drive, flash drive, tape, CD/DVD)
- In physical storage environments (e.g., offices, filing cabinets, drawers),
- In a person’s memory, etc.
If an authorized user is not aware of the security requirements for information to which he or she has access, he or she should provide that information with maximum protection until its requirements can be ascertained.
Any individual who has been given a physical key, ID card or logical identifier (e.g., computer or network account) that enables him or her to access information is responsible for all activities performed by anyone using that key or identifier. Therefore, each individual must be diligent in protecting his or her physical keys and ID cards against theft, and his or her computer and network accounts against unauthorized use. Passwords created for computer and network accounts should be difficult to guess (see “Guidelines for University Passwords”). Furthermore, passwords should never be shared or recorded and stored in a location that is easily accessible by others. Stolen keys and ID cards, and computer and network accounts suspected of being compromised should be reported to the appropriate authorities immediately.
The assignment of a single network or system account to a group of individuals sharing the same password is highly discouraged and should only occur in cases where there is no reasonable, technical alternative.
Diligence Concerning Information Associated with “Identity Theft”
Identity theft is a serious and growing problem in our society. Anyone who can obtain certain pieces of information about an individual can open credit cards, take out loans, create forged documents or steal assets in the individual’s name.
Being sensitive to the identity theft threat, the law requires that extra precaution be taken when collecting, using and storing non-public “personally identifiable” information, such as:
- Social Security Number,
- Date of birth,
- Place of birth,
- Mother’s maiden name,
- Credit card numbers,
- Bank account numbers,
- Income tax records, and
- Drivers license numbers.
Collection and use of any of the above pieces of information should be limited to situations where there is legitimate business need and no reasonable alternative. Managers should ensure that their employees understand the need to safeguard this information, and that adequate procedures are in place to minimize this risk. Access to such information should only be granted to authorized individuals on a need to know basis.
Limitations on Sharing Personally Identifying Information
All non-public information gathered and maintained by employees of McNeese State University, for the purpose of conducting University business, that personally identifies any living or deceased individual – names and other personal information pertaining to individual students, faculty, staff, alumni, parents, guardians, spouses, children, donors, beneficiaries, etc. – should be considered “confidential” unless otherwise specified by this document or by the appropriate Information Guardian or designate. Such information associated with an individual may only be shared with:
- The individual with respect to whom the information is maintained,
- Persons designated in writing by that individual,
- University employees and representatives (included selected volunteers) who need access to such information for legitimate University business or to support the processing of such information, and who are authorized by the appropriate Information Guardian or designate,
- Governmental agencies to which the University has a legal obligation to provide such information,
- University-contracted organizations (e.g., health insurers, etc.) that:
- Require such information to deliver their services on behalf of the University, o Are authorized by the appropriate Information Guardian, and
- Are bound by appropriate, non-disclosure agreements. An organization receiving non- public financial information should execute a Confidential Information Agreement (See Appendices F, G and H).
The use of any personally identifying information collected and/or maintained by the University about any living or deceased individual – students, faculty, staff, alumni, parents, guardians, spouses, children, donors, beneficiaries, etc. – in hard copy or electronic form for any purpose that does not support the University’s objectives (e.g., political or commercial solicitations), is prohibited by law.
Methods of Distributing Public Information Associated with Individuals
Some pieces of personally identifiable information are considered public information. These pieces of information are described in Appendix A. The following procedures describe how public information associated with individuals may be shared:
- Directory information, including name, class (students), office address and phone number (faculty and staff) and e-mail address, can be made generally available over the electronic University Web site. The appropriate Information Guardian may deem other elements of information as directory information as well. The campus address and phone number for any student may also be made available in this manner except for those students who have submitted a formal request to the University to keep such information confidential.
Note – The Registrar maintains official University records of students who have expressly objected to such disclosure.
- Other public information may be released in response to reasonable requests.
Exchanging Information via E-Mail or Other Network Facilities
Electronic mail (e-mail) may in some situations be considered an insecure mechanism for exchanging information. The privacy of information contained within e-mail messages can be exposed, especially when either the sender or any of the recipients are off-campus or utilize a wireless network connection. The use of mechanisms that exchange information in a readable form, such as “ftp”, “chat” and “instant messaging”, between on- and off-campus computers also places confidential information at risk.
If information, deemed by its Information Guardian as “confidential” or “highly confidential”, must be exchanged with an individual or entity off-campus using e-mail or any other network facility that transfers data, it should be encrypted using a hardware- or software-based mechanism approved by the Office of Information Technology.
All business-related e-mail containing “confidential” or “highly confidential” information sent to recipients who are not in the “mcneese.edu” domain should include the following or a similar disclaimer:
“This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments.”
Physical documents containing information that has been classified as “confidential” or “highly confidential” by their Information Guardians and/or designates should be shredded using a University approved device or shredding facility prior to being discarded.
Any computer hard drive or removable magnetic medium, such as a diskette, magnetic tape, flash drive, etc., that has been used to hold any kind of “confidential” or “highly confidential” information should be electronically “scrubbed” using Office of Information Technology-approved software prior to being discarded or being transferred to any individual or entity who is not authorized to view such information. On such media, the mere deletion of confidential data is not sufficient as deleted information is still accessible to individuals possessing any of a number of available software tools. Any non-erasable medium, such as a CD, optical disk, etc., that has been used to hold any kind of “confidential” or “highly confidential” information should be physically destroyed before being discarded.
The Facilities Department provides strategies for shredding materials when the volume to be discarded requires their assistance. Information on office shredders is available from the Purchasing Department, which provides equipment recommendations based on projected volume.Valid Uses of Aggregate Information
Authorized users may analyze and aggregate institutional data. However, official, published reports that include such aggregate data should only be issued with the review and approval of the appropriate Information Guardian. Similarly, sharing those reports with individuals or organizations for which the reports are not primarily intended requires the permission of the individual or office primarily responsible for the report.
Authorized users are reminded that the full range of information collected on any living or deceased individual – students, faculty, staff, alumni, parents, guardians, spouses, children, donors, beneficiaries, etc. – in hard copy or electronic form may be subpoenaed and entered into the public record of a court case. Appropriate discretion should therefore be exercised in the drafting of any document that will be stored in any University file.
Employees who receive investigative subpoenas, court orders and other compulsory requests from law enforcement agencies that require the disclosure of University held information should contact the Office of General Counsel before taking any action.
Reporting of Security Breaches or Suspicious Activity
Any member of the University staff who comes across any evidence of information being compromised or who detects any suspicious activity that could potentially expose, corrupt or destroy information should report such information to his or her immediate supervisor or to the University CITO. No one should take it upon himself or herself to investigate the matter further without the authorization of the University CITO or General Counsel.
Awareness Prior to Obtaining Access to Confidential Information
All individuals should review the “Protection of Confidential Information – Summary of Responsibilities” document contained in Appendix E before being given access to confidential information contained within the University’s computer systems, networks and physical facilities.
Additional Requirements for Technology Managers
Technology managers are those individuals who manage computing and network environments where University information is stored, transmitted or processed, such as:
- Computer operating environments (e.g., Linux, Windows, Macintosh, etc.),
- Database management environments (e.g., Oracle, PostgreSQL, Access, etc.),
- Application environments (e.g., Banner, etc.),
- Network environments (e.g., electrical, optical, wireless networks, routers, switches, firewalls, etc.),
- Physical storage facilities (e.g., tape libraries, filing cabinets, etc.),
Technology managers are responsible for ensuring that specific data’s requirements for confidentiality, integrity and availability as defined by the appropriate Information Guardian are being satisfied within their environments. This includes the development of:
- A cohesive architectural policy,
- Product implementation and configuration standards,
- Procedures and guidelines for administering network and system accounts and access privileges in a manner that satisfies the security requirements defined by the Information Guardians, and
- An effective strategy for protecting information against generic threats posed by computer hackers.