UNIVERSITY OF WISCONSIN River Falls
UW-River Falls Administrative Policy
This policy identifies the practices and requirements for faculty, staff, students and other university constituents regarding the security of the university's information resources.
The UW-River Falls Chancellor issues this policy in accordance with the Administrative Policy process.
The Division of Technology Services is responsible for the administration of this policy.
Request an exception to this policy by writing to firstname.lastname@example.org.
Failure to adhere to the provisions of this policy may result in appropriate disciplinary action as provided under existing procedures applicable to students, faculty, and staff, and/or civil or criminal prosecution.
The University of Wisconsin-River Falls is committed to safeguarding all personally identifiable information we obtain about our students, staff, other constituents and visitors, whether internal or external. The only personally identifiable information the university collects via electronic mail, administrative systems or the campus web site, including those web sites currently being maintained by trusted third-party providers, is that which is voluntarily provided by our constituents and visitors. Tracking information is collected and analyzed so that we may improve our service offerings to our users. This tracking information is kept confidential to the University of Wisconsin-River Falls.
The University of Wisconsin-River Falls will share personally identifiable information about its students, per FERPA standards and definitions, to entities external to the UW System only when:
The University of Wisconsin-River Falls maintains both paper records and computer information systems to carry out its educational mission. Federal and State laws and regulations govern access to these records. The university establishes local policies and procedures to ensure compliance with these laws and regulations and to protect the integrity of university records and the privacy of individuals. The following policy statements are applicable to all areas of the university and must be observed by all persons dealing with such information, including all university employees and students, as well as other individuals or entities that share university information for business purposes. This policy shall not conflict with or supersede any federal or state mandate governing the protection of data for which University departments may be custodians.
Data contained in the university's information systems are the property of the University of Wisconsin and represent official university records. Exceptions to this policy are: faculty-developed curricular material, student-developed curricular material, certain licensed information such as electronic journal subscriptions, and personal data or personal information that may be temporarily stored on a university-owned electronic device. Questions regarding exemptions should be discussed with the Chief Information Officer.
Users who accept access to university data, regardless of the medium, also accept responsibility for adhering to certain principles regarding the use and protection of that data. These principles are:
Safeguarding of university information systems and data shall be the responsibility of each faculty member, staff member or student with knowledge of the system or data. Specific responsibilities are as follows:
The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of personal information that is collected from customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information. The FTC has ruled that colleges and universities are financial institutions for the purposes of this Rule, and must be in compliance by May 23, 2003.
The Payment Card Industry Data Security Standard (PCI-DSS) is a framework of security requirements, technology techniques and staff protocols that were established to encourage the safe processing of electronic financial transactions using a "credit" or "debit" card. These requirements are imposed on university merchants by the financial institutions that process these transactions on our behalf. All university employees are required to comply with these requirements and must remain diligent in maintaining them daily to prevent a breach of financial information. The University Controller, in conjunction with the Chief Information Officer, or their designees, are responsible for overseeing that all applicable laws, rules, regulations, policies and practices are accounted for in the payment processing chain. Departments are responsible for a portion of the campus-wide costs to maintain PCI-DSS safe technology environments and may also incur directly associated fees of compliance and non-compliance.
This policy (AP-05-301) sets out to satisfy PCI-DSS Version 3.0 Requirement 12.1, under which the University shall "establish, publish, maintain and disseminate a security policy." Any campus merchant that is processing transactions that involve a credit card in any manner must comply with PCI-DSS and have a formal PCI-DSS security policy in their department that complies with PCI-DSS requirements. It is the responsibility of departmental management to contact the University Controller or designee to establish a PCI-DSS security program prior to beginning any efforts to acquire credit card transactions. Each merchant must comply with all requirements at the direction of the University Controller and Chief Information Officer, or designees, both before and while processing credit card transactions.
All departments wishing to transact electronic payments through any means, regardless of method or technology used now or in the future, are required to receive approval from the University Controller and Chief Information Officer prior to doing so. The Chief Information Officer, in conjunction with the University Controller, is responsible for overseeing that the department meets all applicable laws, rules, regulations, policies and practices throughout the payment processing chain.
All faculty, staff, students and University constituents shall, immediately upon detection or suspicion of a breach of personally identifiable information (PII) or financial information, report the breach to the Chief Information Officer.
Sensitive Information: SSN, Credit Card Number, Driver's License, University Passwords, Passport number, Financial account numbers, student class rosters, student ID numbers, and personal health information.
University departments, staff and constituents shall not transmit sensitive information through insecure transmission methods, including email, instant messaging, learning management systems, social media networks, third-party file sharing applications or any other method not under the direct control of the Division of Technology Services.
The Division of Technology Services, Chief Information Officer and/or Chief Information Security Officer should be consulted about any process prior to using a method of information sharing, so that they can assist with ensuring compliance with this guideline.
If an email communication requests that someone give or submit sensitive information, either of the following requirements must be met:
If either of these requirements cannot be met in their entirety, the email communication must be cleared by the Chief Information Officer.
This policy was developed in order to be compliant with:
Please direct questions about this policy to email@example.com.