University of Wisconsin-River Falls Administrative Policy Paper
Number: AP 36
Date Issued: July 1, 2004
Subject: Information Security

1.0 POLICY/PURPOSE:

This policy identifies the practices and requirements for faculty, staff, students and other university constituents with regard to the security of the university's information resources.

2.0 OVERVIEW/BACKGROUND:

This policy was developed in order to be compliant with:

The Gramm-Leach-Bliley Act;
The Federal Trade Commission's Safeguard Rule; and
The requirements of the University of Wisconsin System Legal Office.

This policy supplants the previous Data Security Policy.


3.0 UNIVERSITY RESPONSIBILITIES:

This policy will be administered by the Chief Information Officer (CIO).

4.0 DEPARTMENT/UNIT RESPONSIBILITIES:

All university faculty, staff, students and constituents are required to abide by this policy.

5.0 PROCEDURE:

University of Wisconsin-River Falls
Information Security Policy
Section I.
Privacy Protection

The University of Wisconsin-River Falls is committed to safeguarding all personally identifiable information we obtain about our students, staff, other constituents and visitors, whether internal or external. The only personally identifiable information the university collects via electronic mail, administrative systems or the campus web site, including those web sites currently being maintained by third-party, trusted providers, is that which is voluntarily provided by our constituents and visitors. Tracking information is collected and analyzed so that we may improve our service offerings to our users. This tracking information is kept confidential to the University of Wisconsin-River Falls.

The University of Wisconsin-River Falls will share personally identifiable information about its students, per FERPA standards and definitions, with entities external to the UW System only when:
· We have your consent to share the information;
· We need to send the information to companies/agencies who work on behalf of the University of Wisconsin-River Falls. These companies do not have and will not be granted any right to use the personally identifiable information we provide to them beyond what is necessary to assist us;
· We respond to legally issued subpoenas, court orders or a legal process;
· We find it necessary to protect and defend the legal rights or property of the University of Wisconsin-River Falls;
· We must comply with Federal or State law.

Section II.
Access, Security and Control of Data and Information Policy

Purpose and Scope

The University of Wisconsin-River Falls maintains both paper records and computer information systems to carry out its educational mission. Federal and State laws and regulations govern access to these records. The university establishes local policies and procedures to ensure compliance with these laws and regulations and to protect the integrity of university records and the privacy of individuals. The following policy statements are applicable to all areas of the university and must be observed by all persons dealing with such information, including all university employees and students, as well as other individuals or entities that share university information for business purposes.

Policy and Principles

Data contained in the university's information systems are the property of the University of Wisconsin-River Falls and represent official university records. Exceptions to this policy are: faculty developed curricular material, student developed curricular material, certain licensed information such as electronic journal subscriptions and personal data or personal information that may be temporarily stored on a university owned electronic device. Questions regarding exemptions should be discussed with the university legal counsel.

Users who accept access to university data, regardless of the medium, also accept responsibility for adhering to certain principles regarding the use and protection of that data. These principles are:

1. Information systems within the university shall be used only for and contain only data necessary for fulfillment of the university's mission.

2. University data shall be used solely for the legitimate business of the university.

3. Due care shall be exercised to protect university data and information systems from unauthorized use, disclosure, alteration or destruction.

4. Personally identifiable university data, regardless of who collects or maintains it, shall only be shared among those faculty or staff whose responsibilities require knowledge of such data.

5. Summary data that contains no personally identifiable information may be distributed freely at the university's discretion.

6. Applicable federal and state laws and university policies and procedures concerning storage, retention, use, release, transportation and destruction of data and/or all information systems, content and components shall be observed.

7. Appropriate university procedures shall be followed in reporting any breach of security or compromise of safeguards.

8. University computerized information systems shall be constructed in such a manner to assure that:

a. Accuracy and completeness of all system contents are maintained during storage and processing;
b. Data, text and software stored and processed can be traced forward and backward for audit purposes;
c. Information system capabilities can be reestablished in the event of infrastructure or equipment failures or calamities within an acceptable period of time;
d. Actual or attempted breaches of security can be detected promptly.

9. Any employee engaging in, or allowing others to engage in, unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action. All employees making use of university information systems shall be informed annually as to their proper, ethical and legal use.

10. Any student engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action. All students making use of university information systems shall be informed annually as to their proper, ethical and legal use.

11. Users may not use, query, release or print data in any application to which they have not been given deliberate access, which can include but is not limited to:

a. Transcripts, grade reports, enrollment reports;
b. Financial Aid information;
c. Personnel, leave, salary reports;
d. Reports for government or funding agencies;
e. Fund-raising activities;
f. Mailing lists and labels; and
g. Private or public release of data to outside parties such as students, parents, and the news media.

12. The university shall take steps to ensure that proper consent has been granted by users for the use of electronic transactions. Such consent shall be considered in effect from the point in time that it is consented until such time as the on-going relationship between the university and the user is severed. Should a severed relationship be renewed, a new consent must be granted by the user. Should any changes in the university's business practices occur that have a substantive effect on this consent, a revised consent must be granted which will supersede the previous consent.

13. All requests for information under the Freedom of Information Act, the Wisconsin Public Records Law, law enforcement agencies, subpoenas, etc. must be referred to the university administration before releasing any records. Records will only be released at the direction of the Vice Chancellor for Administration and Finance, the Provost, the Chancellor or their properly designated representatives in concert with established policies and procedures.

Responsibilities

Safeguarding of university information systems and data shall be the responsibility of each faculty, staff or student with knowledge of the system or data. Specific responsibilities are as follows:

· Management - All levels of management are responsible for ensuring that system users within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, managers are responsible for validating the access requirements of their staff and student employees according to their job functions prior to submitting requests for access, and for ensuring a secure office environment with regard to university information systems. Managers of major university offices should appoint an individual within their staff to ensure these responsibilities are observed. Managers are also responsible for ensuring that their staff and student employees attend appropriate training sessions offered by the university. Managers are also responsible for ensuring that their staff and student employees are in compliance with laws, regulations and local policies.

· Employees - Faculty, staff, and student employees are responsible for the protection, privacy, and control of all university data they access or create, regardless of the data storage medium. All employees must ensure that the data and data media are maintained and disposed of in a secure manner. Employees are responsible for reading and understanding the Acceptable Use Policy, E-mail Policy, eSIS Data Access Policy and FERPA Policy, and for complying with these policies and practices. All employees are responsible for understanding the meaning and purpose of the data to which they have access, and may use this data only to support the normal functions of the employees' administrative or academic duties. All employees are responsible for all transactions occurring under their user ID. Passwords and other security access secrets may not be shared with anyone under any circumstances unless the Chief Information Officer, in consultation with the university administration, approves an exception.

· Students - Students are responsible for protecting their passwords and other security access secrets so that no unauthorized persons would have access to their university records. Students are responsible for reading and understanding the Acceptable Use Policy, E-mail Policy, and Student Handbook, and for complying with these policies and practices. Students should participate in university sponsored training sessions to improve their understanding of how to safeguard their own privacy.

· The Chief Information Officer is responsible for providing administrative, technical and educational support in the area of information security for all users of the information systems. This support includes but is not limited to: computer account management; system and network security administration; firewall management; and an information security education program.

Responsibility for Implementation

The Chief Information Officer serves as the coordinator of the Information Security Policy of the University of Wisconsin-River Falls.

Responsibility for Interpretation

The Chief Information Officer will consult with the university administration regarding interpretation of this policy. Final authority for interpretation rests with the university administration.

Section III.
Compliance with FTC Safeguard Rules

The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of personal information that is collected from customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information. The FTC has ruled that colleges and universities are financial institutions for the purposes of this Rule, and must be in compliance by May 23, 2003.
