Data Confidentiality and Security Policy

Section: Information Systems
Approved By: Dr. Pamela J. Transue, 08/19/10
Last Review: Unknown
Last Revision: 08/19/2010
Prior Revisions: None
Initial Adoption: 10/13/2008

Policy

Security and Confidentiality of Data

  • Sensitive information is not recommended for storage on mobile devices or portable media.  When alternative methods of access as described below are not practical or feasible, sensitive information stored on mobile devices or portable media must be protected by additional security in the form of encryption or other College-approved protection methods.  Employees who are unsure of how to best employ these technologies are required to consult with computer center staff to ensure a properly functioning installation.
  • Confidential information must not be stored on mobile devices or portable media.  This includes reports, documents, spreadsheets, email messages, email attachments, memoranda, and confidential information from any source.  On-campus access to such digitally stored information is provided through the College’s local area network.  Remote access to digitally stored confidential data is provided through the College’s Virtual Private Network (VPN) service.
  • Exceptional circumstances that require confidential information to be stored on a mobile device or portable media must be approved in advance by an administrative-level supervisor in a written approval describing the data elements and the duration of the exception.  When confidential information is approved for use in this way, additional security in the form of encryption or other College-approved measures must be employed.  Employees are required to consult with computer center staff to ensure a properly functioning installation.  Data stored under these circumstances will be deleted at the approved expiration date.
  • Email messages are sent across the network unencrypted and are easily forwarded to off-campus addresses.  Email messages and attachments should not contain confidential information.  Shared network drives and other secure methods of sharing confidential information are available.  Please contact the computer center staff for help with these issues.
  • College-owned mobile devices may be equipped with location tracking and remote file deletion features.  These features are not routinely enabled.  However, if the device is determined to be lost or stolen, the College will turn on the location tracking features and may implement remote file deletion as part of the recovery process.

Physical Device Security

  • Mobile devices and portable media, when not in your physical possession, must be kept behind locked doors or other physically secure environments.  Leaving any device containing sensitive or confidential information in an automobile is not considered secure.
  • Mobile devices and portable media containing sensitive or confidential information are never loaned to others.

Purpose

To protect the integrity, confidentiality and security of information entrusted to the College by its employees, students and the community.

To Whom Does This Policy Apply

This policy applies to all users of the College’s information systems and services.

References

TCC Board of Trustees Policy Manual

Definitions

Mobile Devices - include mobile computers, personal digital assistants (PDAs), smart phones, and other mobile devices capable of transmitting, viewing or storing data.

Portable Media - includes USB flash drives, memory sticks, CD-ROM discs, printed documents, floppy diskettes and any other portable storage media.

Data Categories

  • Normal - The least restrictive class of data. Although it must be protected from unauthorized disclosure and/or modification, it is often public information or generally releasable under college procedures for processing public records requests. Examples include class schedules, course catalogs, general ledger data, information commonly published in directories, and employee demographic statistics.
  • Sensitive - This class includes data which is required by law to enjoy specific protections or for which agencies are obligated to prevent identity theft or similar crimes or abuses. Examples include people’s names in combination with any of the following: driver’s license numbers, birth date, employee identification number, student identification number, and education records including papers, grades, and test results.
  • Confidential - These data elements are passwords in the traditional sense or items that function in the role of an access control such as credit card numbers, expiration dates, PINs, or card security codes.  Confidential Information includes, but is not limited to, Social Security numbers, personal financial information, credit card information, medical data, law enforcement records, agency security data, financial identifiers, business records, or information about receipt of governmental services.

Procedure

Incumbent employees were educated regarding the importance of this issue in the fall of 2008 and asked to sign a copy of the agreement.  The agreement is included in all new employee orientations.