IT Security Policy
11300.1 Purpose
Wright State University (WSU) is responsible for collecting, storing, and distributing very large amounts of information. Some of this information is federally legislated as private and must be protected in accordance with laws such as the Family Educational Rights and Privacy Act (FERPA) of 1974 (for student records), the Gramm-Leach-Bliley Act (GLBA) of 1999 (for personal financial information), the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (for personally identifiable health information), the Payment Card Industry Data Security Standard (PCI DSS), and government regulations controlling research data. All members of the university have a responsibility to protect information about our students and employees from public disclosure.
Protected Information
Information that is classified as "protected" (sensitive information) cannot be disclosed or disseminated to the public. Much of the information about our students and employees is considered protected.
- Social Security Number
- Birth Date
- Credit card security code
- Encoded magnetic strip information
- Health Information
- Student grades
- Gender
- Ethnicity
- Citizenship
- Citizen visa code
- Veteran and disability status
- Courses taken
- Schedule
- Test scores
- Advising records
- Educational services received
- Disciplinary actions
- Credit card numbers & expiration dates
This Wright State IT Security Policy is designed as a set of measures to protect the confidentiality, integrity and availability of sensitive data, such as those outlined above, as well as any Information Systems that store, process or transmit this data.
Note: Students have the right to withhold their directory information from being released by completing a "Directory Information Hold/Release Authorization" form. Once received, a confidentiality flag will be noted in the student information system to indicate that no directory information for that student is to be released. The existence of such a confidentiality flag must be confirmed before any directory (public) information is released for any student. Questions should be directed to the Registrar's Office.
11300.2 Scope
This policy applies to all faculty, staff, student employees, and any third parties designated as agents authorized to handle institutional data and/or access University computing systems.
Failure to comply with this policy may result in disciplinary action and/or the loss of use of university computing resources. The university also may refer suspected violations of applicable law to appropriate law enforcement agencies.
11300.3 General Privacy Guidelines
All employees and users of network computing resources at Wright State University have a role in protecting the university's information assets because their computers provide potential gateways to protected information stored on the network. Therefore, whether or not you deal directly with protected or confidential university information, you should take the following steps to reduce the risk of data theft:
- Don't give out information to someone you don't know
- Be alert to any incident that would indicate the possibility of identity theft. Please reference WSU's Identity Theft Prevention Program Policy for more information: University Policy 9610.
- Restrict access to information and systems to only those people who need it to perform their jobs
- Encrypt documents containing sensitive information before transmitting them via email, ftp, and other forms of electronic transmission. Do not include sensitive information in the body of an email unless the email is encrypted
- Regularly review the list of users who have access to systems that store protected information, and remove those who should no longer have the access
- Test internal processes to ensure data integrity and security
- Printed pages, CDs, DVDs, etc. should be stored in a locked cabinet when not in use and labeled as "PROTECTED"
- Immediately retrieve or secure protected documents that are printed on copy machines, fax machines, and printers
- Do not store sensitive data on cloud storage provided by 3rd party services such as Box, Dropbox, Microsoft OneDrive and OneDrive for Business, Google Docs, iCloud, etc. Classifications of sensitive data include the following:
- FERPA Information
The Family Educational Rights and Privacy Act of 1974 (FERPA) as amended sets forth requirements designed to limit the disclosure of student educational records. The law governs access to records maintained by educational institutions and the release of information from those records. In early 2009 new FERPA regulations took effect, which prohibit the public posting of grades by any part of the student UID number in addition to any part of the Social Security Number or name. Restrictions were also included requiring that information covered under FERPA be transmitted electronically in a secure manner. This includes transmission via email, ftp services, and other forms of transmitting information electronically.
For more information on FERPA: University Policy 3010
- Credit Card Information
Credit card data, including the expiration date, is sensitive, confidential information which must be stored in a secure manner and destroyed when it is no longer needed. Note that the maximum retention time to keep this data is 18 months. In addition, the credit card security code and encoded magnetic stripe information should never be stored. Sensitive credit card information such as the full 16 digit card number should never be stored on a computer hard drive, network drive, or portable device such as a flash drive.
For more information on the Cash Collection & E-commerce Policy and Procedures: University Policy 9120
- GLBA Information
Wright State University is committed to the ongoing protection of confidential financial information that it may collect from faculty, staff, students, alumni and others. The Gramm-Leach-Bliley Act ("GLBA"), 15 U.S.C. §6801, addresses the privacy of non-public identifying information and describes the necessity for administrative, technical and physical safeguarding of that type of information. GLBA mandates that the University develop, implement and maintain a comprehensive information security program (the "Plan") to ensure the safeguarding of Confidential Financial Information ("CFI"). The University obtains CFI from students, faculty, staff and others that may include, but is not limited to:
- Names
- Social Security Numbers
- Date and location of birth
- Gender
- Credit card numbers
- Driver's license information
- Salary history
- Personal check information
- Tax or financial information from a student or a student's parents
- HIPAA Information
The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection of private health information for individuals. HIPAA requires that an individual's medical records be safeguarded and kept confidential. HIPAA-related data must be available only to those with sanctioned access and must be encrypted when transmitted electronically.
11300.4 Password Standards
The following are general password policies applicable for network, system resources and internet access use:
- Users must abide by policies stated in the WSU Computing and Telecommunications Account Policy Statement
- CAMPUS passwords and user logon IDs should be unique to each authorized user.
- CAMPUS passwords will follow the standard set forth on the WINGS portal: http://wings.wright.edu
- CAMPUS passwords will be kept private i.e., not shared, coded into programs, or written down.
- CAMPUS passwords for faculty and staff will be changed every 180 days. Student passwords will be changed every 5 years. Systems will enforce password change with an automatic expiration and prevent repeated or reused passwords. Faculty and staff opting in to two-factor authentication are not required to change W# account passwords unless a compromise of the password is suspected.
- CAMPUS user accounts will be locked after 9 failed logon attempts. All failed login attempts will be recorded.
- Successful systems logons should display the date and time of the last logon and logoff.
- Logon IDs and passwords are suspended if a client is not authorized during the current term, unless authorized by the Computing and Telecommunications Account Policy Statement.
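The two standards above that a system can mechanically verify are the lockout after 9 failed logon attempts (with every failure recorded) and the 180-day / 5-year password expiry with the two-factor exemption. The following is an added audit helper written for this page, not CaTS tooling or code from the policy; the log line format ("timestamp user FAIL|SUCCESS"), the account record fields, and the assumption that a successful logon resets the failure count are all choices made for the example, and the log lines and account records are constructed sample data.

```python
"""
Added example (not part of the WSU policy text): checks two 11300.4 standards
against constructed records.
  * accounts lock after 9 consecutive failed logon attempts (failures are recorded)
  * faculty/staff passwords expire after 180 days, student passwords after 5 years;
    staff opted into two-factor authentication are exempt from rotation
The log format, field names and reset-on-success rule are assumptions of this example.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import date, timedelta
import re

LOCKOUT_THRESHOLD = 9                               # 11300.4: lock after 9 failed attempts
MAX_AGE = {"staff": timedelta(days=180),            # 11300.4: faculty/staff every 180 days
           "student": timedelta(days=5 * 365)}      # 11300.4: students every 5 years

# Assumed record format: "<ISO timestamp> <user> <FAIL|SUCCESS>", one logon per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(FAIL|SUCCESS)$")

# Constructed sample log: alice fails twice, succeeds, fails once (never locked);
# bob fails 9 times in a row (locked on the 9th); carol fails 8 times (not locked).
SAMPLE_LOG = "\n".join(
    ["2024-03-01T08:00:01 w001alice FAIL",
     "2024-03-01T08:00:05 w001alice FAIL",
     "2024-03-01T08:00:09 w001alice SUCCESS",
     "2024-03-01T08:00:30 w001alice FAIL",
     "garbage line that does not parse"]
    + [f"2024-03-01T08:01:{i:02d} w002bob FAIL" for i in range(9)]
    + [f"2024-03-01T08:02:{i:02d} w003carol FAIL" for i in range(8)]
)

# Constructed sample account records; "today" is fixed so the result is reproducible.
TODAY = date(2024, 3, 1)
ACCOUNTS = [
    {"user": "w002bob", "role": "staff", "last_change": date(2023, 8, 1), "two_factor": False},
    {"user": "w004dan", "role": "staff", "last_change": date(2023, 8, 1), "two_factor": True},
    {"user": "w003carol", "role": "student", "last_change": date(2020, 1, 1)},
    {"user": "w005eve", "role": "student", "last_change": date(2018, 1, 1)},
]


def find_lockouts(log_text: str, threshold: int = LOCKOUT_THRESHOLD) -> dict[str, str]:
    """Return {user: timestamp} for each account whose run of consecutive FAIL
    records reaches the threshold. A SUCCESS resets the run (assumed semantics;
    the policy states only the count). Malformed lines are skipped, not fatal."""
    streak: dict[str, int] = defaultdict(int)
    locked: dict[str, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, result = m.groups()
        if user in locked:
            continue                    # already locked; record the first trigger only
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= threshold:
                locked[user] = ts
        else:
            streak[user] = 0
    return locked


def expired_passwords(accounts: list[dict], today: date) -> list[str]:
    """Return users whose password age exceeds the limit for their role.
    Staff opted into two-factor authentication are exempt, as the policy states."""
    expired = []
    for acct in accounts:
        if acct["role"] == "staff" and acct.get("two_factor"):
            continue
        if today - acct["last_change"] > MAX_AGE[acct["role"]]:
            expired.append(acct["user"])
    return expired


if __name__ == "__main__":
    print("locked accounts:", find_lockouts(SAMPLE_LOG))
    print("passwords past rotation limit:", expired_passwords(ACCOUNTS, TODAY))
```

Run stand-alone, the script reports w002bob as locked at the ninth failure and lists w002bob and w005eve as overdue for rotation, while w004dan is skipped because of the two-factor exemption. Lowering the threshold argument shows how many accounts would have been caught under a stricter setting, which is a useful check when tuning a lockout policy against real failure logs.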
11300.5 Password Best Practices
Every user is responsible for keeping their password secure. The following are some best practices which help keep your password a secret:
- Do not write your passwords on sticky notes or other pieces of paper around your desk.
- Do not share your passwords with anybody. Computing and Telecommunications Services (CaTS) will never ask for your password. If you receive an email purported to be from CaTS requesting your password, it is likely an attempt to gain your credentials by a fraudulent source.
- Do not hide your passwords under your keyboard. This is like hiding your house key under the door mat—crooks know to look there! Try to memorize your password.
- Avoid logging into your Wright State accounts from third party computers. It is difficult to know for certain whether other computers have been compromised with a computer virus or a key logger. Be especially cautious if your user account has access privileges to highly sensitive areas such as Banner.
11300.6 Operating System Updates
- Operating System updates are small programs or files that patch operating systems (such as Windows) against known problems. These updates are crucial in defending against new viruses and attacks. Hackers are constantly looking for vulnerabilities in operating systems and programs, and can easily find and infiltrate a computer that has not been properly patched.
- For CaTS managed computers on the Wright State University network (normally defined as faculty, staff, and administrative computers), security updates are automatically installed from our update server. For students living in the residence halls, or home users, your computer should be set up to automatically download and install critical updates. For specific directions on how to do this for your particular operating system, please call the CaTS Help Desk.
- All systems connected to WSU's network should have a vendor supported version of the operating system installed.
- All systems connected to WSU's network must be current with security patches.
11300.7 Virus Protection
- A computer virus is a program that implants instructions into your computer programs or storage devices that can then attack, scramble, or erase computer data. The destructiveness of viruses lies in their ability to replicate themselves and spread from system to system. It is very important to have anti-virus software running on your computer and to keep it up to date so that new viruses can be detected.
- CaTS requires all computers connected to the Wright State network have up-to-date anti-virus software. For CaTS supported systems on campus (faculty and staff offices), this is done automatically. Disabling anti-virus software is prohibited.
11300.8 Spyware Protection
- Spyware is any software that watches your computing activity and collects personal data without your permission. It can be hidden in programs that you download from the Internet. Once you install that program, the spyware can monitor your activity and send that information to someone else. Email addresses, web browsing habits, usernames, and passwords are just some of the data that spyware can collect. This data can then be used for identity theft, marketing, spam, and other activities. Along with the ability to steal your information, spyware also consumes large amounts of memory on your computer, making it more unstable and prone to crashing.
- To reduce the amount of spyware on your computer, all computers connected to the Wright State University network are required to have actively updated spyware protection software installed if available for that operating system.
11300.9 Firewall Protection
A firewall is a system that is designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software formats. Here at Wright State University, CaTS maintains both hardware and software perimeter firewalls for the entire campus community that control internet traffic in and out of our network. For individual computers, personal desktop firewalls, such as Windows Firewall, must be enabled to help prevent unauthorized access.
11300.10 Email
Keep in mind that email is not secure. Never put sensitive information, such as Student Grades, Social Security Numbers, Credit Card information, or Bank Account Numbers into any part of your email or email attachments unless the email and attachment are encrypted.
- Faculty and staff: Please note that any attachments containing Protected information must be encrypted before being sent via email.
- When sending an encrypted message through email, never place the password to unlock the file in an email.
- Do not forward documents or emails containing institutional data to outside email accounts without first checking with your manager and/or the Department of Information Security.
- In addition to the above security concerns the following apply:
- Forgery (or attempted forgery) of electronic mail messages is prohibited.
- Attempts to read, delete, copy, or modify the electronic mail of other users are prohibited.
- Attempts at sending harassing, obscene and/or other threatening email to another user are prohibited.
- Use of electronic mail services for purposes constituting clear conflict of WSU interests or in violation of Policy for Responsible Use of Information Technology is expressly prohibited.
- The use of email in any way to facilitate the conduct of a private commercial purpose is prohibited.
- The contents of email messages will not be considered private and are subject to the Sunshine Laws.
- Users may not use WSU CaTS' mail servers for any purpose prohibited by this policy or applicable state and federal laws.
11300.11 Instant Messaging (IM) Applications
Instant messaging software is not a secure form of communication. Information transmitted via these software packages is not typically encrypted and travels outside of the university network environment to arrive at its destination even if that destination is another individual at Wright State University. The following should be adhered to when using this type of software:
- Do not transmit Institutional Data, including Protected data, in an instant message or via a file transfer or any other means of communication these programs provide.
11300.12 Data Integrity
Protecting the integrity of data is essential to the overall health of the university's information. You can accomplish this in a number of ways, most notably through using data encryption methods, backing up the data on a regular basis, using Virtual Private Network (VPN) software when connecting to university information from remote locations, and securing all devices and equipment.
For more information concerning CaTS VPN please see the attached VPN Policy Link.
- Encryption
Encryption is the process of transforming information from clear or plain text into a non-readable format so that only the intended reader can understand or change the message content. Encryption ensures privacy. It is a way to keep prying eyes from reading confidential information that is sent across the public internet.
Certain software applications have encryption methods embedded in them for sending and receiving secure information and for the storage of information. There is also third party software available that can be used to encrypt information. For directions on encrypting files, see the "Encryption" area at the CaTS Computing Habits link.
- Backups
One of the most important steps you can take to ensure that the integrity of your data is protected is to backup your files on a regular basis. Data loss can come at any time and for a number of reasons:
- Theft of computer
- File corruption
- Hard drive failure
- Accidental deletion of a file or files
- Viruses
- Natural disasters
Perform a backup of your files at least once a week, and back up critical files more often if they change. If you need assistance in backing up your files, contact the CaTS Help Desk and they will be glad to assist you. If files are stored on the network shared drive or network personal storage space, backups are performed by CaTS on a nightly basis.
- VPN Software
Use of the University's Virtual Private Network is set forth in the CaTS VPN Policy.
- Mobile and Cellular Devices
Information stored on laptop computers, cellular phones, thumb drives, and other similar mobile devices is susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure—even networks using certain types of encryption are vulnerable to intruders. The following rules apply to all mobile devices:
- All university owned laptops must utilize full disk encryption unless an exception is granted. Contact the CaTS Help Desk to make an exception request.
- Encrypt documents containing sensitive information before they are placed on portable devices, unless the entire drive or data storage of the device is encrypted.
- Smart phones capable of receiving email should be configured to connect to our server via secure IMAP—Post Office Protocol is not to be used.
- Protect and secure mobile devices from theft at all times.
- Use CaTS VPN when transmitting sensitive information via wireless technologies.
- Use personal firewalls on laptops that will access the WSU Network from a remote location.
- Password protect mobile devices.
- Report any loss or theft of a mobile device containing sensitive information to the Department of Information Security.
- Backup the data on your mobile devices on a regular basis—backup media should be stored in a secure location or the backup should be encrypted.
- Bluetooth wireless is to be disabled to protect mobile devices from unauthorized access.
- Security of Surplus Equipment
When university owned computer systems reach the end of their usefulness in your department, you have the option to surplus that equipment through ESPM. However, this presents its own share of security risks that need to be addressed. Due to the significant risk of sensitive information leaving the university on hard drives that have not been properly erased, all computers (desktops and laptops) that are being sold through ESPM must have their hard drive removed by CaTS before being processed through ESPM. CaTS will ensure proper disposal of the drive. To arrange a removal, contact the CaTS Help Desk.
- Security of Physical Media
Ensuring the confidentiality of information requires that all physical media (CDs, DVDs, hard drives, etc.) be disposed of properly. This means that, in addition to being properly erased before being discarded, hard drives must also be erased before being returned for any type of warranty work. Additionally, other media such as CDs, DVDs, and paper must also be carefully destroyed if they contain Protected information. CDs and DVDs should be broken into multiple pieces, and paper documents should be shredded. If assistance is needed in properly disposing of any physical media, contact the CaTS Help Desk.
11300.13 Incident Handling
- The Office of Information Security will oversee information security incident handling in cooperation with designated Technical Managers, Office of General Counsel, University Police Department, Office of Student Affairs (only where students are involved), and other designated support staff.
- Any person who suspects, receives notification of, or discovers an information security incident must contact the Office of Information Security and responsible IT department and file an incident report prior to taking any action.
- To report an incident, see the CaTS Report an Incident Link.