Hamilton College

Administrative Information Systems

Security Policy and Procedures

Approved by the IT Committee

(December 2004)

Table of Contents



Definition of Administrative Information

Employee Information

Family Educational Rights and Privacy Act (FERPA)

Student “Directory Information”, as defined by FERPA

Gramm-Leach-Bliley Act (GLBA)

Security Administration


Student Employees

Web Access to Information

Department Security Manager Responsibilities

Anti-Virus Software

Critical Security Patches (Windows computers only)

Unattended Computers

Equipment Security

Printed reports


Acknowledgement Form

Employee Confidentiality Agreement

We acknowledge the help of Amherst College whose Project Possibility document was the starting point for our work.

–  –  –

Administrative Information is categorized into three levels: Confidential, Sensitive, and Public. (Page 5)

Employee Information (other than directory information as published in the Hamilton College Telephone Directory) is confidential and must be protected. The Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA) specify obligations that Hamilton College must fulfill with respect to information security. (Page 6)

All requests for administrative system account activity (adds, changes, or deletions) must be submitted using the new web form available on the ITS website. (Page 7)

Every employee (including student employees) must access the system using their assigned account and password. Passwords must NEVER be shared for any reason! (Page 8)

Administrative information is available in WebAdvisor, the My Hamilton portal, and in other web-based applications and is subject to the same privacy restrictions. (Page 9)

Department Security Managers are responsible for authorizing and monitoring access to the administrative system in their respective areas. They must work with ITS to promote this policy and assist users in their area with understanding the appropriate use of information resources. (Page 9)

All Hamilton College owned computers must be equipped with up-to-date Anti-Virus software and must be current on Critical Security Patches. (Page 9)

Users must log out when leaving their computers unattended. (Page 10)

Equipment, especially laptops and portable devices, must be secured from theft. Data should be stored on a network drive rather than on the physical drive in the computer. (Page 10)

Printed reports containing administrative data must be secured and appropriately disposed of when they are no longer needed. (Page 10)

Security of administrative information is a partnership between ITS, the Designated Security Managers and all users of the information resources. (Page 10)

Overview

Electronic information at Hamilton College is stored on central servers and on individual desktop computers. This networked environment also poses significant risk to the security of information.

Protecting this College resource is a shared responsibility between Information Technology Services (ITS) and the individual users of that information. This policy covers information maintained by administrative offices of the college related to the business of the college and accessed by members of the college community.

Network security, including firewall technology, has been implemented to protect servers and departmental workstations from unauthorized access through the Internet. Staff in administrative offices connect to secured computers through a firewall. The IP address of each administrative computer is registered in the firewall, permitting the user of that computer to access the Datatel system.

The person still needs a valid username and password to access information on the system. Off-campus access to these servers is currently in the testing stages and will be provided through a secure Virtual Private Network (VPN) complete with encryption and an additional layer of password security.

Desktop computers in administrative offices provide the most vulnerable point of access to administrative information. Staff in administrative offices must physically protect their computers, including laptops, from unauthorized access and theft. All administrative information including word processing documents, spreadsheets, databases, schedules, etc. must be backed up on a regular basis to protect information from inadvertent deletion or computer failure.

In addition to network security, a fundamental layer of protection is the logical security plan. This plan is the key to protecting administrative information and describes the procedures by which system privileges are granted, passwords maintained, security monitored and issues communicated.

Access to information will be authorized by the department head or designated Department Security Manager and centrally assigned by System Administrators in ITS. Inquiry Access to administrative information will be authorized on a ‘need to know’ basis. Maintenance Access to processes will be authorized based on job responsibilities.

Employees, including students, granted access to institutional data may do so only to conduct College business. In this regard, employees must:

Respect the confidentiality and privacy of individuals whose records they access

Observe ethical restrictions that apply to the data to which they have access

Abide by applicable laws or policies with respect to access, use, or disclosure of information

Employees, including students, may not:

Disclose data to others, except as required by their job responsibilities

Use data for their own personal gain, nor for the gain or profit of others

Access data to satisfy their personal curiosity

Employees and students who violate this policy are subject to the investigative and disciplinary procedures of the College.

Definition of Administrative Information

Administrative information is any data related to the business of the College including, but not limited to, financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the departmental and office level as well as centrally, regardless of the media on which they reside. Administrative information does not include library holdings or instructional notes unless they contain information that relates to a business function.

The College recognizes administrative information as a College resource requiring proper management in order to permit effective planning and decision-making and to conduct business in a timely and effective manner. Employees are charged with safeguarding the integrity, accuracy, and confidentiality of this information as part of the condition of employment.

Access to administrative systems is granted based on the employee’s need to use specific data, as defined by job duties, and subject to appropriate approval. As such, this access cannot be shared, transferred or delegated. Failure to protect these resources may result in disciplinary measures being taken against the employee, up to and including termination.

Requests for release of administrative information must be referred to the office responsible for maintaining those data. The College retains ownership of all administrative information created or modified by its employees as part of their job functions. Administrative information is categorized into three levels:

Confidential information requires a high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure could adversely affect the ability of the College to accomplish its mission as well as records about individuals requiring protection under the Family Educational Rights and Privacy Act of 1974 (FERPA), and Gramm-Leach-Bliley Act (GLBA).

Confidential information includes, for example, salary information, social security numbers, alumni gifts and student academic records.

Sensitive information requires some level of protection because its unauthorized disclosure, alteration, or destruction might cause damage to the College. It is assumed that all administrative output from the administrative database is classified as sensitive unless otherwise indicated.

Sensitive information includes, for example, class lists, facilities data and vendor data information.

Public Information can be made generally available both within and beyond the College. It should be understood that any information that is widely disseminated within the campus community is potentially available to the public at large.

Public information includes, for example, directory information.

Employee Information

All aspects of personnel records are confidential. “Directory information for faculty and staff as published in the Hamilton College Telephone Directory is public (this includes the printed and Web directories). Directory information will include the following:

Printed directory: name, home address, home telephone, department, position title, campus address, campus phone and email address. Employees may request that home address and home telephone remain confidential and not appear in the printed directory.

Web (on-line) directory: name, photo, department, position title, campus address, campus phone and email address. Employees may request that their photo not appear in the Web directory.”

All other employee related data, especially that which is available to users outside Human Resources such as social security number and birth date, must be vigilantly safeguarded and treated as confidential.

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) of 1974 governs all information about students, current and former, maintained by Hamilton College. FERPA generally requires that Hamilton College have the student's written permission to release any information from their records except certain types of "directory information."

Student “Directory Information”, as defined by FERPA

Certain information, classified as “directory information”, is available for public consumption unless the student specifically directs that it be withheld. The student should direct the Registrar’s Office not to disclose such information prior to the fourteenth calendar day of each semester. Former students should contact the Communications and Development Office.

Public directory information as defined by the law and the College includes: student’s name, home and campus address, e-mail address, telephone listing, parents’ name and address(es), date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, photograph and the most recent previous educational agency or institution attended.

Gramm-Leach-Bliley Act (GLBA)

This law mandates extensive new privacy protection for financial information colleges maintain about individuals. The college must “develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards” appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer information at issue. (NACUBO Advisory Report, January 13, 2003)

One of the required elements of this security program (as detailed in the NACUBO Advisory Report) is the designation of an employee to coordinate the information security program. Any questions or issues with this policy should be addressed to the program coordinator:

–  –  –

The Administrative Account Request Form must be completed by the Department Security Manager to authorize, modify or remove user privileges. Security is established in discrete “levels” within a department. For example, the Admission Office may have pre-established security classes called ADM.STUDENT.EMPLOYEE, ADM.DATAENTRY, ADM.ADMISSION.OFFICER, and ADM.MANAGER. It is acceptable and desirable to place employees into the security profile that is appropriate for the job functions they will perform. Note that requesting the same access as [person x] (where person x is another employee with the same job functions within the department) is allowable.

If you do not specify a particular “level” of security or “same as person x”, you must provide a detailed list of the menus and mnemonics that the employee should be granted access to. Security is explicitly granted by individual menus, screens and processes within the Datatel system.

The Administrative Account Request Form is a web form and is available on the ITS web site at http://my.hamilton.edu/college/its/colleague_benefactor/account_requests/default.html

After the form has been submitted, it is automatically forwarded to the System Administrator for action. Requests for account actions are usually completed within one business day. If you have any reason to follow up with additional information after submitting the form, you may send an email message to cis@hamilton.edu or call 5CIS (5247).

Procedure for creation of NEW accounts:

1. Department Security Manager explains the Security Policy to the new employee and provides a written copy of the Security Policy.

2. The employee signs the Security Policy Acknowledgement/Employee Confidentiality Agreement form. This form is sent via campus mail to the CIS team.

3. Department Security Manager fills out the Administrative Account Request Form on the ITS website containing specific details about the Administrative processes the user should have access to.

4. System Administrator creates the login and assigns the appropriate security classes.

5. System Administrator sends the login and password in a sealed envelope, or delivers them, to the new employee.

6. System Administrator files the signed Security Policy Acknowledgement/Employee Confidentiality Agreement form and the Administrative Account Request Form (copy of email).
