Applies to: Faculty, Staff, Students, Contractors/Vendors
Protecting College Data is a shared effort. Individuals with access to College Data are responsible for accessing, storing, and processing data on systems that have appropriate security controls in place for the class of data. Individuals should consult with the IT Department to determine the best way to access, store, and use their data, particularly for more sensitive data.
This document defines the minimum security standards required for any Electronic Device (defined below) or cloud service that may be used to access, store or process (input, output, transmit, receive, display, calculate, etc.) Sensitive Information (defined below) owned or used by the College. More specific security standards may be established under other College policies and applicable laws and regulations.
Applies to all active members of the College community, including faculty, students, staff, and affiliates, and to authorized visitors, guests, and others for whom College technology resources and network access are made available by the College. This policy also applies to campus visitors who avail themselves of the College’s temporary visitor wireless network access, and to those who register their computers and other devices through Conference and Event Services programs or through other offices, for use of the campus network.
| Term | Definition |
| --- | --- |
| College Data | Information generated by or for, owned by, or otherwise in the possession of STLCOP that is related to the College’s activities. College Data may exist in electronic or paper form and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that support the College. |
| Sensitive Information | College Data that is classified as Internal, Confidential, or Restricted Use. See the Data Classification Policy for definitions and examples of each of these classifications. |
| Cloud Services | Any free or paid application, tool, or infrastructure made available by third parties wherein computing or storage resources are accessed via the Internet. |
| Electronic Device | Any device that is used to access, store or process data electronically. For example: a computer of any type (including a smart phone or iPad), a data storage device (including a USB device), a network device, or a printer or copier that contains a storage device or that may be connected to a network. |
| Encryption | The process of converting human-readable data (plain text) into data that cannot be read (cipher text) without knowledge of a specific secret (a key). There are two types of encryption referenced in this document: encryption in transit and encryption at rest. Encryption in transit refers to ensuring that all data sent over a network is encrypted, whereas encryption at rest refers to ensuring that all data written to disk or other permanent storage is encrypted. While the encryption process and outcome may be the same, the tools and methods for achieving each type of encryption are different. |
The data handling protections outlined in this document apply to all Electronic Devices and Cloud Services (defined above) used to access, store, or process Sensitive Information, whether owned by the College or by a College employee or consultant and used to do College business. The use of an Electronic Device you own (referred to herein as a “Personal Electronic Device”; for example, a home computer, smart phone, or tablet) to access, store or process Sensitive Information is prohibited. If you choose to use a cloud service that you have set up yourself (referred to as a “personal cloud service”; i.e., a service that has not been provisioned by the College), use of the service to access, store or process Sensitive Information belonging to STLCOP is prohibited. Examples of such services: Dropbox, Google Drive, Box, GMail.
The Payment Card Industry Data Security Standards (PCI-DSS) include more stringent requirements for systems handling credit card data than those described herein. If you are handling credit card data in any way, please contact the IT Department to ensure that your systems meet the PCI-DSS requirements.
Please refer to the Identity Theft Prevention Program Policy for information about procedures pertaining to identity theft and the Red Flag rules.
Systems that handle Protected Health Information (as defined under the Health Insurance Portability and Accountability Act (HIPAA)) are subject to HIPAA and must comply. Please consult with the Information Security Team if you have questions about the use of HIPAA data in our environment.
Roles
Enterprise Services
The IT Department is responsible for ensuring compliance of IT Department supported devices and services with this policy. The IT Department will provide guidance about the approved data classifications for each service.
Schools, Departments, and Offices
The IT Department is responsible for ensuring that the devices and services they provide to the College meet these minimum security standards, including specifying whether services are appropriate for each class of data.
Personal Responsibility
All STLCOP faculty and staff are expected to be familiar with the Data Management Guide, Data Protection Requirements and Minimum Security Standards to ensure understanding of how to handle Confidential or Restricted Use information properly.
If you use a personal Electronic Device or a personal cloud service, you are responsible for ensuring that your Electronic Device and/or personal cloud service meets the requirements below and is not used to handle or store sensitive STLCOP data.
If you have questions, ask your supervisor, Departmental Security Administrator, or the IT Department.
Restricted Use Data Registry
All services that collect, store, or provide Restricted or Confidential Use data by design must be approved by the Information Security Team. All new services that collect, store, or provide Restricted or Confidential Use data must be approved by the Information Security Committee.
Business Standards
Risk Based Controls
Systems Management
Cloud Services include any free or paid application, tool, or infrastructure made available by third parties wherein computing or storage resources are accessed via the Internet. The use of Cloud Services with College Data is governed by the Conditions of Use Policy, the Minimum Security Standards (this document) and other relevant College policies and procedures.
The following standards apply to the use of Cloud Services provided by, or arranged for by, the College:
Personal Cloud Services used for College Data
“Personal Cloud Service” is a subset of “Cloud Service” where the service is arranged for by an individual rather than the College for storing College Data, including the use of free services. Examples: Google Docs, Box, Dropbox.
Endpoint Devices
An endpoint device is a system that is intended for direct human interaction. By comparison, a server is intended to offer an application, storage, or other service, and while it may be used directly by a human, such use is not the norm. In some cases, both sets of standards may apply, and the more stringent standard should be used.
Note: If you are using an Electronic Device that you cannot configure, or that you cannot confirm is securely configured (such as a public kiosk computer or a computer in a hotel, for example), that device should not be used to conduct STLCOP business. Only devices managed by the IT Department should access Restricted Use, Confidential or Internal data.
Endpoint devices must meet the following requirements:
Non-Endpoint Devices
This section contains detailed security requirements for all devices and services run or arranged for by the College, including but not limited to by the IT Department.
Exceptions
Information Security is authorized to grant exceptions to the requirements set forth in this document. Any exception granted will require a thorough review of the situation and the implementation of appropriate compensating controls.
In addition, Information Security may publish directives aimed at clarifying the intent of a standard to aid in the interpretation of this policy.
Important
Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or the College. The unauthorized or unacceptable use of College Data, including the failure to comply with these standards, constitutes a violation of College policy and may subject the User to revocation of the privilege to use College Data or Information Technology or disciplinary action, up to and including termination of employment.
| Position/Office/Department | Responsibility |
| --- | --- |
| All computer and infrastructure users | Abide by Minimum Security Standards |
Digital Millennium Copyright Act Policy
Payment Card Industry Data Security Standards (PCI-DSS)
Identity Theft Prevention Program Policy
Health Insurance Portability and Accountability Act (HIPAA)
Data Protection Standards policies
| Name | Contact Information |
| --- | --- |
| Lewis, Zachary, Director IT | Zachary.Lewis@stlcop.edu, 314-446-8402 |
| Knoll, Eric, Vice President Operations | Eric.Knoll@stlcop.edu, 314-446-8375 |