Administrative Information Systems Security Policy

 Project Possibility Implementation Team, November 2000

Security Policy

The College's administrative information systems provide Amherst College and Folger Shakespeare Memorial Library[1] with abundant opportunities for easy and efficient access to data. This fluid environment also poses significant risk to the security of administrative information.  Protecting this College resource is a shared responsibility between all data users and the Information Technology staff.  

Network security, including firewall technology, has been implemented to protect administrative servers and departmental workstations from unauthorized access through the Internet.    Staff in administrative offices will connect to secured computers through an administrative subnet on the campus network.  Off campus access to this subnet will be provided through a secure Virtual Private Network (VPN) complete with encryption and an additional layer of password security.

Desktop computers in administrative offices provide the most vulnerable point of access to administrative systems.  Staff in administrative offices must physically protect their computers including laptops from unauthorized access and theft.  All administrative information including  documents, spreadsheets, databases, schedules, etc. will be stored on secured network file servers, not on individual desktops. 

In addition to network security, a fundamental layer of protection is the logical security plan.  This plan is the key to protecting administrative information and describes the procedures by which system privileges are granted, passwords maintained, security monitored and issues communicated.

System privileges will be authorized by the department head or designated department security manager and centrally assigned by System Administrators in Administrative Information Services.  Inquiry Access to administrative information will be authorized on a ‘need to know’ basis.  Maintenance Access to processes will be authorized based on job responsibilities. 

Employees, including students, granted access to institutional data may do so only to conduct College business.  In this regard, employees must:

  •  Respect the confidentiality and privacy of individuals whose records they access
  • Observe ethical restrictions that apply to the data to which they have access
  • Abide by applicable laws or policies with respect to access, use, or disclosure of information

 Employees may not: 

  • Disclose data to others, except as required by their job responsibilities 
  • Use data for their own personal gain, nor for the gain or profit of others
  • Access data to satisfy their personal curiosity

Employees and students who violate this policy are subject to the investigative and disciplinary procedures of the College.  The Office of the Dean of Students usually handles complaints against students. The Office of the Dean of the Faculty usually handles complaints against faculty. Complaints against staff and administrators are usually handled through supervisors and Human Resources.

Definition of Administrative Information

Administrative information is any data related to the business of the College including, but not limited to, financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the departmental and office level as well as centrally, regardless of the media on which they reside. Administrative information does not include library holdings or instructional notes unless they contain information that relates to a business function.

The College recognizes administrative information as a College resource requiring proper management in order to permit effective planning and decision-making and to conduct business in a timely and effective manner. Employees are charged with safeguarding the integrity, accuracy, and confidentiality of this information as part of the condition of employment.

Access to administrative systems is granted based on the employee’s need to use specific data, as defined by job duties, and subject to appropriate approval. As such, this access cannot be shared, transferred or delegated. Failure to protect these resources may result in disciplinary measures being taken against the employee, up to and including termination.

Requests for release of administrative information must be referred to the office responsible for maintaining those data. The College retains ownership of all administrative information created or modified by its employees as part of their job functions.  Administrative information is categorized into three levels:

Personally Identifiable Information as defined by 201 CMR 17:00 Standards for the Protection of Personal Information of Residents of the Commonwealth requires the highest level of security.  It  includes Massachusetts resident's first and last name or first initial and last name in combination with one of more of the following data elements that relate to such resident:

a) Social Security Number

b) Driver's license number or state-issued id 

c) Financial account number

Confidential information requires a high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure could adversely affect the ability of the College to accomplish its mission as well as records about individuals requiring protection under the Family Educational Rights and Privacy Act of 1974 (FERPA).

Confidential information includes, for example, salary information, alumni gifts and student grades.

Sensitive information requires some level of protection because its unauthorized disclosure, alteration, or destruction might cause damage to the College. It is assumed that all administrative output from the administrative database is classified as sensitive unless otherwise indicated.

Sensitive information includes, for example, class lists, facilities data and vendor data information.

Public Information can be made generally available both within and beyond the College.  It should be understood that any information that is widely disseminated within the campus community is potentially available to the public at large.

Public information includes, for example, directory information.

 Employee Information

All aspects of personnel records are confidential.  Directory information for faculty and Staff as published in the Amherst College Telephone Directory is public. Directory information may include some or all of the following: name, home address, home telephone, spouse/partner name, department, position title, campus address, campus phone and email address.  Employees may request that this data be classified as confidential.  All other employee related data, especially that which is available to users outside Human Resources such as social security number and birth date, must be vigilantly safeguarded and treated as confidential.

 Family Educational Rights and Privacy Act (FERPA)

 The Family Educational Rights and Privacy Act (FERPA) of 1974 govern all information about students, current and former, maintained by Amherst College. FERPA generally requires that Amherst College have the student's written permission to release any information from their records except certain types of "directory information."

Student “Directory Information”, as defined by FERPA

Certain information, classified as “directory information”, is available for public consumption unless the student specifically directs that it be withheld.  The student should direct the Office of the Dean of Students not to disclose such information prior to the fourteenth calendar day of each semester.  Former students should contact the Public Affairs Office. 

Public directory information as defined by the Act includes:  student’s name, address, telephone number, date and place of birth, major field of study, participation in officially organized activities and sports, weight and height of members of athletic teams, dates of attendance, degree and awards received, and the most recent previous educational institution attended.

  Security Administration

Department security managers (department heads or their designee) are responsible for authorizing system access by employees.   System Administrators in Administrative Information Services will assign that access.

 The Security Request Form must be completed by the Department Security Manager to authorize, modify or remove user privileges.

 A Security Class Spreadsheet must be completed for each new employee to the department specifying the forms and processes the individual is to be authorized to use. 


 NEW Employee to department:

  1. Department Security Manager explains the Security Policy to the new employee and provides a written copy.
  2. Department Security Manager emails request to System Administrator attaching the Security Request Form and the Security Class Spreadsheet.
  3. System Administrator creates the login and assigns Security Classes.
  4. System Administrator replies to Department Security Manager’s original email indicating the security has been established and schedules an appointment with new user.
  5. Department Security Manager prints and signs Security Request Form.
  6. Employee carries signed Security Request Form and last page of the this Security Policy signed by the user to System Administrator to acquire a password.
  7. System Administrator files signed Security Request Form and Security Class Spreadsheet.
  8. Department Security Manager provides training and documentation to employee.
  9. Employee must change password upon first login.

 Modification and Termination:

  1. Department Security Manager emails System Administrator the Security Request Form with instructions (modify or terminate).
  2. System Administrator makes the appropriate changes.
  3. System Administrator files Security Request Form.
  4. System Administrator replies to Department Security Manager’s original email indicating that security has been modified or removed.

 On a daily basis, System Administrators will review reports identifying failed login attempts, “super user” logins and origins of login.

 At the end of each payroll, Human Resources will report to the System Administrators new hires, transfers and terminations.

 Twice annually,  Department Security Managers will be required to review a complete list of all system privileges assigned in their area.  The cover page of this report must be signed by the Department Security Manager and returned to the System Administrator within two weeks.

 

Office Responsibilities

Department Security Manager

The department head of each administrative office must assign a Department Security Manager and an alternate who is responsible to authorize and monitor access to the administrative system.

A Security Request Form must be completed for each individual who is provided access to the administrative system.  This same form must be completed to modify or remove access. It is just as important to remove access to the administrative system, as it is to authorize access to the administrative system. The Department Security Manager should document completed Security Request Forms and Security Class Spreadsheets. 

Twice annually, the Department Security Manager will be required to review all security authorizations for the department.  A report will be produced and distributed by the System Administrators.  The cover page must be signed and returned within two weeks to the System Administrators indicating the security is accurate.  Administrative Information Services reserves the right to deactivate the Department Security Manager’s access to the administrative system, if the review of security authorizations is not completed in a timely manner.

Passwords

Your password must not be revealed to anyone. You are the only one who knows your password. If your password has been disclosed, please contact your System Administrator to change it. 

Web browsers allow you to save passwords used to access external sites.  You should be wary of using this feature.  If you choose to save a password, be aware that anyone using your PC will be able to gain entry to that site using your password.

Printed reports

Reports containing confidential and sensitive data, either test data or live production data, must be secured within the office. Reports should not be left on the printer or desktop in open view. Any report that is no longer needed, which contains confidential and/or sensitive data, must be shred or stored securely until it can be shred.

 Communication

The security of administrative information is a shared responsibility among the Amherst College staff who use and support technology. We all have a role to play.  Vigilance is a daily activity.  Effective, on-going communication of this security policy and office procedures will play an essential part in our success.

An excerpt of the Administrative Information Security Policy & Plan is published in the Faculty and Staff Handbooks. 

 Department Security Managers are responsible for discussing this policy with each user at the time system privileges are issued.

To obtain access to password protected systems, you must print and sign the following form

[1]  References to the College include both Amherst College and  Folger Shakespeare Memorial Library.

Revised, September 2013