Published by Francine Wilkins. Modified over 9 years ago.
IT Security Policy and Compliance
07/22/2013

Connie Barling, Information Security Officer
Alice Maginnis, Associate University Counsel
Robin Knapp, Comptrollers, Redbird Card Office
Jess Ray, Registrar
Agenda
9.8 Policy and Procedures
Compliance
PCI
FERPA
9.8 Policy and Procedures

9.8 Policy on Security of Information Technology Resources and Systems
Framework to protect Illinois State University's information technology resources, computers, networking systems, and data.
Securing the Data
9.8.1 Procedure on Data Classification
Data Classifications:
Highly Restricted
Restricted
Unrestricted
Securing the Data
9.8.2 Procedure for Securing and Accessing Each Data/System Classification
Data Resource Types:
Non-Electronic Media
Electronic Media
–University owned, maintained, or contracted servers
–University owned, maintained, or contracted workstations
–Personally owned workstations
–University owned or maintained laptop computers
–Personally owned laptop computers
–University owned or maintained mobile devices
–Personally owned mobile devices
–University owned, maintained, or contracted printers, scanners/faxes, multi-function devices, and electronic surveillance devices
Securing IT Resources and Systems
9.8.2 identifies Standards Working Groups. These standards are being developed by a team consisting of AT and University Security personnel:
Account and Password Standard
Minimum Security Standard for Servers
Minimum Security Standard for Workstations
Minimum Security Standard for Laptops
Minimum Security Standard for Mobile Devices
Minimum Security Standard for Printers/Scanners/Faxes and Multi-Function Devices
Encryption Standard
Remote Access Standard
Data Disposal
Computer systems and other electronic devices store information on a variety of media. It is important that all licensed software, "highly restricted" data, and "restricted" data are thoroughly sanitized from University-owned devices (computers, tablets, smart phones, etc.) before they are surplussed. The State of Illinois requires that all surplussed equipment be disposed of in accordance with the Data Security on State Computers Act.
See the knowledge base article on the Technology Support Center website.
Overview of Security Roles
9.8.3 Procedures for Defining Enterprise Data Repository Management Roles and Responsibilities
Data Steward Council
Data Steward
Functional Owners
Data Custodians
Unit Security Liaisons
Information Security Officer
Information Architecture Team
Information Technology Security Incident Response Team (ITSIRT)
Access Request
9.8.4 Procedures for Requesting and Granting Access to the Enterprise Data Repository
USLs are the principal contact for data-security-related matters and request access for their unit:
Request new or changed data access for the unit
Security awareness
Review access list
Access Review
9.8.5 Procedures for Non-Affiliated Individuals Requesting Access
Must be sponsored
Method
Responsibilities
Incident Reporting
9.8.6 Procedure for IT Security Incident Reporting
What is an incident?
An information technology security incident is an event that:
Impacts or has the potential to impact the confidentiality, integrity, or availability of ISU Information Technology Resources and Systems.
Violates state or federal law or the policies and procedures of the University.
Incident Reporting (cont.)
Who should report an IT security incident?
Any individual or group who, in the course of using ISU Information Technology Resources and Systems, observes an information technology security incident shall report that incident.
Incident Reporting (cont.)
Where to report the incident? Overview of IT Security Incident Reporting:
Criminal Activity – ISU Police
Copyright violations – copyright@ilstu.edu
Violations of the Appropriate Use Policy – abuse@ilstu.edu
All other incidents – Unit Security Liaison
Incident Reporting (cont.)
When a USL reports an incident, the classification of the data involved in the incident determines the urgency of reporting the incident.
Highly Restricted Data:
–Call 438-ITSR (438-4877) immediately!
–Contain the incident: DO NOT POWER OFF THE SYSTEM; remove the system from the network if possible.
–Wait to be contacted by the IT Security Incident Response Team (ITSIRT).
Restricted Data:
–Complete the online IT Security Incident Report or call 438-ITSR.
–Contain the incident: DO NOT POWER OFF THE SYSTEM; remove the system from the network if possible.
–Wait to be contacted by the IT Security Incident Response Team (ITSIRT).
Unrestricted Data:
–Complete the online IT Security Incident Report.
–Repair the system and restore the service.
Securing IT Resources and Systems
9.8.7 Procedures for Administration of the Enterprise Data Repository
Guiding Principles
Data Capture and Storage
Data Integrity, Validation, and Correction
Data Extracts and Reporting
Data Management
System Administration
E-Signatures
9.8.8 Electronic Signature Procedures
Risk Assessment and implementation method
Responsibilities
Developing and Implementing the Process
Compliance
Administrative Technologies Security Web Site
at.sharepoint.illinoisstate.edu/security
Compliance

Legal Protections for Data
Electronic records and data are subject to numerous state and federal laws designed to protect the privacy of sensitive information.
University Data Classifications and Applicable Laws/Regulations:
"Highly Restricted Data"
–Social Security Numbers
–Health Information
–Other Personal Information
–Financial Data
"Restricted Data"
–FERPA Protected (Student Records)
–Other Data
Highly Restricted Data
Personal Information
–Social Security Number
–Birthdate (month, day, year)
–Certificate/License Number
–State Identification Card Number
–Directory Information restricted by employee or student
–Disability status
–Driver's License Number
–Genetic or Biometric Information or Identifiers
–Marital Status
–Medical records and personal health information
Financial Information
–Account payment history
–Application fee waiver
–Bank account number/financial account numbers
–Credit or Debit Card Number
–Redbird Account Number
–Donation Information
–Garnishment
–Student Loan Accounts and Information
–Federal Student Aid Application and Information
University Records
–Human Resource Benefits Records
–Job action material
–Background Checks
–Payroll information
–Internal Audit Records
–Investigator ID
–Electronic Surveillance
–Library Material Checked Out
–Location or management of hazardous materials
–Network diagrams
–Passwords, passphrases, PINs
–Police Report Details
–Personally identifiable information (PII) of human subjects
–Student Application Criminal History (self-reported) Status
–Counseling Center Records
Restricted Data
Other Data
–Facility Availability
–Facility Floor Plans/Diagrams
–Facility Maintenance Records
–Facility Work Orders
–Gender
–Military Status
–Personnel Record
–Race/Ethnicity
–Staff Calendar/Scheduling
–Staff Sick and Vacation Time Used
–Student Course Evaluations
–University ID data (employee)
–Veteran Status
–Wellness Center Program Information
–Work Authorization (I-9)
FERPA Protected
–Community Rights and Responsibilities Records
–Dining Hall Usage
–Electronic Door Access Records (if student)
–Student Fitness Center Membership and Usage
–Student Evaluations
–Student Grades
–Student Schedules
–University ID data (student)
–Veteran status (student)
Social Security Number
University Policy 1.13 Identity Protection
SSNs can be collected ONLY for limited purposes required by law, such as:
–Mandatory IRS withholding and reporting from students, vendors, and employees.
–Entering into financial transactions.
SSN disclosure is ONLY permitted with consent or when required by law.
Collecting Social Security Numbers When Required by Law:
–A statement must be provided explaining the purpose of collecting the number and whether the request is voluntary or mandatory.
Social Security Number (cont.)
SSNs may not:
–Be publicly posted or displayed.
–Be transmitted over the Internet, unless the connection is secure or the SSN is encrypted. SSNs should not be required to access University resources.
–Be e-mailed or otherwise delivered to the individual, except when required by law or by application/enrollment materials.
–Be used for any purpose other than the purpose for which they were collected.
Maintaining Records Containing Social Security Numbers:
–Must be maintained ONLY by University employees required to have access to the numbers, in a confidential format.
–Numbers must be redacted if released in a public format.
–Records must be disposed of in a secure fashion and follow the University Record Retention Policy (7.1.55).
Health Information
Specific health information is protected by federal and state law with more stringent confidentiality and disclosure requirements:
Health Insurance Portability and Accountability Act (HIPAA) for Covered Health Units
Illinois Mental Health Confidentiality Act and Developmental Disabilities Confidentiality Act
Physician and Patient Privilege
Americans with Disabilities Act (ADA)
Other Personal Information
Other specific data/information is protected by additional federal and state law with more stringent confidentiality and disclosure requirements:
Personal Information Protection Act
Personnel Record Review Act
Biometric Information Privacy Act
Genetic Information Privacy Act
Library Records Confidentiality Act
Financial Data Protections
Personal Information Protection Act
Red Flags Rule
Payment Card Industry Data Security Standards (Credit Card Transactions)
Financial Data: Red Flags Rule
FTC rule designed to create systems to prevent, detect, and respond appropriately to identity theft.
University Identity Theft Prevention Policy 1.4 and Procedure 1.4.1
Protects information associated with University accounts that could be used to identify a specific person, such as:
–Name, Address, Phone, E-mail, Date of Birth
–Identifying Numbers: Driver's license, Passport Number, SSN, FEIN
–Account number(s)
–Computer Information: IP Address, Routing Code
Financial Data: Red Flags Rule (cont.)
A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
If Red Flags are detected, please consult with your supervisor regarding appropriate steps to take to prevent identity theft.
The University should maintain records regarding Red Flags and responses.
PCI

Financial Data: PCI (Robin Knapp)
What are the Payment Card Industry Standards?
Requirements for Departments
Where to get information?
What to do if there is a security breach?
What is PCI?
Payment Card Industry (PCI) Data Security Standards (DSS), set up by Visa and MasterCard.
All credit card companies in the U.S. have endorsed the Standard.
Created so there would be common industry security requirements.
Why Follow PCI Standards?
Protect customers against fraud and identity theft.
Mandated by credit card companies: "If you accept our credit card, you must follow these rules."
For the University's protection, to avoid huge penalties and bad publicity.
Twelve Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications (testing, documentation, back-up).
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
Required of Departments
Pre-approval on all software purchases with credit card capabilities
Signature forms for all new employees (updated every year)
Yearly training (every spring)
Update Business Practices (yearly)
Let the E-Commerce Committee know if anything changes (procedures; staff)
TouchNet Applications
–uStores
–uPay
–ONLY ENTER CREDIT CARD PAYMENTS ON SECURE, DEDICATED LAPTOPS OR WORKSTATIONS PROVIDED BY ADMINISTRATIVE TECHNOLOGIES.
Don't store full credit card numbers, expiration dates, PINs, or security codes.
Settle credit card machines nightly and keep them secure.
Don't transmit credit card numbers via e-mail or networked fax machines.
Don't print full credit card numbers on receipts.
All credit card processing must be approved by the E-Commerce Committee:
–Approved 3rd party software
–Credit card machines provided by Global
–TouchNet
–Dedicated laptops for data entry
–The only mobile device approved is the cellular omni from Global
Square and other card readers that attach to systems (laptops, cell phones, iPads, etc.) are NOT approved.
Payments must go through the University.
Where to Get Information
Comptroller's Website (A-Z, PCI)
E-Commerce Committee:
–Robin Knapp
–Tom Shadid
–Dave Carson
–Tim Flynn
–Ryan Grahs
–Connie Barling
–Rendi Cottrell
–Paul Unsbee
–Adam Listek
What to Do If There's a Breach
Suspected or confirmed security breach (credit card numbers have been compromised):
Call the Technology Support Center: 438-4357 (HELP)
The Comptroller's Office will work with the department to determine the extent of the breach.
The Comptroller's Office may need to contact Visa, the local FBI, and the U.S. Secret Service.
FERPA in 10 Min.
USL Training Session

What is FERPA?
The Family Educational Rights and Privacy Act of 1974 (FERPA) sets forth requirements regarding the privacy of student records. Under FERPA, students have the right to:
–Inspect and review their education records
–Request to amend their education records
–Limit the disclosure of personally identifiable information (aka directory information)
Who Does FERPA Protect?
FERPA protects the education records of any currently or formerly enrolled student, regardless of their age or parental dependency status.
FERPA does not apply to:
–Individuals who have applied but have not yet attended
–Deceased students
Records Are...
Education Records are records that are:
–Directly related to a student
–Maintained by an educational agency or institution, or by a party acting for the agency or institution.
Records are any information maintained in any way, including, but not limited to: handwriting, video or audio tape, computer media, film, print, and microfilm/microfiche.
Exceptions to Education Records
Sole Possession Records: Those records or private notes held by a school official that aren't accessible or related to other staff.
Law Enforcement Records: Records created/maintained for a law enforcement purpose.
Employment Records
Medical Records: Records made and maintained in the course of treatment and disclosed only to those individuals providing treatment.
Non-Current Student Records: Records that only contain information about a student after he or she is no longer at the institution (i.e., Alumni Records).
So What Information Can We Disclose?
As long as the student has not requested a restriction, we can release a student's directory information without violating FERPA.
Directory information is information that, if disclosed, is not generally considered harmful or an invasion of privacy.
Directory Information at ISU
Student's Name
Address (local and home)
Telephone Listing (local and home)
Email Address
Date and Place of Birth
Major Field of Study
Dates of Attendance
Grade level (Fr, So, etc.)
Enrollment Status (UG, GR, full-time, part-time, etc.)
Participation in officially recognized sports and/or activities
Weight and Height of Athletic Team Members
Target Graduation Date
Degrees Earned
Merit Honors and/or Awards Received
Most Recent Educational Agency or Institution Attended
Signed and dated written consent from the student is required to disclose information not deemed directory in nature.
Who May Have Access to Student Information?
The student, and any individual/entity who has the student's written permission *
School officials (as deemed by the University) who have a legitimate educational interest
Parents of a dependent student as defined by the Internal Revenue Code *
A person in response to a lawfully issued subpoena/court order (the University should try to inform the student first)
* May be able to provide to external entity and parents, but not required to provide
When Is Consent NOT Needed?
Consent is not needed for disclosure of information to:
Release directory information
School officials who have a legitimate educational interest
Federal, state, and local authorities involving an audit or evaluation of compliance with educational programs
In connection with financial aid, including Veterans' benefits
Organizations conducting studies for or on behalf of an educational institution
Accrediting organizations
Parents of a dependent student
Comply with a judicial order or subpoena
In a health or safety emergency
Release the results of a disciplinary hearing to an alleged victim of a violent crime
Posting Grades
Posting of grades and other non-directory information in a public place without written consent of the student is a violation of federal law.
–Do not leave graded papers in a hallway for students.
Letters of Recommendation
If non-directory record information is used in the letter, then you need the student's written release.
If you use observations or directory information and the student does not have a restriction, then you do not need the written release.
Additional Resources
AACRAO: www.aacrao.org
US Department of Education: www.ed.gov/policy/gen/guid/fpco/index.html
Office of the University Registrar: www.registrar.ilstu.edu

Questions?