Reducing the Risk of Information Theft
Shawnee State University:
1. Employee Education
University employees are being educated about the importance of information security. ITS continues to promote its Security Awareness Education Campaign, "Be Informed, Be Aware, Be Responsible About Information Security" in which employees are made aware of the need for security awareness in their daily routines. In addition, the University is participating in the Federal Trade Commission's educational program on Identity Theft entitled "Deter, Detect, Defend; Avoid ID Theft" which educates individuals about how to avoid personal identity theft. Employees are also educated on and expected to abide by the approved "Conditions for Information Security and Best Practices".
2. Departmental Education and GLBA Safeguards Rule
All University departments are being educated about the legal requirements within the Gramm Leach Bliley Act (GLBA) that mandate financial institutions develop, implement, and maintain safeguards to protect the security, integrity and confidentiality of customer information. The Federal Trade Commission (FTC) enforces compliance with GLBA rules.
Institutions must protect student financial aid information, with particular attention to information provided to institutions in support of the administration of federal student financial aid programs, and have protocols in place to evaluate, assess and mitigate risk to customer information on a regular basis, as part of the information security program. For more information go to http://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act.
ITS is eager to discuss with campus departments this web site and what it means to each employee. Employees and departments should understand what steps each individual must take to protect the data used each day during the normal course of operation.
3. Avoiding the use of Social Security Number as an identifier
Shawnee State University has nearly eliminated the use of the Social Security number as an identifier for students and employees. By using identifiers such as the administrative system ID in its place, the risk has been greatly reduced. University departments are continuing to identify any remaining areas where this can be eliminated.
4. Reducing the use of identifier information on printed items
Printed items such as receipts or payroll related items are being modified so that, where possible, identifier information such as bank account number, credit card numbers, etc. are not displayed. University departments should continue to identify any remaining areas where this can be eliminated.
5. Confidential or officially protected data must be stored on ITS protected servers only
Any and all files, including databases, spreadsheets, word processing documents, and reports with confidential or officially protected data must reside on ITS-managed secure servers. This means that files with confidential data cannot be stored on local workstations, shared on local drives, or saved to any portable media. In addition, these files may not be transmitted by email without a secure connection. University Departments are continuing to identify if they have any such data which is not currently stored on a ITS-protected server and with the assistance of ITS it will be relocated to an appropriate and secure location.
6. Prohibiting the use of confidential information on mobile devices
Mobile Devices, including but not limited to, laptops, email, disks, CDs, DVDs, USB Drives, iPods, Smartphones, and mobile PCs should never be used to store, back-up, or transfer confidential or identifiable data. ITS will work with each department individually to help identify and determine if they have a need for shared secure server space or proper secure back-ups.
7. SSU Policies and Guidelines
Shawnee State University employs several board approved policies as well as Conditions for Information Security and Best Practices that serve as guidelines for regulating the use of data and information on campus.