The Information Security Policy is designed to protect Keuka College’s proprietary and sensitive information from theft and/or loss while retaining the free-information needs of the academic culture within an educational institution. It ensures that the College will comply with all federal and state regulations regarding the collection and retention of any private/confidential data. These regulations include, but are not limited to:
- NYS Personal Information Laws
- Non-NYS Personal Information Laws
Information covered by this policy is any data traversing or stored within our infrastructure assets. This includes, but is not limited to, information that:
- Resides in datacenter databases
- Is transmitted across both intranet and extranet
- Resides on College-owned PCs
- Is hand-written if it includes confidential or FERPA-related data
- Is stored on College-owned removable storage such as flash drives, CDs, and similar media
- Is presented using slides and other audio/visual equipment
Security of our information is retained through many electronic and physical means. These include:
- Physical protection such as controlled card-swipe and key access
- Regular vulnerability assessments
- Access Control Lists, Virtual Local Area Networks, and Firewalls
- Encrypted wireless networks
- Data Center environmental controls
- User education
Keuka College prohibits the deliberate introduction of inaccuracies into, or loss of, our retained information. The College also prohibits using our information to breach privacy, compromising system performance or security, or damaging any hardware.
Keuka College will protect its assets from threats to its security, whether deliberate or accidental. Because no single department can provide absolute security, all College employees, students, and other authorized users of Keuka College are responsible for minimizing risks, complying with policy, and securing any assets within their control and capability.
College-wide awareness of threats as well as common and new attack methodologies is necessary to retain a secure environment. Keuka College will provide education about these, as well as our current policies and changes within them via handouts, emails, and newsletters.
4.1 Policy Addendum
The following are addendums written to be included as multiple parts to a larger policy:
- Keuka College VPN Policy
- Keuka College Password Policy
- Keuka College Acceptable Use Policy
4.2 Access rights to Information and Systems
Access to physical servers is limited to the Network and Systems Administration personnel, the Chief Information Officer, the Assistant Director of Information Systems and Security, and the Associate Director of User Services. Entrance into the Data Center is controlled by those employees or digital access granted to those employees. All other persons are required to be under supervision of the listed individuals while inside the Data Center at all times. Video recording is active within the Data Center at all times.
Remote access to virtualized servers is granted on a case-by-case basis to other users within the IT organization. This is granted only to users who maintain those systems on an application-update level. Their network credentials are utilized to authorize this access.
Remote access to databases is granted to specific Administrators of those systems within IT. Their network credentials are utilized to authorize this access.
Access to data within those databases is granted to reporting/business analyst users through a Data Warehouse and reporting tools. Access is segregated based on duties so that only data authorized by the respective departments can be accessed.
Access to data within our Student Information System is limited to Employees of the College through an encrypted web interface that is only accessible via intranet or Virtual Private Network. Duty segregation is approved through the different heads of the respective departments and is closely controlled through use of personas.
4.3 Systems Security Responsibilities
Keuka College Information Technology is the current “owner” of the College’s system and network infrastructure and is responsible for maintaining and providing a safe and secure environment to perform daily duties.
4.4 Encryption of Data
Interfaces to College systems containing sensitive/confidential information are encrypted with SSL and, as a further step, limited to access from within the internal network or through an encrypted VPN tunnel.