Information Security Program

University of Wisconsin-Green Bay Information Security Program

Approved by Cabinet May 2008

Section I.
Privacy Protection

A number of state and federal laws require institutions to develop, implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities and the sensitivity of any information stored by the institution.

The University of Wisconsin-Green Bay is committed to safeguarding all personally identifiable information we obtain about individuals. The only personally identifiable information the University collects is that which is provided by the individual.  This information is kept confidential to the University of Wisconsin-Green Bay.

The University of Wisconsin-Green Bay will share personally identifiable information about you with other companies or people only when one or more of the following conditions apply:

  • We have your consent to share the information;
  • We need to share your information to provide the product or service you have requested;
  • We need to send the information to companies/agencies who work on behalf of the University of Wisconsin-Green Bay to provide a product or service you have requested. These companies do not have any right to use the personally identifiable information we provide beyond what is necessary to assist us;
  • We need to respond to legally issued subpoenas, court orders or a legal process;
  • We need to respond to health and safety emergencies;
  • We need to fulfill an obligation as an educational institution of the State of Wisconsin; or
  • We find it necessary to protect and defend the legal rights or property of the University of Wisconsin-Green Bay.

Section II.
Access, Security and Control of Data and Information Policy

Purpose and Scope

The University of Wisconsin-Green Bay maintains both paper records and computer information systems to carry out its educational mission. Federal and State laws and regulations govern access to these records. The University establishes local policies and procedures to ensure compliance with these laws and regulations and to protect the integrity of University records and the privacy of individuals. The following policy statements are applicable to all areas of the University and must be observed by all persons dealing with such information, including all University employees and students, as well as other individuals or entities that share University information for business purposes.

Policy and Principles

Data contained in the University’s systems are the property of the University of Wisconsin-Green Bay and represent official University records. Exceptions to this policy are: faculty developed curricular material, student developed curricular material, or certain licensed information such as electronic journal subscriptions. Questions regarding exceptions should be discussed with the University Legal Counsel.

Users who are granted access to University data, regardless of the medium, also accept responsibility for adhering to certain principles in the use and protection of that data. These principles are:

  1. Information systems within the University shall be used only for and contain only data necessary for fulfillment of the University’s mission.
  2. University data shall be used solely for the legitimate business of the University.
  3. Individuals with access to University data must be able to distinguish between confidential, sensitive and unclassified data.
  4. Due care shall be exercised to protect University data and information systems from unauthorized use, disclosure, alteration and/or destruction. In the event of a security incident, the Information Technology Security Officer and/or a Public Safety officer have the authority to seize any University owned equipment for investigation and/or mitigation purposes.
  5. University data, regardless of who collects or maintains it, may be shared among those faculty or staff whose responsibilities require knowledge of such data.
  6. Applicable federal and state laws and University policies and procedures concerning storage, retention, use, release, transportation and destruction of data and/or all information systems, content and components shall be observed.
  7. Appropriate university procedures shall be followed in reporting any breach of security or compromise of safeguards.
  8. University computerized information systems shall be constructed in such a manner to assure that:
    1. Accuracy and completeness of all system contents are maintained during storage and processing;
    2. Data, text and software stored and processed can be traced forward and backward for auditability;
    3. Information systems capabilities can be reestablished within an acceptable time due to loss or damage by accident, malfunction, breach of security or act of God; and
    4. Actual or attempted breaches of security can be detected promptly.
  9. Any faculty or staff member engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, up to and including dismissal.
  10. Any student engaging in unauthorized use, disclosure, alteration or destruction of information systems or data in violation of this policy shall be subject to appropriate disciplinary action, up to and including expulsion.
  11. Users may not use, query, release or print data in any application to which they have not been deliberately given permission; this includes but is not limited to:
    1. Transcripts, grade reports, enrollment reports;
    2. Financial Aid information;
    3. Personnel, leave, salary reports;
    4. Reports for government or funding agencies;
    5. Fund-raising activities;
    6. Mailing lists and labels.
  12. All requests for information under the Freedom of Information Act, the Wisconsin Public Records Law, law enforcement agencies, subpoenas, etc. must be referred to the University Legal Counsel before releasing any records. Records will only be released at the direction of the University Legal Counsel.
  13. All contracts with third parties must include the following privacy clause or a similar clause:

Privacy Assurance: The University of Wisconsin-Green Bay is committed to safeguarding all personally identifiable information we obtain about individuals. UW-Green Bay selects appropriate service providers that in the normal course of business may need personally identifiable information in order to provide the service requested by UW-Green Bay’s customers. All such service providers are required to protect the confidentiality of this personally identifiable information according to the Gramm-Leach-Bliley Act (“GLB”), the FTC Safeguards Rule (16 CFR Part 314), Wisconsin Act 138, and other applicable federal, state, and/or local laws, no less rigorously than they protect their own confidential information. Service providers shall not use or disclose confidential customer information received from or on behalf of UW-Green Bay except as permitted or required by this Agreement, as required by law, or as otherwise authorized in writing by UW-Green Bay.

Data Confidentiality Classifications

Data shall be classified based on the following criteria:

  1. Confidential Data – Confidential data can be organized into three general categories:
    1. Data that could cause personal or institutional financial loss or the unauthorized release of which would be a violation of a statute, act or law. This includes but is not limited to:
      1. Social Security Numbers
      2. Bank account or credit card numbers, pins or other identifiers
      3. Individual’s data covered by Wisconsin Act 138 (driver’s license or state identification number, DNA profile, biometric data)
      4. Information protected under the Family Educational Rights and Privacy Act (FERPA). This includes information that can be used to identify a student: direct identifiers such as the student’s name, social security number and biometric records, alone or combined with other personal or identifying information that is linked or linkable to a specific individual, where the combination would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
      5. Data protected under the Health Insurance Portability and Accountability Act (HIPAA) and/or other applicable state and local medical privacy statutes.
    2. Data, the release of which, if accessed by unauthorized individuals, would constitute a violation of confidentiality agreed to as a condition of possessing, producing or transmitting data. This includes but is not limited to:
      1. Trade secrets or information that may be purchased for the creation of patented or trade secret information. For example, unique or proprietary chemical formulas or computer code.
      2. Data which the licensee guaranteed to keep in confidence as a stipulation for licensing of that data.
      3. Data which the University, by contract or other agreement, has committed to ensuring confidentiality.
    3. Proprietary University data the disclosure of which could cause significant harm to the University. This includes but is not limited to:
      1. Login/password credentials implemented to control access to systems or resources, particularly those issued specifically to individuals.
      2. University information that is exempt from public records requests.
  2. Sensitive Data
    1. Information generally used internally at the University or with its authorized partners AND
    2. Information which, if released to unauthorized individuals, would not result in any business, financial or legal loss but would negatively impact the privacy of the individuals named or the integrity or reputation of the University. Examples include:
      1. Employees who have chosen to suppress their directory information.
      2. Donor or other third party partner information maintained by the University.
      3. Proprietary financial, budgetary or personnel information not explicitly approved by authorized parties for public release.
      4. Emails and other communications regarding internal University matters which have not been specifically approved for public release.
    3. Research data not considered confidential.
  3. Unclassified Data
    1. Data that does not meet the criteria as confidential or sensitive as defined above shall be considered unclassified data and can be treated as public information.

Roles and Responsibilities

Safeguarding of University information systems and data shall be the responsibility of each faculty, staff or student with knowledge of and access to the records system or data. Specific responsibilities are as follows:

  • Supervisors – Supervisors are responsible for ensuring that staff within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, supervisors are responsible for validating the access requirements of their staff according to their job functions prior to submitting requests for access, and for ensuring a secure office environment with regard to University information systems. Offices that have records custodian responsibilities should appoint an individual within their staff to ensure these responsibilities are carried out. Supervisors are also responsible for ensuring that their staff members attend appropriate training sessions offered by the University to ensure compliance with laws, regulations and local policies.
  • Employees – Faculty, staff, and student employees are responsible for the protection, privacy, and control of all University data they access or create, regardless of the data storage medium. All employees must ensure that the data and data media are maintained and disposed of in a secure manner. All employees are responsible for understanding the meaning and purpose of the data to which they have access, and may use this data only to support the normal functions of their administrative and academic duties. All employees are responsible for all transactions occurring under their username and/or password. Passwords and usernames may not be shared with anyone under any circumstances unless the Associate Provost for Information Services, in consultation with the University Legal Counsel, approves an exception. All employees are responsible for reading and understanding the Acceptable Use Policy, Email Policy, and the appropriate faculty, academic staff, or classified staff handbook, and for complying with these policies and practices.
  • Students – Students are responsible for protecting their usernames and passwords so that no unauthorized persons would have access to their University records. Students are responsible for reading and understanding the Acceptable Use Policy, Email Policy, and Student Handbook, and complying with these policies and practices. Students should participate in University sponsored training sessions to improve their understanding of how to safeguard their own privacy.
  • System or Network Administrators – Ensure technical specifications are developed and implemented to meet information security standards.
  • Information Technology Security Officer – Issues standards based on best practices in higher education and research institutions, legal requirements and threats to ensure the protection of University data.
  • Associate Provost for Information Services – Responsible for providing administrative, technical and educational support in the area of information security for all users of the information systems.

Records Retention and Disposal

University records are not the personal property of the staff who create and maintain them, but are the property of the University and, ultimately, of the State of Wisconsin. Keeping records for longer than necessary, besides creating clutter, also results in simply having more information to safeguard. However, two things must be considered when reviewing record disposal processes:

  1. Is there a state or University standard for archiving and destroying these records? If records are not covered by an existing records retention schedule, offices must work with the University Archivist to develop a records retention and disposition authorization (RDA) to cover their materials.
  2. For those records that can be destroyed, how do I do this safely? The University Archivist arranges for periodic pickup and destruction of confidential paper records that need to be securely destroyed. Confidential and sensitive data in electronic form must be completely removed from any electronic media prior to disposal or reassignment of the media/device. Simply deleting data from a hard drive does not ensure that the data has been destroyed. All computers containing hard drives must be returned to the Information Services Division for proper cleanup and disposal. CDs and other static media should be physically destroyed prior to disposal.

Questions regarding records retention and disposal should be addressed with the University Archivist.

Responsibility for Implementation

The Associate Provost for Information Services serves as the coordinator of the Information Security Program of the University of Wisconsin-Green Bay.

Responsibility for Interpretation

The Associate Provost for Information Services will consult with the University Legal Counsel regarding interpretation of this policy. Final authority for interpretation rests with the Chancellor and is generally delegated to the University Legal Counsel.

Reporting Security Breaches

Departments should ensure that any potential unauthorized access to confidential or sensitive University information is reported to a University official in a timely fashion. Various laws mandate the reporting of such incidents. As such, any potential breach should be reported immediately to the following:

  1. For the unauthorized disclosure of electronic information (e.g. computer hacking, stolen files, etc.), contact the Information Technology Security Officer, David Kieper (telephone: 465-2238).
  2. For the unauthorized disclosure of non-electronic information (e.g. university records contained on paper, video or audio tape, etc.), contact the campus Public Safety office (telephone: 465-2300).

Reporting Non-compliance

If a concern exists on the part of an individual or a department that University information is at risk, this should be brought to the attention of a supervisor, internal audit, Information Technology Security Officer, or the Chief Information Officer.

Contacts

The following is a list of contacts mentioned in the above document:

Chief Information Officer: Kathy Pletcher, 465-2383
Information Technology Security Officer: David Kieper, 465-2238
University Legal Counsel: Melissa Jackson, 465-2622
University Archivist: Debra Anderson, 465-2539

Relevant Policies and Links

The following is a list of relevant policies mentioned in the above document:

UW-Green Bay Employee Acceptable Use Policy for Technology and the Internet:

http://www.uwgb.edu/compserv/Policies/AcceptableUsePolicy.htm

UW-Green Bay Student Acceptable Use Policy for Technology and the Internet:

http://www.uwgb.edu/compserv/policies/StudentAccpUse.htm

UW-Green Bay Email Policy and Guidelines:

http://www.uwgb.edu/compserv/policies/email_use.htm

UW-System Public Records Management Policy:

http://www.uwsa.edu/bor/policies/rpd/rpd3-2.htm