Aurora University staff members and contractors doing business with AU may require access to private information about the University's students, donors, contractors, and other individuals associated with the university. In order to ensure the privacy of these records, representatives from university offices responsible for the collection and organization of this information have developed this set of information management policies and practices. The purpose of this plan is to ensure the confidentiality of student, client, and customer records and to anticipate and mitigate any threats to the security of those records. This plan will be maintained by the Chief Information Officer and will be reviewed, tested, and periodically revised as risks, systems, and business practices change.
- Aurora University is in compliance with the requirements of the Family Educational Rights and Privacy Act (FERPA).
- The Coordinator for Information Security will maintain an inventory of the location of electronic and hardcopy records covered by these policies.
- The Coordinator for Information Security will work with senior staff, technical staff, and directors of offices with access to protected information to ensure that these policies and procedures remain current and accurate. Technical protections and data management policies will be reassessed regularly and modified as needed to ensure protection against emerging security threats.
STAFF TRAINING AND PRACTICES
- Employees of Aurora University assigned to work with confidential information receive training by their supervisors in the information security policies appropriate to their departments and will be expected to abide by those policies.
- All AU employees, including student workers, are required to sign a confidentiality statement (see Human Resources Policy 104: Confidentiality).
- Information Services staff will offer regular computer security workshops for AU staff to raise the awareness of security risks in the electronic environment and familiarize staff with the tools available to them for minimizing these risks.
ACCESS TO DATA
- Access to the main administrative data processing system is controlled by a system of passwords and security class definitions to ensure that only authorized users have access to the records stored on this system. Users are required to change their passwords every 6 months. Accounts for student workers are automatically expired at the end of each term.
- All users who have access to protected data are required to log off their workstations, or secure them with a password-protected screen lock, when they are away from their work area. To protect against inadvertent exposure of protected information, an auto-logout feature has been implemented on the administrative system that automatically terminates a session after a specified period of inactivity. Administrative workstations in public areas are positioned to prevent casual viewing of the screen by unauthorized individuals.
- Databases containing data exported from the main administrative system are stored only in password-protected directories on the shared drives of the local area network, and access rights to those protected directories are assigned only to users authorized to work with that information.
- Paper records containing confidential information are stored in secure cabinets or rooms, and those storage locations are locked when unattended.
PROTECTION OF ELECTRONIC DATA
- Information Services maintains a comprehensive backup program for electronic information, and keeps all backup media in physically secure locations.
- Network firewall systems and encrypted data connections are used to block electronic access to protected information by unauthorized users.
- Private information collected using interactive online forms is protected by appropriate encryption and storage systems.
- Technical staff in Information Services will continually monitor the status of the AU information infrastructure and will develop additional protective systems as required by changing conditions.
- All service providers who have access to private customer information are guided by the same policies that apply to AU employees. AU staff working with these providers will ensure that reasonable steps are taken to provide adequate safeguards for the security and privacy of this information.
- Service providers must agree not to provide access to private customer information in their possession except as provided in the contract. Where appropriate, AU and contractors will sign confidentiality or nondisclosure statements to ensure the security of private information used for these purposes.