This program is designed to set standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
Customer – Any student of the University, parent of a student of the University, or faculty or staff member employed by the University.
Customer Information – Any record containing nonpublic personal information about a customer of the University, whether in paper, electronic, or other form, that is handled or maintained by, or on behalf of, Missouri State University.
Information Security Program – The administrative, technical, or physical safeguards Missouri State University uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
Service Provider – Any person or entity that receives, maintains, processes, or otherwise is permitted access to Missouri State University’s customer information through a provision of services.
Jan Lewis, Director of Accounting, 417-836-5632
David King, Assistant Director of Financial Aid, 417-836-5262
Matt Morris, Director of Business and Support Services, 417-255-7258
Donna Bassham, Coordinator of Financial Aid, 417-255-7242
Employees handle and have access to customer information in order to perform their job duties. This includes regular, full-time employees, temporary employees, and student employees (including graduate students), whose job duties require them to access customer information or work in a location where there is access to customer information.
Missouri State University exercises great care in attempting to select well-qualified employees to perform any function for the University. Hiring supervisors review applications, conduct interviews, and check references before making their final selection. Then, the Office of Human Resources submits a criminal background check for selected applicants in sensitive areas after an employment offer is made.
The employment offer is contingent upon completing a satisfactory pre-employment physical and the results of the criminal background check. The Employee Handbook specifically identifies employees in custodial, security, residence life, and vending as well as those with access to funds, buildings and facilities and others required by law as requiring a criminal background check.
The process for hiring temporary employees can be found on the Human Resources web site. Overall, hiring of temporary employees is handled by the individual department with the need. These departments are responsible for recruiting, interviewing, screening, background checks, and hiring.
Student employees are screened by the Student Employment Office on the Springfield campus and by Human Resources on the West Plains campus to ensure their eligibility. If they pass the screening process, individual offices interview students and make the final decision whether to hire a student. The individual offices are responsible for checking student references and administering job training as it relates to their specific requirements. The Student Employment Office provides training materials and handbooks for the student and the employers. The materials are available on the Student Employment web site.
Graduate Assistant hiring is handled by individual departments and offices on campus. Departments/offices are responsible for an initial check of eligibility and then the Graduate College verifies eligibility of the student including a minimum grade point average of 3.00 and admittance into a graduate degree program. For complete information on graduate assistant eligibility, please see the Graduate College web site. The individual departments and offices are responsible for checking references and administering job training as it relates to their specific requirements. The Graduate College provides a one-day orientation for all graduate assistants with teaching responsibilities.
Appropriate training regarding information confidentiality and security is provided to regular, full-time employees, temporary employees, student employees, and graduate assistants.
Within units where employees, student employees, or graduate assistants will have access to sensitive information, the hiring unit is responsible for providing training associated with confidentiality and safeguarding of information. This training session is to be conducted within the first 5 workdays of employment.
Student employees requiring FERPA training receive this training within the hiring department. The Student Employment Office requires student employees to sign a FERPA compliance statement. Some units and divisions (such as Enrollment Services) require all employees to receive FERPA training and sign a compliance statement.
All employees, student employees, and graduate assistants with access to customer information receive a copy of the document "Maintaining the Security, Confidentiality & Integrity of Customer Information." A copy of this document is included in the appendix and is posted on the University’s web site.
Periodically, employees with access to customer information will take part in refresher training regarding information security and confidentiality. Employees with access to Missouri State University’s customer information will take the refresher training every 3 years while employed.
Only employees, student employees, and graduate assistants whose job duties require them to access customer information shall have access.
Breaches of information security may result in various levels of disciplinary actions, up to and including dismissal, depending upon the nature and severity of the breach.
The Missouri State University Employee Handbook states within the "Disciplinary Guidelines" section that the following actions (among others) can be cause for disciplinary actions:
All accidental breaches should be reported and rectified as soon as possible. Employees and students are encouraged to report any suspected intentional and/or malicious breaches.
Information systems include network and software systems that capture, store, process, retrieve, transmit, and dispose of data and information. Only selected systems at Missouri State University handle customer information. These systems include paper-based systems, computer-based systems, and optical imaging systems.
Access safeguards are outlined in the document "Maintaining the Security, Confidentiality & Integrity of Customer Information." The University’s warehouses are locked and alarmed or monitored when not occupied.
Missouri State University-Springfield Computer Services and Missouri State University-West Plains Computer Services serve as the central information security offices on their respective campuses.
Reports generated by Computer Services at Missouri State University-Springfield are kept in locked boxes in Computer Services until picked up by the requesting unit. The locked boxes are monitored by video surveillance. At Missouri State University-West Plains, the vast majority of reports are printed in the user departments. In cases when reports are generated in the Missouri State-West Plains Computer Services Department, the report is delivered to the requesting department as soon as the report has been printed.
The Computer Services departments at both Missouri State University-Springfield and Missouri State University-West Plains are secure areas. Only authorized personnel are allowed entry to secure locations.
All online access to customer information is restricted to individuals requiring access to perform their jobs.
Personal information accessible via the web requires a user ID, password, customer identification number, and personal identification number (PIN).
When paper documents containing customer information can no longer serve a purpose to the University, the unit that "owns" the document is responsible for shredding it (or ensuring the document is shredded by a qualified commercial shredder) prior to disposal.
Documents containing customer information that are stored in the University’s warehouse are shredded on-site via a commercial shredding company.
As computers and storage devices are disposed, the University erases all data from these devices. The University’s Property Surplus Form requires this process to be completed prior to disposal of these devices.
Missouri State University-Springfield Computer Services and Missouri State University - West Plains Computer Services magnetically erase all storage tapes and diskettes prior to disposal. All CDs containing customer information are broken prior to disposal.
Both the Missouri State University-Springfield and Missouri State University-West Plains campuses have developed procedures to be followed in response to major or minor system failures. For security reasons, these plans are not made public. Maintenance contracts are established to expedite computer and network hardware repairs and/or replacements as necessary. Business continuity plans dictate that the University’s mission-critical systems receive priority when re-establishing computer systems following a major system failure. System data will be restored from backup media. The Missouri State University-Springfield and Missouri State University-West Plains technical staffs will communicate and coordinate their respective responses with each other and with senior administrators on both campuses.
The University mandates the use of anti-virus protection software on mission-critical file servers and all desktop computers. Every attempt is made to keep operating systems and application software at the most current versions with all patches applied to avoid exploitation of security holes. All passwords are encrypted on the systems that will support encryption. Security measures are in place to protect data from being intercepted and viewed as it is transmitted via our campus network.
Systems residing within the server farms on the Missouri State University-Springfield and Missouri State University-West Plains campuses are backed up on a regular basis. Both full and differential backups are taken. Back-up media are stored off-site as a precautionary measure.
System back-ups are addressed in Missouri State University-Springfield’s Backup Procedures and Schedules document.
System back-ups are conducted on the Missouri State University-West Plains campus based on a published schedule.
In the event that information security is compromised, a prompt disclosure will be made to any customers that may have been impacted.
All contracts with service providers are reviewed by the University’s Director of Procurement Services and General Counsel to ensure appropriate contracts include a provision requiring external service providers to observe our high standards of information security and confidentiality. Contracts will not be approved with providers that cannot provide and maintain appropriate safeguards. Contracts with external service providers handling, or with access to, University customer information will include language requiring the implementation and maintenance of appropriate safeguards.