Security, Confidentiality and Integrity of Customer Information Policy

This program is designed to set standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

Purposes

  • To ensure the security and confidentiality of customer information;
  • To protect against anticipated threats to the security and/or integrity of customer information;
  • To guard against unauthorized access to, or use of, customer information that could result in harm or inconvenience to any customer; and
  • To comply with the Gramm-Leach-Bliley Act and the related rules put forth by the Federal Trade Commission.

Policy for maintaining the security, confidentiality & integrity of customer information

Control access to rooms and file cabinets where paper records are kept

  • Doors to office areas are to be locked during non-business hours.
  • Customer information is to be processed in work areas that are behind locked doors or in other areas not regularly accessible to the general public.
  • Guests are escorted in areas where customer information is being processed and are restricted to areas where customer information is not in plain view.
  • File cabinets used to store customer information are secured in locked areas or areas not regularly accessible to the general public.
  • The cabinets used to store promissory notes are locked during non-business hours.
  • Documents no longer needed are disposed of in designated recycling containers or shredded on site.
  • Custodial and Maintenance staff are trained to ensure secure areas remain locked and confidential information is safeguarded.
  • Building Security Guidelines are to be followed as published by the Office of Safety & Transportation.

Control access to information stored electronically

  • Computer workstations accessing customer information are to be housed behind locked doors or in areas where output devices (screens, printers, etc.) cannot be seen by the general public.
  • Computer screens displaying customer information are to be minimized when not in use to prevent inadvertent breaches.
  • Strong passwords are to be used.
    • Network and email access (at least eight characters, alphanumeric, special character)
    • Mainframe access (at least eight characters, alphanumeric)
  • Computer passwords are required to be changed every 120 days.
  • User IDs, passwords, and PINs are not to be posted near or on computers.

Protect our customers' information

  • Requests for customer information will be responded to in accordance with FERPA guidelines.
  • Appropriate security policies will be developed and followed to ensure protection of customer information.
  • Fraudulent attempts to obtain customer information are to be reported to management, who will then report the attempt to the appropriate law enforcement agencies.

Definitions

Customer – Any student of the University, parent of a student of the University, or faculty or staff member employed by the University.

Customer Information – Any record containing nonpublic personal information about a customer of the University, whether in paper, electronic, or other form, that is handled or maintained by, or on behalf of, Missouri State University.

Information Security Program – The administrative, technical, or physical safeguards Missouri State University uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

Service Provider – Any person or entity that receives, maintains, processes, or otherwise is permitted access to Missouri State University’s customer information through a provision of services.

Details

  1. Program Coordination
    • Representatives from the Office of Financial Services and the Office of Financial Aid coordinate the Information Security Program on the Missouri State University-Springfield campus.
      • Representative from the Office of Financial Services:

        Jan Lewis, Director of Accounting, 417-836-5632

      • Representative from the Office of Financial Aid:

        David King, Assistant Director of Financial Aid, 417-836-5262

    • Representatives from the Business Office and the Office of Financial Aid coordinate the Information Security Program on the Missouri State University-West Plains campus.
      • Representative from the Business Office:

        Matt Morris, Director of Business and Support Services, 417-255-7258

      • Representative from the Office of Financial Aid:

        Donna Bassham, Coordinator of Financial Aid, 417-255-7242

    • The program includes input from other departments on the Missouri State University-Springfield, and Missouri State University-West Plains campuses, including General Counsel, Financial Services, Financial Aid, Residence Life, Housing and Dining Services, Computer Services, and the Office of Information Technology.
    • The program will be reviewed annually, on May 23. Selected aspects will be tested and monitored to ensure the program’s safeguards remain current and effective. Updates will be made as necessary.
      • The Annual Review Checklist
        1. Are appropriate background/criminal checks being conducted within the hiring process for prospective employees who will have access to customer information?
        2. Are training programs in place and being conducted to teach new employees, student employees, and graduate assistants who will have access to customer information about information security and confidentiality?
        3. Are employees, student employees, and graduate assistants who have access to customer information receiving "refresher" training regarding information security and confidentiality?
        4. Have additional contracts been established that require monitoring to ensure the third-party contractor secures Missouri State University's customer information?
        5. Are procurement bids including provisions requiring purchased software or services to provide secure storage and transmission of customer information?
        6. Are the safeguards outlined in section "II. B. Information Systems" of this document still effective?
  2. Risk Assessment & Safeguard
    1. Employee Management and Training

      Employees handle and have access to customer information in order to perform their job duties. This includes regular, full-time employees, temporary employees, and student employees (including graduate students), whose job duties require them to access customer information or work in a location where there is access to customer information.

      1. Hiring Regular, Full-Time Employees

        Missouri State University exercises great care in attempting to select well-qualified employees to perform any function for the University. Hiring supervisors review applications, conduct interviews, and check references before making their final selection. Then, the Office of Human Resources submits a criminal background check for selected applicants in sensitive areas after an employment offer is made.

        The employment offer is contingent upon completing a satisfactory pre-employment physical and the results of the criminal background check. The Employee Handbook specifically identifies employees in custodial, security, residence life, and vending as well as those with access to funds, buildings and facilities and others required by law as requiring a criminal background check.

      2. Hiring Temporary Employees

        The process for hiring temporary employees can be found on the Human Resources web site. Overall, hiring of temporary employees is handled by the individual department with the need. These departments are responsible for recruiting, interviewing, screening, background checks, and hiring.

      3. Hiring Student Employees

        Student employees are screened by the Student Employment Office on the Springfield campus and by Human Resources on the West Plains campus to ensure their eligibility. If they pass the screening process, individual offices interview students and make the final decision whether to hire a student. The individual offices are responsible for checking student references and administering job training as it relates to their specific requirements. The Student Employment Office provides training materials and handbooks for the student and the employers. The materials are available on the Student Employment web site.

      4. Hiring Graduate Assistants

        Graduate Assistant hiring is handled by individual departments and offices on campus. Departments/offices are responsible for an initial check of eligibility and then the Graduate College verifies eligibility of the student including a minimum grade point average of 3.00 and admittance into a graduate degree program. For complete information on graduate assistant eligibility, please see the Graduate College web site. The individual departments and offices are responsible for checking references and administering job training as it relates to their specific requirements. The Graduate College provides a one-day orientation for all graduate assistants with teaching responsibilities.

      5. Training

        Appropriate training regarding information confidentiality and security is provided to regular, full-time employees, temporary employees, student employees, and graduate assistants.

        Within units where employees, student employees, or graduate assistants will have access to sensitive information, the hiring unit is responsible for providing training associated with confidentiality and safeguarding of information. This training session is to be conducted within the first 5 workdays of employment.

        Student employees requiring FERPA training receive this training within the hiring department. The Student Employment Office requires student employees to sign a FERPA compliance statement. Some units and divisions (such as Enrollment Services) require all employees to receive FERPA training and sign a compliance statement.

        All employees, student employees, and graduate assistants with access to customer information receive a copy of the document "Maintaining the Security, Confidentiality & Integrity of Customer Information." A copy of this document is included in the appendix and is posted on the University’s web site.

      6. Ongoing Training

        Periodically, employees with access to customer information will take part in refresher training regarding information security and confidentiality. Employees with access to Missouri State University’s customer information will take the refresher training every 3 years while employed.

      7. Access to Customer Information

        Only employees, student employees, and graduate assistants whose job duties require them to access customer information shall have access.

      8. Disciplinary Measure for Breaches

        Breaches of information security may result in various levels of disciplinary actions, up to and including dismissal, depending upon the nature and severity of the breach.

        The Missouri State University Employee Handbook states within the "Disciplinary Guidelines" section that the following actions (among others) can be cause for disciplinary actions:

        • Unauthorized use or misuse of all computer systems, equipment and software.
        • Unauthorized release of confidential information from official records.

        All accidental breaches should be reported and rectified as soon as possible. Employees and students are encouraged to report any suspected intentional and/or malicious breaches.

    2. Information Systems

      Information systems include network and software systems that capture, store, process, retrieve, transmit, and dispose of data and information. Only selected systems at Missouri State University handle customer information. These systems include paper-based systems, computer-based systems, and optical imaging systems.

      1. Paper Storage Systems

        Access safeguards are outlined in the document "Maintaining the Security, Confidentiality & Integrity of Customer Information." The University’s warehouses are locked and alarmed or monitored when not occupied.

      2. Computer Information Systems

        Missouri State University-Springfield Computer Services and Missouri State University-West Plains Computer Services serve as the central information security offices on their respective campuses.

        Missouri State University’s Information Technology Policy, including the Privacy Policy, is available on the web. This policy also includes links to the University’s site on "RESCU: Responsible, Ethical, and Safe Computer Use".

        Reports generated by Computer Services at Missouri State University-Springfield are kept in locked boxes in Computer Services until picked up by the requesting unit. The locked boxes are monitored by video surveillance. At Missouri State University-West Plains, the vast majority of reports are printed in the user departments. In cases when reports are generated in the Missouri State University-West Plains Computer Services Department, the report is delivered to the requesting department as soon as the report has been printed.

        The Computer Services departments at both Missouri State University-Springfield and Missouri State University-West Plains are secure areas. Only authorized personnel are allowed entry to secure locations.

        All online access to customer information is restricted to individuals requiring access to perform their jobs.

        Personal information accessible via the web requires a user ID, password, customer identification number, and personal identification number (PIN).

      3. Customer Information Disposal

        When paper documents containing customer information can no longer serve a purpose to the University, the unit that "owns" the document is responsible for shredding it (or ensuring the document is shredded by a qualified commercial shredder) prior to disposal.

        Documents containing customer information that are stored in the University’s warehouse are shredded on-site via a commercial shredding company.

        As computers and storage devices are disposed of, the University erases all data from these devices. The University’s Property Surplus Form requires this process to be completed prior to disposal of these devices.

        Missouri State University-Springfield Computer Services and Missouri State University-West Plains Computer Services magnetically erase all storage tapes and diskettes prior to disposal. All CDs containing customer information are broken prior to disposal.

    3. Managing System Failures and Minimizing System Intrusions
      1. Written Contingency Plans

        Both the Missouri State University-Springfield and Missouri State University-West Plains campuses have developed procedures to be followed in response to major or minor system failures. For security reasons, these plans are not made public. Maintenance contracts are established to expedite computer and network hardware repairs and/or replacements as necessary. Business continuity plans dictate that the University’s mission-critical systems receive priority when re-establishing computer systems following a major system failure. System data will be restored from backup media. The Missouri State University-Springfield and Missouri State University-West Plains technical staffs will communicate and coordinate their respective responses with each other and with senior administrators on both campuses.

      2. Centralized Protection for E-Invasion

        The University mandates the use of anti-virus protection software on mission-critical file servers and all desktop computers. Every attempt is made to keep operating systems and application software at the most current versions with all patches applied to avoid exploitation of security holes. All passwords are encrypted on the systems that will support encryption. Security measures are in place to protect data from being intercepted and viewed as it is transmitted via our campus network.

      3. System Back-ups

        Systems residing within the server farms on the Missouri State University-Springfield and Missouri State University-West Plains campuses are backed up on a regular basis. Both full and differential backups are taken. Back-up media are stored off-site as a precautionary measure.

        System back-ups are addressed in Missouri State University-Springfield’s Backup Procedures and Schedules document.

        System back-ups are conducted on the Missouri State University-West Plains campus based on a published schedule.

      4. Security Breaches

        In the event that information security is compromised, a prompt disclosure will be made to any customers that may have been impacted.

    4. Service Providers
      1. Contracts

        All contracts with service providers are reviewed by the University’s Director of Procurement Services and General Counsel to ensure appropriate contracts include a provision requiring external service providers to observe our high standards of information security and confidentiality. Contracts will not be approved with providers that cannot provide and maintain appropriate safeguards. Contracts with external service providers handling, or with access to, University customer information will include language requiring the implementation and maintenance of appropriate safeguards.