Wright State University IT Security Policy
Policy Number: 1106
Date Issued: Revised/November 2012

References: Department of Computing and Telecommunications Services
Authority:   Office of the Provost

1106.01 Purpose

Wright State University (WSU) is responsible for collecting, storing, and distributing very large amounts of information. Some of this information is federally legislated as private and must be protected in accordance with laws such as the Family Education Rights and Privacy Act (FERPA) of 1974 (for student records), the Gramm-Leach-Bliley Act (GLBA) of 1999 (for personal financial information), the Health Insurance Portability and Accountability Act (HIPPA) of 1996 (for personally identifiable health information), and the Payment Card Industry Data Security Standards (PCI DSS). All members of the university have responsibility to protect information about our students and employees from public disclosure.

  1. Protected Information

    Information that is classified as "protected" cannot be disclosed or disseminated to the public. Much of the information about our students and employees is considered protected.

    • Social Security Number
    • Birth Date
    • Credit card security code
    • Encoded magnetic strip information
    • Health Information
    • Student grades
    • Gender
    • Ethnicity
    • Citizenship
    • Citizen visa code
    • Veteran and disability status
    • Courses taken
    • Schedule
    • Test scores
    • Advising records
    • Educational services received
    • Disciplinary actions
    • Credit card numbers & expiration dates

The Wright State IT Security Policy is designed as a set of measures to protect the confidentiality, integrity and availability of sensitive data, such as those outlined above, as well as any Information Systems that store, process or transmit this data.

Note: Students have the right to withhold their directory information from being released by completing a "Request to Prevent Release of Directory (public) Information" form in the Registrar's Office. Once received, a confidentiality flag will be noted in the student information system to indicate that no directory information for that student is to be released. The existence of such a confidentiality flag must be confirmed before any directory (public) information is released for any student. Questions should be directed to the Registrar's Office (937-775-5588; registrar@wright.edu).

1106.02 Scope

This policy applies to all faculty, staff, student employees, and any third parties designated as agents authorized to handle institutional data and/or access University computing systems.

1106.03 General Privacy Guidelines

All employees and users of network computing resources at Wright State University have a role in protecting the university's information assets because their computers provide potential gateways to protected information stored on the network. Therefore, whether or not you deal directly with protected or confidential university information, you should take the following steps to reduce the risk of data theft:

  1. Don't give out information to someone you don't know
  2. Be alert to any incident that would indicate the possibility of identity theft. Please reference WSU's Red Flags Policy for more information: /wrightway/1105
  3. Restrict access to information and systems to only those people who need it to perform their jobs
  4. Encrypt documents containing sensitive information before transmitting them via email, ftp, and other forms of electronic transmission. Do not include sensitive information in the body of an email unless the email is encrypted
  5. Regularly review the list of users who have access to systems that store protected information, and remove those who should no longer have the access
  6. Test internal processes to ensure data integrity and security
  7. Printed pages, CDs, diskettes, etc should be stored in a locked cabinet when not in use and identify as "PROTECTED"
  8. Immediately retrieve or secure protected documents that are printed on copy machines, fax machines, and printers
  9. Do not store sensitive data on cloud storage provide by 3rd party services such as Microsoft Skydrives, Google Docs, iCloud, etc.
    1. FERPA Information

      The Family Educational Rights and Privacy Act of 1974 (FERPA) as amended sets forth requirements designed to limit the disclosure of student educational records. The law governs access to records maintained by educational institutions and the release of information from those records. In early 2009 new FERPA regulations took effect, which prohibit the public posting of grades by any part of the student UID number in addition to any part of the Social Security Number or name. Restrictions were included covering the electronic transmission of information – information covered under FERPA must be transmitted in a secure manner. This includes the transmission via email, ftp services, and other forms of transmitting information electronically.

      For more information on FERPA: /wrightway/4010

    2. Credit Card Information

      Credit card data, including the expiration date, is sensitive, confidential information which must be stored in a secure manner and destroyed when it is no longer needed. Note that the maximum retention time to keep this data is 18 months. In addition, the credit card security code and encoded magnetic stripe information should never be stored. Sensitive credit card information such as the full 16 digit card number should never be stored on a computer hard drive, network drive, or portable device such as a flash drive.

      For more information on the Cash Collection & E-commerce Policy and Procedures: /wrightway/5003

    3. GLBA Information

      Wright State University is committed to the ongoing protection of confidential financial information that it may collect from faculty, staff, students, alumni and others. The Gramm-Leach-Bliley Act*('GLBA") addresses the privacy of non-public identifying information and describes the necessity for administrative, technical and physical safeguarding of that type of information. GLBA mandates the University develop, implement and maintain a comprehensive information security program (the "Plan") to insure the safeguarding of Confidential Financial Information ("CFI"). The University obtains CFI from students, faculty, staff and others that may include, but is not limited to:

      1. *15 U.S.C. §6801
      2. Names
      3. Social Security Numbers
      4. Date and location of birth
      5. Gender
      6. Credit card numbers
      7. Drivers license information
      8. Salary history
      9. Personal check information
      10. Tax or financial information from a student or a student's parents

      For more information on GLBA please see the following: http://www.wright.edu/cats/policy/privacy/glba.html

    4. HIPAA Information

      The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection of private health information for individuals. HIPAA requires an individual's medical records be safeguarded and kept confidential. HIPAA-related date must be available to only those with sanctioned access and be encrypted when transmitted electronically.

      For more information on HIPAA, see Wright State University's HIPAA Privacy Manual.

1106.04 Password Standards

The following are general password policies applicable for network, system resources and internet access use:

  1. Users must abide by policies state in the WSU Computing and Telecommunications Account Policy Statement
  2. CAMPUS passwords and user logon IDs should be unique to each authorized user.
  3. CAMPUS passwords will follow the standard set forth on the WINGS portal: http://wings.wright.edu
  4. CAMPUS passwords will be kept private i.e., not shared, coded into programs, or written down.
  5. CAMPUS passwords will be changed every 180 days. Systems will enforce password change with an automatic expiration and prevent repeated or reused passwords.
  6. CAMPUS user accounts will be locked after 9 failed logon attempts. All failed login attempts will be recorded.
  7. Successful systems logons should display the date and time of the last logon and logoff.
  8. Logon IDs and passwords are suspended if a client is not authorized during current term unless authorized by Computing and Telecommunications Account Policy Statement.

1106.05 Password Best Practices

Every user is responsible for keeping their password secure. The following are some best practices which help keep your password a secret:

  1. Do not write your passwords on sticky notes or other pieces of paper around your desk.
  2. Do not share your passwords with anybody. Computing and Telecommunications Services (CaTS) will never ask for your password. If you receive an email purported to be from CaTS requesting your password, it is likely an attempt to gain your credentials by a fraudulent source.
  3. Do not hide your passwords under your keyboard. This is like hiding your house key under the door mat—crooks know to look there! Try to memorize your password.
  4. Avoid logging into your Wright State accounts from third party computers. It is difficult to know for certain if other computers have been compromised with a computer virus or a key logger. Be especially cautious if your user account has access privileges to highly sensitive areas such as banner.

1106.06 Operating System Updates

  1. Operating System updates are small programs or files that patch operating systems (such as Windows) from known problems. These updates are crucial in defending against new viruses and attacks. Hackers are constantly looking for vulnerabilities in operating systems and programs, and can easily find and infiltrate a computer that has not been properly patched.
  2. For CaTS managed computers on the Wright State University network (normally defined as faculty, staff, and administrative computers), security updates are automatically installed from our update server. For students living in the residence halls, or home users, your computer should be setup to automatically download and install critical updates. For specific directions on how to do this for your particular operating system, Do IT Wright website, located at http://www.wright.edu/security/.
  3. All systems connected to the WSU's network should have a vendor supported version of the operating system installed.
  4. All systems connected to the WSU's network must be current with security patches.

1106.07 Virus Protection

  1. A computer virus is a program that implants instructions into your computer programs or storage devices that can then attack, scramble, or erase computer data. The destructiveness of viruses lies in their ability to replicate themselves and spread from system to system. It is very important to have anti-virus software running on your computer and to keep it up to date so that new viruses can be detected.
  2. CaTS requires all computers connected to the Wright State network have up to date anti-virus software. For CaTS supported systems on campus (faculty and staff offices), this is done automatically. Disabling anti-virus software is prohibited.

1106.08 Spyware Protection

  1. Spyware is any software that watches your computing activity and collects personal data without your permission. It can be hidden in programs that you download from the Internet. Once you install that program, the spyware can monitor your activity and send that information to someone else. Email addresses, web browsing habits, usernames, and passwords are just some of the data that spyware can collect. This data can then be used for identity theft, marketing, spam, and other activities. Along with the ability to steal your information, spyware also consumes large amounts of memory on your computer, making it more unstable and prone to crashing.
  2. To reduce the amount of spyware on your computer, all computers connected to the Wright State University network are required to have actively updated spyware protection software installed if available for that operating system.

1106.09 Firewall Protection

A firewall is a system that is designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software formats. Here at Wright State University, CaTS maintains both hardware and software perimeter firewalls for the entire campus community that control internet traffic in and out of our network. For individual computers, personal desktop firewalls, such as Windows Firewall, must be enabled to help prevent unauthorized access.

1106.10 Email

Keep in mind that email is not secure. Never put sensitive information, such as Student Grades, Social Security Numbers, Credit Card information, or Bank Account Numbers into any part of your email or email attachments unless the email and attachment are encrypted.

  1. Faculty and staff: Please note that any attachments containing ePI (electronic personal information) must be encrypted before being sent via email.
  2. When sending an encrypted message through email, never place the password to unlock the file in an email.
  3. Do not forward documents or emails containing institutional data to outside email accounts without first checking with your manager and/or the Department of Information Security.
  4. In addition to the above security concerns the following apply:
    1. Forgery (or attempted forgery) of electronic mail messages is prohibited.
    2. Attempts to read, delete, copy, or modify the electronic mail of other users are prohibited.
    3. Attempts at sending harassing, obscene and/or other threatening email to another user are prohibited.
    4. Use of electronic mail services for purposes constituting clear conflict of WSU interests or in violation of Policy for Responsible Use of Information Technology is expressly prohibited.
    5. The use of email in any way to facilitate the conduct of a private commercial purpose is prohibited.
    6. The contents of email messages will not be considered private and are subject to the Sunshine Laws.
    7. Users may not use WSU CaTS' mail servers for any purpose prohibited by this policy or applicable state and federal laws.

1106.11 Instant Messaging (IM) Applications

  1. Instant messaging software is not a secure form of communication. Information transmitted via these software packages is not encrypted and travels outside of the university network environment to arrive at its destination even if that destination is another individual at Wright State University. The following should be adhered to when using this type of software:
    1. Do not transmit Institutional Data in an instant message or via a file transfer or any other means of communication these programs provide.

1106.12 Data Integrity

Protecting the integrity of data is another very important step in the overall health of the university's information. You can do this in a number of ways, most notably through using data encryption methods, backing up the data on a regular basis, and using Virtual Private Network (VPN) software when connecting to university information from remote locations.

For more information concerning CaTS VPN go to: http://www.wright.edu/cats/policy/security/vpn_policy_printable.pdf

  1. Encryption

    Encryption is the process of transforming information from clear or plain text into a non-readable format so that only the intended reader can understand or change the message content. Encryption ensures privacy. It is a way to keep prying eyes from reading confidential information that is sent across the public internet.

    Certain software applications have encryption methods embedded in them for sending and receiving secure information and for the storage of information. There is also third party software available that can be used to encrypt information. For directions on encrypting files, check out the "Encryption" area on the following website: http://www.wright.edu/security/itwright/habits.html#integrity

  2. Backups

    One of the most important steps you can take to ensure that the integrity of your data is protected is to backup your files on a regular basis. Data loss can come at any time and for a number of reasons:

    1. Theft of computer
    2. File corruption
    3. Hard drive failure
    4. Accidental deletion of a file or files
    5. Viruses
    6. Natural disasters

  3. Perform a backup of your files at least once a week, and backup critical files more often if they change. If you need assistance in backing up your files, contact the CaTS Help Desk at (937) 775-4827 and they will be glad to assist you. If files are stored on the network shared drive or network personal storage space, backups are performed by CaTS on a nightly basis.

  4. Mobile and Cellular Devices

    Information stored on laptop computers, personal organizers (e.g. Blackberry, Palms), cellular phones, thumb drives, and other similar mobile devices is susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure—even networks using certain types of encryption are vulnerable to intruders. The following rules apply to all mobile devices:

    1. Encrypt documents containing sensitive information before they are placed on portable devices, unless the entire drive or data storage of the device is encrypted.
    2. Smart phones capable of receiving email should be configured to connect to our server via secure IMAP—Post Office Protocol is not to be used.
    3. Protect and secure mobile devices from theft at all times.
    4. Use CaTS VPN when transmitting sensitive information via wireless technologies.
    5. Use personal firewalls on laptops that will access the WSU Network from a remote location.
    6. Password protect mobile devices when not in use.
    7. Report any loss or theft of a mobile device containing sensitive information to the Department of Information Security.
    8. Backup the data on your mobile devices on a regular basis—backup media should be stored in a secure location or the backup should be encrypted.
    9. Bluetooth wireless is to be disabled to protect mobile devices from unauthorized access.
  5. Security of Surplus Equipment

    When university owned computer systems reach the end of their usefulness in your department, you have the option to surplus that equipment through ESPM. However, this presents its own share of security risks that need to be addressed. Due to the significant risk of sensitive Information leaving the university on hard drives that have not been properly erased, all computer (desktops and laptops) that are being sold through ESPM must have their hard drive removed by CaTS before being processed through ESPM. CaTS will ensure proper disposal of the drive. To arrange a removal, contact the Cats Help Desk at (937) 775-4827.

  6. Security of Physical Media

    Ensuring the confidentiality of information requires that all physical media (CDs, floppy disks, hard drives, etc) be disposed of properly. This means that, in addition to being properly erased before being discarded, hard drives must also be erased before being returned for any type of warranty work. Additionally, other media such as floppy disks, CDs, DVDs, and paper must also be carefully destroyed if they contain confidential information. Floppy disks should be destroyed by breaking the disk in half, and cutting the center ring with scissors. CDs and DVDs should be broken into multiple pieces, and paper documents should be shredded. If assistance is needed in properly disposing of any physical media, contact the CaTS Help Desk at (937) 775-4827.

1106.13 Incident Handling

  1. The Office of Information Security will oversee information security incident handling in cooperation with designated Technical Managers, Office of General Counsel, University Police Department, Office of Student Affairs (only where students are involved), and other designated support staff.
  2. Any person who suspects, receives notification of, or discovers an information security incident must contact the Office of Information Security and responsible IT department and file an accident report prior to taking any action.
  3. To report an incident: https://www.wright.edu/cgi-bin/incidentresponse.cgi

1106.14 Supporting Documents

Information Security Framework: http://www.wright.edu/cats/policy/it/wsu_it_security_framework.pdf