Administrative Guideline 1114

Adopted: November 13, 2007
Revised: April 26, 2022

ADMINISTRATIVE GUIDELINE TYPE: Information Technology

ADMINISTRATIVE GUIDELINE TITLE: Employee Guidelines for Securing Confidential Data

DEPARTMENT RESPONSIBLE: Information Technology

GUIDELINE STATEMENT OF PURPOSE: Employee Guidelines for Securing Confidential Data

I. Statement of Purpose

SCC has implemented security controls to ensure “confidential” data is protected and accessed exclusively for job-related responsibilities. Confidential data includes personal, financial and educational records for employees, students, alumni and friends of the College. This guideline covers both paper and electronic records.

II. Definitions

The following table defines SCC’s data categories and lists examples of each classification.

Category 1 – Strictly Confidential

Definition: Information protected by statutes, regulations or institutional policies whose loss may cause personal or institutional information/financial loss. The access or release of this data requires explicit approval by a member of the President’s Executive Council (PEC).

Examples: SSN, Birth Date/Year, Medical/Disability Info., Bank/Credit Card, User IDs/Passwords, Transcripts, Personnel Records, Financial Aid, Grades

Note: Administrative Guideline 1119 documents SCC’s privacy policy/confidentiality procedures for students from European Union (EU) countries.

Category 2 – Internal/Non-Public

Definition: Information whose loss, corruption or unauthorized disclosure is of importance only inside the organization. This data requires information owner approval before being distributed.

Examples: Intranet Forms, Non-Category 1 HR, Financial Records, Email Correspondence, Network Folders, Class Schedule

Category 3 – Public

Definition: Information that may or must be open to the general public. This data may be made available without specific approval.

Examples: Directory Information, Published Bills/Salaries, Press Releases, IR-approved data, Catalog Web Site

III. Employee Responsibilities

SCC employees who have access to confidential data, information and reports (Categories 1 and 2) are responsible for the following:

  1. Maintain adequate key control and limit access to sensitive areas to authorized employees
  2. Ensure confidential data is physically secured by locking rooms and/or file cabinets where data is located when authorized staff is not present. Departments that store confidential data in public areas will develop a formal “Office Security Plan” for securing confidential data based on their office hours, personnel and the accessibility of their area.
  3. Incorporate “strong passwords” that meet the following requirements and conditions:
    1. Use at least 12 characters, including letters, numbers and special characters (such as !, #, %), and avoid passwords that are easily guessed.
    2. The Information Technology Services Department strongly recommends using “passphrases” for your password. Passphrases are easier to remember and help to meet the 12-character length requirement described in C.i. above.
    3. Do not leave your password in written format.
    4. The College may require all SCC employees to change their passwords periodically.
    5. Never share your password with anyone.
    6. SCC is implementing Multi-factor Authentication (MFA) on July 1, 2022. Never share your MFA credentials.
  4. The Information Technology Services department configures all machines with the “Windows Firewall” activated. Ensure that your “Windows Firewall” is active. (Contact the Information Technology Services department if you have questions about this resource).
  5. All employees using SCC mobile devices (laptops, iPads, Surfaces, etc.) must store electronic files with ‘strictly confidential information’ on the College’s network folders (e.g. H Drive/P Drive). SCC employees using mobile devices must not store confidential data on local or mobile storage drives (USB, CD, DVD, etc.). Note: Faculty may store gradebook information for their specific courses on local device/storage or third-party resources, but must take appropriate measures to ensure security as documented in this administrative guideline.
  6. Take measures to limit the view of computer screens and other resources (e.g. paper) displaying confidential data to only authorized employees.
  7. Close screens that display confidential data when they are no longer needed to perform job responsibilities.
  8. Do not store or access SCC strictly confidential data on a personally owned computing device (e.g. smartphone, laptop, iPad) or in the cloud (e.g. Microsoft OneDrive, Google Drive). Note: Faculty may store gradebook information for their specific courses on local device/storage but must take measures to ensure security as documented in this administrative guideline.
  9. Lock or log off your computer when leaving your work area for an extended period of time (for example, lunch or the end of the day).
  10. Paper documents that list confidential data should be shredded when they are no longer needed. If reports are needed for an extended period, they should be locked in a secure manner.
  11. Refer calls and mail requesting confidential data to the Institutional Research office in the Information Technology Services department.
  12. All employees should report suspicious activities related to technology systems and confidential data to the Vice President of Technology Services. (Note: Please refer to Administrative Guideline 1116, “Employee Guidelines for Reporting Security Incidents,” if you have experienced any suspicious activity.)

IV. Confidential Data Training & Awareness

The College facilitates the following training/awareness initiatives in reference to “Securing Confidential Data”.

  1. Core Training – SCC employees complete Core training before they receive access to the Ellucian (Student Information ERP) system.
  2. FERPA Training – Annual training for all SCC employees.
  3. Non-Disclosure Form – All SCC employees that have access to “Reporting Services” must read and sign the “Non-Disclosure” form to ensure they understand the importance of securing data and the confidentiality of this information.
  4. Non-Disclosure Gateway – All employees accessing the Ellucian system see a “pop-up” non-disclosure reminder that must be accepted before each login.
  5. Annual Data Security Training – The Information Technology Services department will provide annual data security training/policy review to departments that access/house “confidential data.”
  6. Awareness – The Information Technology Services department communicates security-related topics/issues on a periodic basis (for example, reminders about phishing emails that get through the spam filter).

V. Audits, Controls & Monitoring

The following auditing and control measures have been implemented to secure, assess and improve data security.

  1. Security Class Review (Least Privilege) – ITS Security Team will review security class alignment with job responsibilities on a monthly basis. Any discrepancies will be communicated to the appropriate member of the President’s Executive Council (PEC) and updated if needed.
  2. Virtual Private Network (VPN) Review – ITS Security Team will review external access alignment with job responsibilities on a monthly basis. Any discrepancies will be communicated to the appropriate member of the President’s Executive Council (PEC) and updated if needed.
  3. Background Checks – All applicants for SCC positions must pass a background check before employment is offered.
  4. Computer Encryption – All new computers will have software-based encryption deployed to protect confidential data.
  5. PCI/DSS Controls – SCC collaborates with its banking partner to ensure the College meets PCI/DSS regulations. This includes, but is not limited to, quarterly scans, network segmentation, etc.
  6. Other Audit Reviews – Central Management Software is utilized to detect errors and abnormal traffic for the following:
    1. Firewall
    2. Authentication (Active Directory)
    3. DHCP
    4. Network Equipment (Routers and Switches)
    5. Wireless
    6. Internet
  7. SCC deploys firewalls, IPS/IDS, Antivirus (Enterprise, Local), Windows Firewall (Access Points), VLANs (Access Control Lists), etc.

VI. Administrative Guideline (AG) References

  1. AG306 - Procedures for Meeting the Family Educational Rights and Privacy Act (FERPA)
  2. AG1111 – Ellucian Security Access
  3. AG1116 - Employee Guidelines for Reporting Security Incidents
  4. AG1119 – General Data Privacy Regulation (GDPR)