NWCCD Privacy Statement
Policy Series 3000 | Board Policy 3005
Information Security
The District shall have data security procedures that comply with all local, state, and federal laws, rules, and regulations to safeguard the security and confidentiality of all records. Employees shall be trained regularly on data security.
Policy Series 3000 | Policy 3005 | Procedure 3005.1
Data Security Information Program
I. Purpose and Background
In order to protect confidential information and data, and to comply with federal laws, this document summarizes the Northern Wyoming Community College District (NWCCD or District) comprehensive written information security and identity theft prevention procedure.
The Gramm-Leach-Bliley Act of 2000 (GLBA) mandates that financial institutions must take steps to safeguard the security and confidentiality of customer information. The Federal Trade Commission (FTC) ruled that GLBA applies to institutions of higher education. Compliance with GLBA involves compliance with 1) the privacy provisions of the Act, and 2) provisions regarding the safeguarding of customer information. The Fair and Accurate Credit Transactions Act (FACT Act) requires financial institutions to establish a program to help detect, prevent, and mitigate identity theft of “covered accounts.” The FTC has said that colleges are deemed in compliance with the privacy provisions of GLBA if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). With respect to the second area, GLBA and the FACT Act specify new requirements for colleges to safeguard non-public customer information and certain covered accounts, such as family financial information, social security and identification numbers, by having an institutional security program and security plans in specific offices of the college that handle such information.
II. Gramm-Leach-Bliley and FACT Act Requirements
GLBA mandates that the District designate information security program representatives to coordinate the information security program, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to customer information, oversee service providers and related contracts, and evaluate and adjust this program periodically. The FACT Act has similar requirements, including mandating schools to have a program to identify, detect, and respond appropriately to relevant “red flags;” this is further detailed in Procedure 3015.2: NWCCD Identify Theft Program.
III. Designated Security Program Officers – Colleague Manager’s Group
The members of the Colleague Manager’s Group are the designated GLBA Security Program Officers for the District and are listed here.
- Assistant Vice President, ITS/Chief Information Officer, Co-chair
- Assistant Vice President, Enrollment Management/Registrar, Co-chair
- Assistant Vice President, Human Resources
- Executive Director, Admissions
- Director, Finance/Controller
- Director, Financial Aid
- Director, Advising Services
- Director, Administrative Services, Gillette College
- Director, Enrollment Services, Gillette College
The following positions provide support, leadership and are a resource to the Colleague Manager’s Group to ensure appropriate data security protocols for their designated areas:
- Assistant Vice President, Facilities
- Director, Facilities, Gillette College
- Director, Dental Hygiene (HIPAA Compliance for the Dental Clinic)
- Clinic Manager, Dental Hygiene (HIPAA Compliance for the Dental Clinic)
The Colleague Manager’s Group and the individuals who serve as the GLBA security program officers provide leadership to the administration and maintenance of the procedures and processes included in the data security information program, the identity theft prevention plan, and the information technology services security procedure as outlined in this procedure and Procedure 3005.2: Identify Theft Prevention Program and Procedure 3005.3: Information Technology Services Security.
The Colleague Manager’s Group members provide leadership to campus-wide data security efforts and advisory support to ITS staff in these endeavors. This includes the management of the following processes:
- Maintenance of the Data Security Training Guide which provides a general overview of the District systems, definitions, remote access considerations, and processes for reporting a data breach.
- Administration of the annual employee training and prevention program.
- Annual review of the Federal Financial Institutions Examination Council cybersecurity and preparedness assessment.
- Development of an annual monitoring report to the NWCCD Board of Trustees that includes preventative activities, risk assessment, data breaches, and future initiatives.
IV. Customer Information
For purposes of FERPA and GLBA, the District considers students, employees, alumni, and any other third party engaged in a financial transaction with NWCCD as “customers.” Customer information that must be safeguarded is “any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form.” It includes financial information, student’s financial accounts, academic and employment information, and other private paper and electronic records.
V. Privacy Provisions
With respect to the privacy provisions of the GLBA, NWCCD complies with FERPA. Directory information (name, address, enrollment at the college and degree information) is considered public, unless a student has requested otherwise in writing. All non-directory information is restricted or confidential, what GLBA calls “non-public.” Under FERPA, restricted information (for example, academic or financial records) is released outside the District only with the student’s written consent. Designated school officials, including faculty, key employees and occasionally outside service providers, have access to restricted, “non-public” information on a need-to-know basis only. Confidential information (for example, a faculty member’s or department chair’s private notes) is even more protected than restricted information and released only in certain unusual circumstances as outlined in FERPA.
In addition, the District complies with HIPAA (Health Insurance Portability and Accountability Act of 1996) with respect to the dental hygiene clinic. The academic department director provides leadership to ensure that patient information is secured in accordance with all privacy guidelines.
VI. Security Provisions
With respect to the safeguarding provisions of the GLBA Act, this procedure is designed to ensure the security, integrity, and confidentiality of non-public customer information, protecting it against anticipated threats, and guarding it against unauthorized access or use. This procedure applies to all District departments and covers all physical, technical, and administrative safeguards used in the collection, distribution, processing, protection, storage, use, transmission, handling, or disposal of non-public customer information.
VII. Physical Safeguards
The District uses direct personal control or direct supervision to control access to and handling of all non-public customer information when an office is open. Whether the information is stored in paper form or any electronically accessible format, departmental non-public information is maintained, stored, transmitted, and otherwise handled under the direct personal control of an authorized employee of the District.
Departmental non-public information is collected, processed, transmitted, distributed, and ultimately disposed of with constant attention to its privacy and security. Conversations concerning non-public information are held in private. Papers with non-public information are mailed via official campus mail, US mail, or private mail carrier. Departments are encouraged to password-protect electronic files of non-public information when transmitting electronically. When best practices permit the disposal of non-public information, it is destroyed; paper containing such information is routinely shredded.
Confidential material is kept secure. Most offices have locked windows and locked doors with restricted access. For those that do not, materials are kept in locked filing cabinets or other locked storage areas. When offices are open, confidential information is kept out of sight from visitors, and computer screens are not visible to visitors. Offices and/or computers are locked when the office will be vacant for an extended length of time.
Key access is limited to authorized District employees only, in the context of District key control governing the distribution of keys.
Departmental cloud storage and information processing generally conforms to the same practices as onsite storage and is safeguarded under the provisions for outside service providers, as described below.
VIII. Technical Safeguards
Procedure 3005.3: Information Technology Services Security outlines the technical safeguards managed by the Information Technology Services Department (ITS). According to industry standards, the District relies on the ITS to provide network security and administrative software password access security. This protects non-public student information that is accessed electronically but stored outside of a department. Departmental desktop computers and other electronic devices storing non-public student information are protected by physical safeguards.
IX. Employee Management and Training
All District employees including part-time, temporary, student employees, and volunteers are trained when they are hired and are provided annual training thereafter in reference to security of sensitive and confidential material used in their respective offices. Employees are held accountable to know and understand that they are not permitted to access non-public information for unapproved purposes or to disclose it to unauthorized persons. Their access is only to perform their duties for the District. The training includes processes to detect and not respond to “pretext calling” or e-mail “phishing” which occurs when someone attempts to obtain confidential information via unauthorized calls or electronic means in order to commit identity theft. The Employee Handbook articulates that violation of security policies could result in disciplinary action up to and including dismissal from employment, legal action, or both.
X. Outside Service Providers
ITS shall guide the entire purchasing process of their-party software services to manage the contract details pertaining to data ownership, security, stewardship, and backup. All contracts must be reviewed by both the director of the functional area requesting the contract and the Chief Information Office prior to VP of Administration/CFO approval. Each area ensures that third party service providers are required to maintain appropriate safeguards for non-public information to which they have access. Contracts with service providers, who within their contracts have access to NWCCD non-public student information, shall include the following provisions:
- Explicit acknowledgment that the contract allows the contract partner access to confidential information;
- Specific definition of the confidential information being provided;
- Stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- Guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract;
- Guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers’ confidential information;
- Provision allowing for the return or destruction of all confidential information received by the contract partner upon completion of the contract;
- Stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract;
- Stipulation that any violation of the contract’s protective conditions amounts to a material breach of contract and entitles NWCCD to immediately terminate the contract without penalty;
- Provision allowing auditing of the contract partners’ compliance with the contract safeguard requirements;
- Provision ensuring that the contract’s protective requirements shall survive any termination agreement.
XI. Review, Reporting, & Assessment Procedure
An annual assessment of data security occurs annually. The assessment includes the review of the procedures that are included as part of Policy 3005: Data Security by the Colleague Manager’s Group. The GLBA Security Program Officers circulate these procedures to each department and request a review and assessment. The annual review also includes identification and assessment of internal and external risks to the security, integrity, and confidentiality of nonpublic customer information and covered accounts, including review of outside contractors and their contracts to ensure that proper safeguards are in place. The results from each department will be included in a comprehensive review of the District. These reports are used to inform improvements to the systems and training priorities. A summary of these reports is provided to the NWCCD Board of Trustees in an annual monitoring report.
Policy Series 3000 | Policy 3005 | Procedure 3005.2
Identity Theft Prevention Program
I. Background
In compliance with the Federal Trade Commission’s Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003, the Northern Wyoming Community College District (NWCCD or District) developed this procedure initially in 2010.
II. Definitions
Identity theft – fraud committed or attempted using the identifying information of another person without authority.
Covered account – an account that a creditor offers or maintains, primarily for personal, educational, family, or household purposes, that involves or is designed to permit multiple payments or transactions.
Red flag – a pattern, practice, or specific activity that indicates the possible existence of identity theft.
III. Purpose
The purpose of the Identity Theft Prevention Program (ITTP) is to prevent, detect, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the ITTP. The ITTP shall include the following processes and incorporate existing procedures and processes that
control reasonably foreseeable risks:
a. Identification of relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program;
b. Detection of red flags that have been incorporated into the Program;
c. Appropriate responses to any red flags that are detected, to prevent and mitigate identity theft; and
d. Assurance that the program is reviewed annually and updated as needed to reflect changes in risks from identity theft to individuals, and to the safety and soundness of the creditor.
IV. Covered accounts include the following:
- Student accounts, degree-seeking
- Student accounts, non-degree-seeking
- Employee accounts
V. Identification of relevant red flags
a. The ITTP considers the following risk factors in identifying relevant red flags for covered accounts:
i. The types of covered accounts as noted above;
ii. The methods provided to open covered accounts: acceptance to the District and enrollment in classes requires a common application with personally identifying information; employment with the District requires a background check and confirmation of personally identifying information.
iii. The methods provided to access covered accounts:
-
-
- Username and password generated from a verified student application or employment.
- Disbursements obtained in person require photo identification.
- Disbursements obtained by mail can only be mailed to an address on file.
- Disbursements via ACH are verified by a pre-note process.
-
iv. The District’s previous history with identity theft.
b. The ITTP identifies the following red flags:
i. Documents provided for identification appear to have been altered or forged;
ii. The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification;
iii. A request to mail something to an address not listed on file; or
iv. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
c. The ITTP detects red flags relevant to each type of covered account as follows:
i. Degree-seeking student account with a credit balance involving a PLUS loan – as directed by federal regulation (U.S. Department of Education) these balances are required to be refunded in the parent’s name and mailed to their address on file
within the time period specified. No request is required. Red Flag – none as this is initiated by the District.
ii. Student account with a credit balance, no PLUS loan – the refund check can only be mailed to an address on file or be deposited directly into a student’s preferred banking account via ACH. Red Flag – information does not match District records.
iii. Requests from current or former students via phone require confirmation of identify using the Student Identification Verification process which is maintained by the Colleague Manager’s Group. Red Flag – information does not match District records.
iv. Emergency funding – Requests must be made in person by presenting a photo ID. The check can only be mailed to an address on file or picked up in person by showing photo ID. Red Flag – photo ID not appearing to be authentic or not matching the appearance of the student presenting it.
VI. Response – The ITTP provides appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate response(s) to the relevant red flags are as follows (more than one response may apply):
-
-
- Deny access to the covered account until other information is available to eliminate the red flag;
- Contact the student;
- Change any passwords, security codes or other security devices that permit access to a covered account;
- Notify law enforcement; or
- Determine no response is warranted upon review.
-
VII. Oversight of the ITTP
Responsibility for developing, implementing, and updating this Program lies with the Vice President for Administration/CFO. As named in Procedure 3005.1: Data Security Information Program, the members of the Colleague Manager’s Group are responsible for the daily management of the program implementation; ensuring appropriate training of District staff on the program; reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft; determining which steps of prevention and mitigation should be taken in particular circumstances; recommending improvements to the program; and producing an annual report that includes all red flag reports.
This ITTP will be reviewed annually and updated to reflect changes in risks from identity theft to students and the soundness of the District. The Colleague Manager’s Group will consider any experiences with identity theft, changes in identity theft methods, changes in identity theft detection and prevention methods, changes in types of accounts the District maintains, and changes in the District business arrangements with other entities.
VIII. Staff Training
The Colleague Manager’s Group will provide leadership to the development, execution, and assessment of the training program for the District staff responsible for implementing the ITTP.
IX. Oversight of Service Providers
The District shall take steps to ensure that the activity of a service provider that interacts with student accounts (e.g., collection agency, payment plan processor) is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more covered accounts. Current contracts are kept with the Director of Finance/Controller.
Policy Series 3000 | Policy 3005 | Procedure 3005.3
Information Technology Services Security Procedure
I. Roles & Responsibilities
- Protecting customer information is a shared responsibility between NWCCD offices and the Information Technology Services (ITS) staff. Several District offices have procedures and processes in place to manage and reduce risk related to student and employee information.
- ITS maintains NWCCD procedures and processes that protect against any anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information. This document is an outline of ITS expectations and practices that protect electronic information.
- The Colleague Manager’s Group members, as outlined in Procedure 3005.1: Data Security Program, provides leadership to campus-wide data security efforts and advisory support to ITS staff in these endeavors. This includes the management of the following processes:
-
- Maintenance of the Data Security Training Guide, which provides a general overview of the District systems, definitions, remote access considerations, and processes for reporting a data breach;
- Administration of the annual employee training and prevention program;
- Annual review of the Federal Financial Institutions Examination Council cybersecurity and preparedness assessment; and
- Development of an annual monitoring report to the NWCCD Board of Trustees that includes preventative activities, risk assessment, data breaches, and future initiatives.
II. ITS Practices/Policies
Access and security to sensitive information comes from a combination of several factors: network security protocols, user credential security permissions, independent system security permissions, and physical restrictions to network infrastructure.
Printed reports containing confidential and sensitive data are secured within offices or behind locked doors. Reports that are no longer needed, containing confidential and/or sensitive data, are shredded or stored securely until they are shredded.
For increased security of information shared electronically, NWCCD has enhanced the email system to identify received emails from external entities. It is also encouraged that the sharing of information be done using Microsoft Teams, OneDrive or the NWCCD Hub.
In addition to network and physical security, the security access request process is a fundamental layer of protection. This process is key to protecting administrative information and describes the procedures by which system privileges are granted, passwords maintained, security monitored and issues communicated. System privileges are managed through an ITS process that includes department directors, ITS staff and the Colleague Manager’s group members.
Faculty and staff granted access to institutional data may do so only to conduct District business.
In this regard, employees must follow Procedure 3005.1: Data Security Program, Procedure 3005.2: Identify Theft Prevention Program, the Employee Handbook, and the items contained within this procedure. In summary, employees must:
- Respect the confidentiality and privacy of individuals whose records they access;
- Observe ethical restrictions that apply to the data to which they have access; and
- Abide by applicable laws or policies (e.g., FERPA, HIPAA) with respect to access, use, or disclosure of information.
Furthermore, employees shall not:
- Disclose data to others, except as required by their job responsibilities;
- Use data for their own personal gain, nor for the gain or profit of others; and
- Access data to satisfy their personal curiosity.
Students and employees who violate this procedure are subject to disciplinary procedures managed for students by the Vice President for Student Affairs (Procedure 5075.2: Student Code of Conduct) and managed for staff by Human Resources as described in the Employee Handbook.
III. Administrative Information
Administrative information is any data related to the business of the District including, but not limited to, financial, personnel, student, alumni, and physical resources. It includes data maintained at the departmental and office level as well as centrally, regardless of the media on which they reside. Administrative information does not include library holdings or instructional notes unless they contain information that relates to a business function. The District recognizes administrative information as a District resource requiring proper management in order to permit effective planning and decision-making, and to conduct business in a timely and effective manner. Employees are charged with safeguarding the integrity, accuracy, and confidentiality of this information as part of the condition of employment.
Access to administrative systems is granted based on employee need to use specific data, as defined by job duties, and is subject to appropriate approval. As such, this access cannot be shared, transferred or delegated. Failure to protect these resources may result in disciplinary measures being taken against the employee, up to and including termination of employment.
Requests for release of administrative information are referred to the Public Information Office as outlined in Policy 3030: Public Records. The District retains ownership of all administrative information created or modified by its employees as part of their job functions. Administrative information is categorized into three levels:
- Confidential information requires a high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration, or destruction of the data. This includes information whose improper use or disclosure could adversely affect the ability of the District to accomplish its mission.
- Sensitive information requires some level of protection because its unauthorized disclosure, alteration, or destruction might cause damage to the District. It is assumed that all administrative output from the administrative database is classified as sensitive unless otherwise indicated. Examples include class lists, contract data, and vendor information.
- Public Information can be made generally available both within and beyond the District. It should be understood that any information that is widely disseminated within the campus community is potentially available to the public at large. Official requests for public records can be made through the NWCCD Public Information Office.
IV. Employee Information
All aspects of personnel records are confidential. Directory information for faculty and staff as published in the NWCCD online Directory is public. Directory information may include some or all of the following: name, department, position title, campus address, campus phone, and email address. All data maintained in the published Directory is also available on-line from off-campus locations. All other employee related data, especially that which is available to users outside Human Resources, such as social security number and birth date, must be vigilantly safeguarded and treated as confidential.
V. Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) of 1974 governs all information about students, current and former, maintained by NWCCD. FERPA generally requires that NWCCD have the student’s written permission to release any information from their records except certain types of “directory information.”
VI. Student “Directory Information” as defined by FERPA
Certain information, classified as “directory information,” is available for public consumption unless the student specifically directs that it be withheld. Current and former students may contact Enrollment Services (or the Records Office) to indicate not to disclose such information.
Directory Information as defined by the Act includes: name, address, e-mail, telephone number, campus, program of study, dates of attendance, degrees and awards, date and place of birth, previous school attended, participation in officially recognized sports and activities, and weight and height of athletic team members.
VII. Security process of the central administrative database (i.e., Colleague)
- Assigning privileges – as noted in Section II, system privileges are managed through an ITS process that includes department directors, ITS staff and the Colleague Manager’s group members.
- Training – members of the Colleague Manager’s Group provide leadership to develop required on-boarding materials for all employees who have access to the central administrative database. It is also responsible for on-going training with employees who have access. This includes, but is not limited to, the review of the procedures, updates to security protocols, and standard office procedures as they relate to data security.
- Modification and Termination
a. Employees – ITS is notified by Human Resources on employee termination so that the ITS System Administrator can disable all account access.
i. ITS reviews, monitors, and assesses system logs, including unsuccessful attempts by individuals to access systems which they are not authorized to access. Failed login attempts are logged and alerts are generated to reflect those attempts. ITS will respond immediately to accounts reflecting unauthorized access and will notify department directors of unusual account activity.
ii. Human Resources immediately notifies ITS of new hires, terminations and changes to employment status (part-time to full-time, etc.).
iii. Modifications of access are managed by the ITS Process through the Colleague Manager’s Group.
b. Students – ITS is notified by the Registrar on student suspensions and dismissals so that the ITS System Administrator can disable all account access temporarily or permanently depending upon the situation.
- Passwords and User Login Credentials
a. Administrative information is protected through the vigilant use of user-defined passwords.
b. There are minimum password requirements that employees and students must meet. Passwords shall:
-
-
- Be changed by the user every 180 days;
- Consist of a combination of letters, numbers, and special characters;
- Be a minimum of 12 characters in length; and
- Not match previous two passwords or include users’ name or username.
-
c. Individuals are expected to protect passwords from disclosure including the transmission of passwords through email, instant messaging, etc.
d. Individuals must have a unique user login.
e. Sharing of login information with another employee is strictly prohibited.
f. District login credentials (ie, District email and password) should not be used as a login for any other site or system.