American Business and Technology University Information Security Program
1.0 Policy Statement
The American Business and Technology University Information Security Program is intended as a set of comprehensive guidelines and policies designed to safeguard all sensitive data maintained at the University, and to comply with applicable laws and regulations on the protection of Personal Information, as that term is defined below, found on records and in systems owned by the University.
The SECURITY PROGRAM was implemented to comply with regulations issued by the Department of Higher Education. In accordance with federal and state laws and regulations, American Business and Technology University is required to take measures to safeguard personally identifiable information, and to provide notice of security breaches of protected information at the University to affected individuals and appropriate state agencies.
In addition, American Business and Technology University is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the University. American Business and Technology University has implemented a number of policies to protect such information, and the SECURITY PROGRAM should be read in conjunction with these policies that are cross-referenced at the end of this document.
The purposes of this document are to:
- Establish a comprehensive information security program for American Business and Technology University with policies designed to safeguard sensitive data that is maintained by the University, in compliance with federal and state laws and regulations;
- Establish employee responsibilities in safeguarding data according to its classification level; and
- Establish administrative, technical and physical safeguards to ensure the security of sensitive data.
This Program applies to all American Business and Technology University employees, whether full- or part-time, including faculty, administrative staff, contract and temporary workers, hired consultants, interns, and student employees, as well as to all other members of the American Business and Technology University community (hereafter referred to as the “Community”). The data covered by this Program includes any information stored, accessed or collected at the University or for University operations. The SECURITY PROGRAM is not intended to supersede any existing American Business and Technology University policy that contains more specific requirements for safeguarding certain types of data, except in the case of Personal Information, as defined below. If such a policy exists and is in conflict with the requirements of the SECURITY PROGRAM, the other policy takes precedence.
Personal Information (PI), as defined by Federal law, is the first name and last name or first initial and last name of a person in combination with any one or more of the following:
- Social Security number;
- Driver’s license number or state-issued identification card number; or
- Financial account number (e.g. bank account) or credit or debit card number that would permit access to a person’s financial account, with or without any required security code, access code, personal identification number, or password.
For the purposes of this Program, PI also includes passport number, alien registration number or other government-issued identification number.
4.2 Data Classification
All data covered by this policy will be classified into one of three categories outlined below, based on the level of security required for each, starting with the highest level.
Confidential
Confidential data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a significant level of risk to American Business and Technology University or the Community. Confidential data should be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration or disclosure.
Confidential data includes any data that is protected by federal or state laws or regulations, including, but not limited to, data protected under privacy law, the Family Educational Rights and Privacy Act (FERPA), and the FTC’s Red Flag Rules.
Confidential data also includes other sensitive personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of American Business and Technology University. This data includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), University financial and investment records, employee salary information, or information related to legal or disciplinary matters.
Internal Use Only
Internal Use Only data refers to any data where unauthorized access, use, alteration or disclosure of this data could present a moderate level of risk to American Business and Technology University. This data should be limited to access by individuals who are employed by or matriculate at American Business and Technology University and who have legitimate reasons for accessing such data. Any non-public data that is not explicitly designated as Confidential should be treated as Internal Use Only data. A reasonable level of security should be applied to this classification to ensure the privacy and integrity of this data.
Public (or Unrestricted)
Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to American Business and Technology University or members of the American Business and Technology University community. Any data that is not classified as Confidential or Internal Use Only should be considered Public data.
All data at the University is assigned a data owner according to the constituency it represents. Data owners are responsible for approval of all requests for access to such data. The data owners for each constituency group are designated as follows:
- Faculty data – the Dean (or his or her designee) serves as the data owner
- Staff data – the Human Resource Office serves as its owner
- Student data – ownership is distributed across many departments. Student data is safeguarded by electronic security measures. The Registrar is responsible for the accuracy of data and for the security of physical student files. The Chief of Operations and his or her designees are responsible for the electronic security of student data.
- Email is not a secure method of transporting sensitive information without proper encryption. All parties should be aware of the risks of unsecured email and are responsible for safeguarding sensitive data.
- Faculty and students have access to school-provided email accounts, which are issued once the student’s identity has been verified. This account is used to notify the student or faculty member of important dates and events. ABTU does not have access to information within these email accounts and can only reset the password if asked by the user.
- Students and adjunct faculty are responsible for checking their email at least weekly to stay notified about important school happenings, including notice of any data breaches.
- Student email accounts that are not accessed for 180 consecutive days will be deleted. Faculty lose access to email if terminated from teaching positions. In both cases, the University is not responsible for lost data.
- Staff are required to check email daily. All staff email is monitored and archived for compliance purposes. A staff member has no reasonable expectation of privacy when using University email accounts.
- Students are responsible for ensuring their homework files are backed up in their possession. Once homework is uploaded to the portal, ABTU is not responsible for producing a copy back to the student at any time.
- In all cases involving email and homework, the student is responsible for creating a local backup to safeguard against lost data. The University is not responsible for lost data resulting from breaches at third-party vendors associated with the University.
- ABTU staff are, however, responsible for breaches of sensitive student data that is controlled by ABTU staff and housed internally on ABTU servers.
Staff Access to Material
Human Resources will inform technology services staff about an employee’s change of status or termination as soon as is practicable but before an employee’s departure date from the University. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s access to University data. Technology Services staff will terminate all of the employee’s account access upon the employee’s termination date from the University, as specified by Human Resources.
Department heads will alert Technology Services at the conclusion of a contract for individuals that are not considered American Business and Technology University employees in order to terminate access to their American Business and Technology University accounts.
The American Business and Technology University Information Security Officer (ISO), in collaboration with the University’s Compliance Committee, is in charge of maintaining, updating, and implementing this Program. The ISO can be contacted at Lute@abtu.edu. The University’s Chief Information Officer (CIO / President) has overall responsibility for this Program.
All members of the Community are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure or alteration. All members of the Community are required to access, store and maintain records containing sensitive data in compliance with this Program.
5.2 Identification and Assessment of Risks to University Information
American Business and Technology University recognizes that it has both internal and external risks to the privacy and integrity of University information. These risks include, but are not limited to:
- Unauthorized access of Confidential data by someone other than the owner of such data
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of Confidential data by employees
- Unauthorized requests for Confidential data
- Unauthorized access through hard copy files or reports
- Unauthorized transfer of Confidential data through third parties
American Business and Technology University recognizes that this may not be a complete list of the risks associated with the protection of Confidential data. Since technology is not static, new risks are created regularly. Accordingly, Technology Services will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS to identify new risks.
American Business and Technology University believes the University’s current safeguards are reasonable and, in light of current risk assessments made by Technology Services, are sufficient to provide security and confidentiality to Confidential data maintained by the University. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.
5.3 Policies for Safeguarding Confidential Data
To protect Confidential data, the following policies and procedures have been developed that relate to protection, access, storage, transportation, and destruction of records, computer system safeguards, and training.
- Only those employees or authorized third parties requiring access to Confidential data in the regular course of their duties are granted access to Confidential data, including both physical and electronic records.
- Computer and network access passwords are disabled upon termination of employment or relationship with American Business and Technology University.
- Upon termination of employment or relationship with American Business and Technology University, physical access to documents or other resources containing Confidential data is immediately prevented.
- Members of the Community will not store Confidential data on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). In rare cases where it is necessary to transport Confidential data electronically, the mobile device containing the data must be encrypted.
- To the extent possible, all Confidential data is stored only on secure servers maintained by the University and not on local machines, unsecured servers, or portable devices.
- Paper records containing Confidential data must be kept in locked files or other secured areas when not in use.
- Electronic records containing Confidential data must be stored on secure servers, and, when stored on authorized desktop computers, must be password protected.
Removing Records from Campus
- Members of the Community are strongly discouraged from removing records containing Confidential data off campus. In rare cases where it is necessary to do so, the user must take all reasonable precautions to safeguard the data. Under no circumstances are documents, electronic devices, or digital media containing Confidential data to be left unattended in any insecure location.
- When there is a legitimate need to provide records containing Confidential data to a third party, electronic records shall be password-protected and/or encrypted, and paper records shall be marked confidential and securely sealed.
Destruction of Confidential Data
- Paper and electronic records containing Confidential data must be destroyed in a manner that prevents recovery of the data.
Third-Party Vendor Agreements Concerning Protection of Personal Information
American Business and Technology University exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI provided by the University to them. The primary budget holder for each department is responsible for identifying those third parties providing services to the University that have access to PI. All relevant contracts with these third parties are reviewed and approved by the American Business and Technology University Purchasing Department to ensure the contracts contain the necessary language regarding safeguarding PI. It is the responsibility of the primary budget holders to confirm that the third parties are required to maintain appropriate security measures to protect PI consistent with this Program and Missouri laws and regulations.
5.5 Computer System Safeguards
The ISO monitors and assesses information safeguards on an ongoing basis to determine when enhancements are required. The University has implemented the following to combat external risk and secure the University network and data containing PI:
- Secure user authentication protocols
  - Unique passwords are required for all user accounts; each employee receives an individual user account.
  - Server accounts are locked after multiple unsuccessful password attempts.
  - Computer access passwords are disabled upon an employee’s termination.
  - User passwords are stored in an encrypted format; root passwords are accessible only by system administrators.
- Secure access control measures
  - Access to specific files or databases containing PI is limited to those employees who require such access in the normal course of their duties.
  - Each such employee has been assigned a unique password, different from the employee’s password to the computer network, to obtain access to any file or database that contains PI needed by the employee in the course of his or her duties.
  - Files containing PI transmitted outside of the American Business and Technology University network are to be encrypted.
- The ISO performs regular internal security audits of all server and computer system logs to discover, to the extent reasonably feasible, possible electronic security breaches, and to monitor the system for possible unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI.
- All University-owned computers and servers are firewall protected and regularly monitored.
- Operating system patches and security updates are installed automatically on all servers at least every 30 days.
- Antivirus and anti-malware software is installed and kept updated on all servers and workstations. Virus definition updates are installed on a regular basis, and the entire system is tested and checked at least once per month.
5.5 Employee Training
All employees who access Confidential data via the firewall or who otherwise have access to PI are required to complete a yearly training on data security and their responsibilities related to this Program. The training is also strongly recommended for all employees. The ISO maintains records of all such training.
5.6 Reporting Attempted or Actual Breaches of Security
Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the ISO.
The ISO is charged with the identification of all data security incidents where the loss, theft, unauthorized access, or other exposure of sensitive University data is suspected. The ISO reports any such incidents to the Chief Information Officer (CIO). When the ISO confirms an incident involving sensitive information, the ISO will alert the CIO. The CIO will contact the President of the University to conduct an assessment and prepare a response team. The CIO and the President are responsible for coordinating the Incident Team and determining appropriate actions in response to the breach. This team is external to the University and is used only in the event of a substantial incident.
The ISO will document all breaches and subsequent responsive actions taken. All related documentation will be stored in the President’s office.
Any employee or student who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises data classified as Confidential or Internal Use Only without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action, which may include termination in the case of employees and expulsion in the case of students.
To report a security incident, submit a support ticket, email Lute@abtu.edu, or call 816-279-7000.
Updated 12/14/2017: Renamed to Information Security Program
Updated 7/17/2014: Replaced “American College of Technology” with “American Business and Technology University”. Replaced “College” with “University”.