IT and Data Policies

The Acceptable Use Policy may be viewed here.

Policy Statement

This document outlines the policy and procedures governing the retention and destruction of records on Southwestern Michigan College. This policy applies to the administrative units responsible for maintaining records pertaining to College business.

Policy

Records Subject to Document Retention and Disposal

The records identified in this policy are essential to the ongoing, legal, and effective functioning of Southwestern Michigan College. These records include:

• Institutional and Legal Records
• Application Materials for Students
• Individual Student Records
• General Student Records
• Conduct Records
• Financial Aid Records
• Employment Records
• Payroll Records
• Personnel Files
• Employee Medical Health and Safety Records
• Pension and Benefit Records
• Federal Tax Records
• Accounts Receivable
• Accounts Payables
• Capital Property Records
• Financial Records
• Institutional Publications
• Facilities Records
• Litigation Records

Establishing Retention Schedules

The retention period for necessary business or operational records depends on a number of considerations, including the retention periods specified in state or federal statutes and regulations. In the absence of a specific legal duty to retain records, each division will need to balance the importance of specific records to the College against the costs of retaining records. Records not subject to any retention requirement should not be kept longer than necessary to accomplish the task for which they were generated.

In determining an effective retention period, Southwestern Michigan College has adopted Record Retention and Disposal, a Manual for College Decision Makers, ed. 2008 as the College’s recommended source of retention schedules. All legal authorities, including but not limited to federal laws and regulations will encompass this policy. Administrative Managers will be responsible for complying with changes to retention policies and managers should reflect department retention schedules to reflect changes in the law.

Record Disposal

Southwestern Michigan College will organize an annual disposal campaign. This is done with a third party who follows the Fair and Accurate Credit Transactions Act.

It is recommended that all document reviews be carried out after the spring semester with a targeted disposal date after the beginning of the fiscal year.

Addendum to Retention

Student Final Exams: 30 days

Grade Books (with no unresolved grade issues and no longer than one semester after grades are distributed: 30 days

The Electronic Communication Policy may be viewed here.

The FERPA policy may be viewed here.

Policy Statement 

The protection of Confidential and Sensitive Information assets and the resources that support them are critical to the operation of Southwestern Michigan College and for the protection of students and employees from identity theft. As information assets are handled they are placed at risk for potential threats of employee error, malicious or criminal actions, theft, and fraud. Such events could cause Southwestern Michigan College to incur a loss of confidentiality or privacy, financial damage, fines, and penalties.

The purpose of this policy is to reduce the risk of a loss or breach of Confidential and Sensitive Information through guidelines designed to detect and prevent errors or malicious behavior. Southwestern Michigan College recognizes that absolute security against all threats is an unrealistic expectation. Therefore, the goals of risk reduction and implementation of this policy are based on:

• An assessment of the Confidential and Sensitive Information handled by Southwestern Michigan College.
• The cost of preventative measures designed to detect and prevent errors of malicious behavior.
• The amount of risk that Southwestern Michigan College is willing to absorb.

These policy guidelines were derived through risk assessment of Southwestern Michigan College methods of handling Confidential and Sensitive Information. Determination of appropriate security measures must be a part of all operations and shall undergo periodic evaluation.

Policy

Definitions

• Confidential and Sensitive Information
  Confidential and Sensitive Information includes, but is not limited to, the following identifiers whether contained in hard copy or electronic format:
  • Personal Information
    As the custodian of sensitive and private information; all printed material containing confidential, personal information related to business, financial or medical transactions, including name, birth date, address, telephone number, social security number, personal photograph, amounts paid or charged or account number, are to be safeguarded.

    Additionally, the College provides two specific policies in reference to social security numbers and document retention and disposal. Please refer to these College Policies for specific information on how social security numbers are handled and for the disposal of confidential and sensitive information.

  • Financial Information
    Financial information security encompasses Southwestern Michigan College as well as anyone doing business with the College. Examples of financial information that should not be shared without the consent of the owner of the information are as follows:
    • Credit Card Numbers
    • Credit Card Expiration Dates
    • Credit Card CCV Numbers
    • Bank/Credit Union Account Numbers
    • Credit Reports
    • Billing Information
    • Payment History
  • Medical Information
    The U.S. Department of Health and Human Services has issued regulations as part of the Health Insurance Portability and Accountability Act of 1996. These regulations, known as the Standards for Privacy of Individually Identifiable Health Information, were effective on April 14, 2003 and control how medical information may be used and disclosed. Southwestern Michigan College provides a current Notice of Privacy Practices for eligible employees, to inform you of the policies that it has established which comply with the Standards for Privacy. For further information regarding medical information and privacy practices, please contact the Department of Human Resources.
  • Business Information
    As identified under the Gramm-Leach-Bliley Act, includes personal identifiable financial information that SMC collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. Financial products or services offered by Southwestern Michigan College include: (1) Student Financial aid packages, and (2) student loan agreements. Items included in this policy include but are not limited to:
    • Federal ID Numbers
    • Proprietary Information
    • Trade Secrets
    • Business Systems
    • Security Systems
    • Employee Identifiers
    • Access Numbers/Passwords
    • Customer Identifiers
    • Vendor Numbers
    • Account Numbers
  • Spoken Word
    Spoken word refers to the transfer of Confidential and Sensitive Information verbally and audibly through electronic media.
  • Hard Copy Format
    Hard Copy Format refers to any Confidential and Sensitive Information that exists physically on paper.
  • Electronic or Soft Copy Format
    Electronic or Soft Copy Format refers to any Confidential and Sensitive Information that exists electronically on CDs, DVDs, phones, computers, networks, portable devices, etc.
• Roles and Responsibilities
  • Information Security Officer
    The Information Security Officer is responsible for the following:
    • Risk Assessment – Conduct periodic risk assessment of Confidential and Sensitive Information handling method.
    • Design – Design of more specific or new policy guidelines as needed.
    • Implementation – Conduct training for your employees on a periodic basis.
    • Monitor – Evaluate the policy and procedures regularly.
    • Enforce – Take disciplinary action with employees as needed.
    • Response Plan – Create a plan to respond to security incidents.
  • Employees, contractors, consultants, temporaries, students, and personnel of third party affiliates.
    All personnel are responsible for adhering to these guidelines, and for reporting any security incidents to the Information Security Officer immediately.
• Policy Guidelines
  The following policy guidelines cover issues related to the collection, retention, transfer, and destruction of Confidential and Sensitive Information.
  
  
  • Destruction
    Southwestern Michigan College generates, receives, and stores many documents and records of a confidential nature. If confidential documents and records are not securely maintained and periodically destroyed/shredded, there is potential danger that individuals' confidential information can be obtained and misused for illicit purposes such as identity theft; fraud; and wrongful access to facilities, materials, and information. Confidential and/or Highly Confidential information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Confidential information that has exceeded our legal requirements for retention should be destroyed in accordance with the Record Retention and Disposal Manual. Confidential information not subject to records retention policies that is no longer required for business reasons should be discarded in a secure manner. Paper should be shredded using a cross-cut shredder prior to disposal and shredding bins should be emptied on a regular basis.
     
    • Hard Copy Format
      In-house Destruction - Destruction of information in hard copy is governed by Southwestern Michigan College’s Document Retention and Disposal policy, which also includes appendices for documents relevant to Southwestern Michigan College. Southwestern Michigan College has adopted record retention strategies provided in “Record Retention and Disposal, A Manual for College Decision Makers,” By: Kent M. Weeks and Patricia Kussmann. If the documents contain information of a sensitive nature; proper security and supervision shall be provided to insure the security of the documents is maintained until destroyed.
      
      
    • Contractors – When outside contractors are utilized for the purpose of destruction of hard copy documents, proper care shall be provided to insure that the integrity of the information contained in the documents is maintained until the document is destroyed. Appropriate documentation is to be obtained from the contractor before the shredded materials leave the Campus indicating the transfer of responsibility for the materials.
      
      
  • Transferability
    Whenever sensitive information is transmitted the sender must take care to protect that information and inform the recipient(s), including those involved in the delivery process, that the transmission contains sensitive information and must be protected.
    
    
    • Security of Paper Transmissions
      When transmitting sensitive information on paper (via hardcopy), the sender should mark the envelope as “CONFIDENTIAL” as appropriate to minimize the chance of unnecessary exposure.
    • Campus Mail
      Confidential information sent via campus mail must be sealed and marked Confidential. Highly Confidential information must also be sealed and marked Confidential, and should be hand-delivered.
      
      
    • Security of Fax Transmissions
      • When possible, computers, fax machines and printers that might be used for confidential data should be placed in secure areas where access is restricted to only those individuals with permission to access confidential information.
      • Verify correct FAX numbers when sending confidential information, and always use a confidentiality cover sheet. If you receive an unintended FAX that contains confidential information, immediately inform the sender and either secure or destroy the information.
      • Stand at public FAX machines or printers or have documents containing confidential information retrieved immediately so that unauthorized individuals have no opportunity to see the information.
      • All faxes should state the confidential nature of the contents of the communication and have instructions should the fax be misdirected.
  • Information Accessibility
    • General Guidelines — Control measures should be practiced to prevent the inadvertent release of Confidential and Sensitive Information (CSI) to any extent not authorized by Southwestern Michigan College.
    • Authorization — Individuals shall scrutinize information to determine if it should be controlled as CSI. Employees should not have in their possession, and they shall report to their supervisor any persons in possession of CSI for which they are not authorized or have a need-to-know. The custodian possessing CSI is responsible for determining any recipient’s need-to-know before passing on any CSI.
    • Contractors and Other Departments — CSI shall only be disclosed to sources outside of their department under the following circumstances:
      • In the case of an SMC employee if the disclosure is necessary for the employee to perform his or her official duties it may be released.
      • For on-site contractors if the disclosure is consistent with the College’s rights in or to the CSI, and the disclosure is necessary for the contractor to perform an authorized task under the contract it may be released.
      • In the case of disclosure not covered by (1) and (2) if the disclosure is consistent with the College’s rights in the CSI and the disclosure is subject to the terms of a duly authorized confidentiality agreement with the party receiving the information it may be released.
• Information Technology Standards and Guidelines
  • Confidentiality and Privacy
    Southwestern Michigan College and all members of the College community are obligated to respect and, in many cases, to protect confidential data. There are, however, technical and legal limitations on our ability to protect confidentiality. For legal purposes, electronic communications are no different than paper documents. Electronic communications are, however, more likely to leave a trail of inadvertent copies and more likely to be seen in the course of routine maintenance of computer systems.

    Certain areas of the College permit incidental personal use of computer resources. The College may monitor the content of personal web pages, e-mail or other on-line communications. However, the College must reserve the right to examine computer records or monitor activities of individual computer users (a) to protect the integrity or security of the computing resources or protect the College from liability, (b) to investigate unusual or excessive activity, (c) to investigate apparent violations of law or College policy, and (d) as otherwise required by law or exigent circumstances. In limited circumstances, the College may be legally compelled to disclose information relating to business or personal use of the computer network to governmental authorities or, in the context of litigation, to other third parties, Administrators of college, department or division networks should notify computer users if incidental personal use is not permitted and that the College cannot ensure the confidentiality of personal communications. Please refer to the Acceptable Use Policy for Computing Resources for additional information.

  • Access
    No one may access confidential records unless specifically authorized to do so. Even authorized individuals may use confidential records only for authorized purposes. The College’s Acceptable Use Policy requires that members of the College community respect the privacy of others and their accounts, not access or intercept files or data of others without permission, and not use another's password or access files under false identity. Violators of any of these rules are subject to discipline consistent with the general disciplinary provisions applicable to faculty, staff or students.

    Technology assets are to be housed in an appropriately secure physical location. Technology assets include servers, personal computers that house systems with controlled access (laptops are a category of special consideration), ports (active ports in public areas), sniffing devices (PC's set up to do this for diagnosis should be secure), modems and network components (cabling, electronics, etc.).

    Passwords help protect against misuse by seeking to restrict use of College systems and networks to authorized users. Each authorized user (specific individual) is assigned a unique password that is to be protected by that individual and not shared with others, is difficult to crack, is changed on a regular basis, and is deleted when no longer authorized.

    The management for each area will ensure that controls are in place to avoid unauthorized intrusion of systems and networks and to detect efforts at such intrusion.

    Each College controlled information system must have an Access Policy that defines access rights and privileges and protects assets and data from loss or inappropriate disclosure by specifying acceptable use guidelines for users, operations staff and management. The Access Policy will provide guidelines for external connections, for data communications, for connecting devices to a network, and for adding new software to systems. As part of the policy, the responsibility and accountability for its implementation must be established.

    The management for each area will also ensure that administrative access procedures include provisions for alternative administrative access in the event that the primary access holder is incapacitated or otherwise unable to perform required administrative activities.

  • Accountability
    Individual users are responsible for ensuring that others do not use their system privileges. In particular, users must take great care in protecting their usernames and passwords from eavesdropping or careless misplacement. Passwords are never to be 'loaned.' Individual users will be held responsible for any security violations associated with their usernames.

    Each user permitted to access a controlled system is to be made aware of the access policy for that system. Management will provide this information to the employee when first granting access and make the employee aware of the auditing capability in place to verify compliance.

    All controlled systems must maintain audit logs to track usage information to a level appropriate for that system. All user sessions and all failed connection attempts must be logged. For user sessions, the following will be recorded: user, source IP, session start time/date, and session end time/date. For failed connection attempts, the number of attempts must also be recorded. Management has the discretion to determine whether additional logging is necessary.

    Audit logging may also apply to networks. Logging of network traffic flow and access is a standard practice. If inappropriate use of the network is suspected, and management so requests, Network Technology Services may authorize specific traffic logging on portions of the campus network.

    If the operations staff believes a security incident has occurred, they will immediately notify their management. Management will assess the potential implications of the incident, notify Network Technology Services, and take any remedial and necessary action. All audit logs will be immediately duplicated and moved to secure media for further analysis.

    Before adding new software to college computers and networks, system defaults should be carefully reviewed for potential security holes and passwords shipped with the software should be changed. Downloading software, particularly software that is not job-related or endorsed by the administration, may introduce security risks and should be controlled.

  • Authentication
    Authentication and data encryption or point-to-point communication will be implemented for all systems that send or receive sensitive data or when it is critical that both parties know with whom they are communicating. The decision of whether to encrypt data should be made by the professional system administrator responsible for the particular application being distributed, with the knowledge of the appropriate dean, director, or department head.
    
    
  • Availability
    Mission critical systems are expected to be available at all times during applicable business hours. Each critical system must have a published availability statement which details redundancy and recovery procedures, and specifies hours of operations and maintenance downtime periods. It must also include contact information for reporting system outages. This statement must be submitted to and approved by Network Technology Services.

    Backup of data will be well-documented and tested. Backups of mission critical data must be maintained in secure off site storage to guard against the impact of disasters.

  • Information Technology Systems and Network Maintenance
    In the course of doing business, SMC’s Computing Services, College Information Systems management, Network Technology Services, and Schools and departments may contract for all or some system and network local or remote maintenance or support. Representatives of these contracted companies must follow all College policies.

    Schools and departments are expected to establish appropriate guidelines for building, equipment and system access. It is the responsibility of the contracting school/department to inform the contractor of all appropriate policies and, in addition, to provide oversight of the contractor and contractor representatives during the time they have access to College resources.

  • Reporting Violations
    Owners or managers of computer, network, or applications systems, as well as users of these systems, have the responsibility to report any apparent violations of law, to local management and Computing Services whenever such violations come to their attention.

    Owners and managers of school or department computing, network, and applications systems shall make available to management and users of the systems guidelines for reporting security violations. These guidelines will provide specific guidance on what, when, where, to whom, and within what timeframe the violation should be reported and a copy will be filed with Computing Services.

• Plan for a Loss or Breach
  • General Guidelines - It is the responsibility of all college employees to be aware of an actual or suspected information security breach, as defined below, to report it immediately to their respective supervisor and the SMC Information Security Officer for review.
  • Audits – Compliance with the college’s information security policies and procedures shall be monitored regularly in conjunction with the college’s monitoring of its information security program. The Information Security Officer will direct periodic internal audits to ensure compliance with federal and state laws and regulations as well as college policy.
  • Discovery of a Breach in the Workplace
    • Employee Protocol – It is the responsibility of all college employees aware of an actual or suspected information security breach, as defined below, to report it immediately to their respective supervisor and the SMC Information Security Officer for review. A “security breach” means an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of information maintained by SMC and covered under this policy. This includes breaches that involve physical as well as computer or information system security.
    • Information Security Officer Protocol – As soon as an incident has been reported, the Information Security Officer will:
      • Inform the SMC President’s Office of the incident and determine if outside counsel assistance is required.
      • Conduct an investigation of the actual or suspected breach as well as review internal procedures and controls.
      • Determine the scope of the actual or suspected breach.
      • Note: Departments should not conduct their own investigations without first consulting the SMC Information Security Officer.
      • If a breach has been confirmed, a final report of the findings will be forwarded to appropriate senior administrators and outside counsel. The Information Security Officer shall make recommendations to the appropriate senior administrators for review and implementation and assist in implementation of such recommendations, as appropriate.
    • Discovery of a Breach through Accusation
      • Employee Protocol – As indicated above, it is the responsibility of all college employees aware of an actual or suspected information security breach to report it immediately to their respective supervisor. Examples of warning signs of a breach include, for example, unusual account activity, suspicious documents, suspicious addresses, notices from our students, or other customers, and law enforcement authorities.
      • Information Security Officer Protocol – The Information Security Officer through consultation with the accuser and appropriate senior administrators will determine if a breach has occurred or if there is sufficient evidence that a breach has occurred. If the breach is confirmed, the same protocol as outlined above shall be followed.
    • Suspicious Behavior
      • General Guidelines – Suspicious behavior is defined as “arousing or likely to arouse suspicion in others.
      • Contractors, Vendors, and Guests – Suspicious behavior is not just one thing or action, it can also be one or several things combined.
      • Suspicious things - One is the appearance of things in places where they should not be. For instance files, boxes, books, etc. that are not normally where they should or should not be.
      • Suspicious people - Besides objects that are suspicious, we need to deal with people who are suspicious. In this case, suspicious generally means one of three things.
      • Strange Behavior – The first and most obvious suspicious person is someone behaving strangely. Strangely may mean that someone is doing something unexpected, such as working in an area where work is not generally done. A suspicious person can also mean someone whom you don’t know somewhere that only people you do know should be. Example, if you see a stranger working at a terminal in your office, you should ask who they are, what they are doing, and tell someone about it.
      • Correlation over time – Repeated sightings of the same individuals is the second thing that should raise your suspicions.
      • Correlation over distance – The third variant on this theme is to see the same people in different places. For example you may see a person in the hall and then see the same person in an office or a faculty hallway without any obvious purpose or reason for being there. This should be reported.
    • Suspicious Feelings – The final category of suspiciousness is a gut feeling that something is wrong. If something seems wrong, then there is a good (albeit not infallible) chance that something is wrong.

      In the end, the process of dealing with suspicion is a straightforward three-step process:

      1. See something
      2. Tell someone
      3. Do something
         (“Informed Source” Newsletter November 2003 page 27-28)
  • Enforcement
    The Information Security Officer has the authority to enforce this policy. Any employee, temporary, contactor, or consultant found in violation may be subject to disciplinary action, up to and including termination of employment as provided in current Board Policy.

    All college faculty, staff and other employees must comply with this policy, including all future information security policies and implementing procedures.

    Compliance with the college’s information security policies and procedures shall be monitored regularly in conjunction with the college’s monitoring of its information security program. The Information Security Officer will direct periodic internal audits to ensure compliance with federal and state laws and regulations as well as the Faculty Procedures Manual.

    Violations of this policy will be handled consistent with College disciplinary procedures applicable to the relevant persons or departments.

The Privacy Policy may be viewed here.

Policy Statement 

This policy provides for the confidentiality of social security numbers obtained by the College in the ordinary course of business. This includes references to social security numbers regardless of form (i.e., paper, electronic, etc.). Effective January 1, 2006, this policy applies to all College employees.

Policy

Access to Social Security Numbers

The College restricts access to information or documents containing social security numbers only to those employees who have a legitimate College business reason to access such information.

Prohibited Disclosures

College employees shall maintain the confidentiality of College information and documents containing social security numbers. College employees shall not do any of the following with the social security number of an employee, student, or other individual:

• Publicly display the social security number.
• Use the social security number as an individual’s primary account number.
• Visibly print the social security number on any identification badge or membership card.
• Mail a document containing an individual’s social security number unless it falls within one of the following exceptions:
  • State or federal law, rule, regulation, or court order or rule authorizes, permits, or requires that the social security number appear in the document.
  • The document is sent as part of an application or enrollment process initiated by the individual.
  • The document is sent to establish, confirm the status of, service, amend, or terminate an account, contract, policy, or employee or health insurance benefit, or to confirm the accuracy of a social security number of an individual who has an account, contract, policy, or health insurance benefit.
  • The document is mailed in connection with an ongoing administrative use to do any of the following:
    • Verify an individual’s identity, identify an individual, or accomplish another similar administrative purpose related to an existing or proposed account, transaction, or employment.
    • Investigate an individual’s claim, credit, criminal, or driving history.
    • Detect, prevent, or deter identity theft or another crime.
    • Lawfully pursue or enforce the College’s legal rights.
    • Provide or administer employee or health insurance benefits, claims, or retirement programs.
    • The document is mailed by or at the request of the individual whose social security number appears in the document or at the request of his/her parent or legal guardian.
    • The document is mailed in a manner or for a purpose consistent with the federal Health Insurance Portability and Accountability Act (HIPAA), or the Michigan Insurance Code of 1956.
• Require an individual to transmit his/her social security number over the Internet or a computer system or networks unless the connection is secure, or the transmission is encrypted.
• Mail any document containing a social security number that is visible on or from outside the envelope or packaging for the document.

Authorized Uses

This Policy does not prohibit the use of social security numbers where the use is authorized or required by state or federal statute, rule, regulation, or court order or rule, or pursuant to legal discovery or process.

This Policy also does not prohibit the use of social security numbers by the Department of Police and Public Safety for criminal investigation purposes or the provision of social security numbers to a Title IV-D agency (child support/support orders), law enforcement agency, court, or prosecutor as part of a criminal investigation or prosecution.

Disposal of Social Security Numbers

Documents that contain social security numbers shall be properly destroyed when those documents no longer need to be retained pursuant to College document retention policies. Paper documents containing social security numbers should be shredded.

Violations

Violations of this Policy may result in disciplinary action, up to and including termination of employment. Individuals who violate this Policy may also be subject to the civil and criminal penalties provided for in the Michigan Social Security Number Privacy Act.

The Web Accessibility Policy may be viewed here.