University Business - September 2007 - (Page 63)

‘you’re exposing the college and yourself to security and conﬁdentiality issues’ by transferring data to a laptop,” he says. They will also be informed that information should not be taken oﬀ campus and that such data should only be accessed remotely through a VTN line-encrypted server. Fill the Security Gaps Most security training is designed to guard SISs from the outsider, when teaching system users how to use technology to safeguard personal information is equally—and perhaps more—important. “A lot of the security training that needs to be provided is awareness-type training,” says Volz. EDUCAUSE’s Petersen advises that it is increasingly important to emphasize the following as part of any security training session: • Roles and responsibilities. Make it clear what information each SIS user is authorized to access and who is a “data steward”—someone authorized to share conﬁdential data with others. For example, in student records, the data steward is frequently the registrar. • Security practices. Training users in such tactics as password protection, operating system updates, antivirus protection, and spyware protection, to fortify the system’s defenses. • Privacy protections for personally identiﬁable information (PII). This includes: limiting the type of information that is accessed or displayed to that which is essential for the function to be performed; limiting downloads of SIS data into spreadsheets or other formats to workstations, laptops, or storage devices unless the data is encrypted or under strict controls; and eﬀective methods of disposing of devices or data. User group: Coppin State recruited faculty and students to determine how much training would be needed on a new security system. weight). However, years ago, student Social Security numbers were also routinely published, he says. “Rules change over time to address the threats that are out there,” he explains. More recently, the university decided it would no longer publish e-mail addresses. That doesn’t necessarily mean that all students are included in the institution’s directory, however, since FERPA provides students the option to prohibit release of any personal information. Most SISs have an attribute, or ﬁeld, within the system to identify students who have declared their privacy rights, says Volz. Spotting that attribute can be tricky, however, and system users need to be trained to look for that identiﬁer to prevent unauthorized release of information. Make Training an Ongoing Eﬀort At Ursinus College in Collegeville, Pa., Chief Information Oﬃcer John King reports that the institution’s approach to security and conﬁdentiality has been revamped in the last three to four years. “We’ve had some turnover, but no incidents, and we wanted to make sure everyone understood their role in securing data and the importance of conﬁdentiality,” King explains. Today, security training is done on an ongoing basis at Ursinus, following a process the college has developed to ensure that everyone is aware of the college’s policies and their own responsibility. When new employees are hired they are required to complete and sign a form indicating their understanding of the college’s data security policies and procedures. Learning the importance of information security is now part of the college’s orientation procedure, which also applies to student workers. Their supervisor sits down with them to review the policies and procedures and they, too, sign the conﬁdentiality form indicating their understanding and compliance. The college is in the process of implementing a new SIS—the Blackbaud Education Edge—and as part of that, says King, they will incorporate a new module into the security training regarding safeguarding data on laptops. “We’ll remind [employees] that universitybusiness.com ‘The breaches are absolutely increasing in frequency.’ —Rob Guido, Oracle Identify Weaknesses Cindy Bixler, CIO of Embry-Riddle Aeronautical University, which has campuses in Prescott, Ariz., Daytona Beach, Fla., and at more than 130 centers in the United States through its Worldwide Campus, says that about two years ago the university instituted an integrated student services training program for staﬀ to increase awareness of the need for data security. While that training has been successful, there is currently no ongoing training to remind longtime employees of their responsibilities and to correct risky behavior, such as downloading information from the university’s core SIS onto a laptop or USB drive. The university is conducting an information systems audit of its Oracle Portal with the help of Ernst & Young, whose auditors are looking over the system to identify weaknesses that need to be addressed. Bixler says that lack of ongoing security training will September 2007 | 63 http://universitybusiness.com

Table of Contents for the Digital Edition of University Business - September 2007

University Business - September 2007
Contents
College Index
Company Index
Advisory Board
Editor's Note
People Watach
Sense of Place
Viewpoint
Human Resources
Money Matters
Financial Aid
Community Colleges
Una Fuerza to Reckon With
The Right Stuff
Making an Impact
Going VoIP
Training Your Staff to Protect SIS Data
Summer Conference Report
Business Technology
What's New
Calendar of Events
End Note

University Business - September 2007