Information Security Policy

Purpose

This policy is to protect the security, confidentiality, integrity and availability of Willamette University’s information and data. It is applicable to all university faculty, staff, student employees, volunteers and affiliates.

Policy

Protecting Confidential Information

Each individual who is granted access to data or information, in any format (verbal, via a computer system, hard copy, etc.), that is generally viewed or officially deemed “confidential” holds a position of trust and must preserve the security and confidentiality of that information. Confidential information includes, but is not limited to, the information described in the Definition of Confidential Information section at the end of this policy. All individuals must abide by the following:

  1. Do not access confidential information unless you have been authorized as a function of your role to have access and you have a legitimate need to know that information.
  2. Do not disclose confidential information except when such disclosure is within the function of your role, in full compliance with all university policies, and either (i) to a person employed by or in the service of Willamette University who is also bound by this policy and has a legitimate need to know such information to facilitate university-related business; or (ii) to an individual or organization outside of Willamette University only if you have appropriate internal authorization for such disclosure (i.e., human resources relative to employee information, registrar relative to student information, student health center director relative to student medical information, communications relative to any media inquiry).
  3. Do not post or store confidential information on social media, a website or a publicly accessible computer.
  4. Do not access confidential data in a computer system unless it is granted through authorization from the appropriate department director or manager, dean and/or vice president.
  5. Do not leave paper documents containing confidential information where they are accessible to others. Such documents should be stored in a secure or locked suite, office, desk or file cabinet. Paper records containing confidential information must be disposed of in university-provided shred bins and must not be disposed of via regular recycling or trash receptacles.
  6. Ensure that government-regulated confidential data as described in the Government-regulated Confidential Information section at the end of this policy is not stored on cloud drives (e.g., DropBox, MS OneDrive), except Google Drive can be used for documents that need to be editable by multiple university employees.
  7. Electronic media containing confidential information (e.g., USB drives, CD, DVD, floppy disk, hard disk, tape, etc.) are to be physically controlled and secured by the user at all times.
  8. Do not email or fax, either internally or externally, government-regulated confidential information unless no other options exist. When WITS has the appropriate tools in place, encrypt all emails that contain confidential information.
  9. Retain confidential information only as long as required for legal, regulatory and business requirements. Consult the processing archivist and records manager at 503-370-6147 for the legal and regulatory specifications.
  10. When disposing of confidential information in electronic form, use an approved method specified by the WITS Help Desk at 503-370-6767.
  11. Keep all shred bins and shred dumpsters locked when not in use to prevent unauthorized access.
  12. If you have access to government-regulated confidential information, you must read, understand and abide by the laws applicable to the function of your role.
  13. Immediately report any violation of the confidentiality of information to your supervisor or dean.

Protecting University Data

Any individual with authorized access to computer information systems owned, leased, operated or contracted by the university must abide by the following with respect to university records and information:

  1. Access data solely in order to perform the function of your role.
  2. Do not engage in or permit unauthorized use of any information in the university’s information system or records.
  3. Do not exhibit or divulge the contents of any record, file or information system to any person unless it is necessary for the function of your role and their role.
  4. Do not enter, change, delete or add data to any information system or files outside of the scope of the function of your role.
  5. Do not include or cause to be included in any record or report, a false, inaccurate or misleading entry known to the user as such.
  6. Do not alter or delete, or cause to be altered or deleted, a true and correct entry from any records, report or system.
  7. Ensure that all electronic information created or managed as part of your work function is stored on departmental shared drives, your personal network storage drive, or Google Drive, as these devices are backed up and accessible by other appropriate individuals in the university. The information may also be shadow copied to your hard drive.
  8. Immediately report any unauthorized (including accidental) deletion or alteration of Willamette University data or information, including any event that may result in substantial loss in integrity or accuracy of university data or information to your supervisor or dean.

Controlling System Access

All users of university information systems are supplied with an individual user account to access the systems and data necessary for their role. This applies to all systems owned, leased, operated, or contracted by the university. All transactions processed by a user ID are the responsibility of the person to whom the user ID was assigned. Users of the university’s information systems are required to abide by the following:

  1. Treat credentials (i.e., user IDs, passwords, etc.) for access to university systems as confidential. Such credentials are non-transferable.
  2. Using someone else’s password is a violation of policy, no matter how it was obtained.
  3. Establish strong passwords to secure access to university systems and personal computers. When the university’s systems can comply, passwords will be required to be a minimum of 16 characters in length and users will be encouraged to create pass phrases where multiple words are combined. Passwords will expire every year and new passwords must be substantially different from previous passwords and must be strong as determined by a commercial password strength calculator.
  4. Change your password immediately if there is reason to believe your credentials have been compromised or revealed.
  5. Do not write down passwords where they are easily accessible to others.
  6. Do not save passwords that access university systems on public computers.
  7. Lock or logout of your computer when you are finished working, or if you will be away from your computer for more than a few minutes.

Preventing Malware

Malware is software that is intended to damage or disable computers and computer systems. All university users must actively prevent malware by abiding by the following:

  1. If you receive an email from an unknown sender or a suspicious email from a known sender, do not open attachments, click on links or provide any information to the sender.
  2. When downloading or installing computer programs or software, ensure it is from a trusted source. If you have questions about the software, consult with the WITS Help Desk at 503-370-6767. WITS will administer the installation of all software onto university computers when we have the appropriate tools and resources to make the process seamless to users.
  3. If you use a personally-owned device to access the university network, make sure you comply with the university’s Antivirus Software Policy.
  4. Immediately report all instances of malware infection, whether suspected or confirmed, to the WITS Help Desk at 503-370-6767.

Securing Mobile Devices

Mobile devices are electronic devices that are easily transportable and capable of accessing, storing, or transmitting information. Some examples include laptop computers, tablets, mobile phones and portable storage devices. This policy applies to all mobile devices that are owned, leased, operated or contracted by the university, as well as any individually-owned device that is connected to the university network. They pose an increased security risk due to their portability. Take the following steps in order to minimize the risk of theft or loss of data:

  1. Secure university-owned mobile devices out of sight in a locked room, office or drawer, or use a locking cable where possible.
  2. Protect all mobile devices that are used to access university data with a strong password or biometric authentication.
  3. Immediately report all lost or stolen university-owned mobile devices or personal devices on which university information is stored to the WITS Help Desk at 503-370-6767.

Other Security Measures

  • Read and agree to abide by the university’s Responsible Use of Information Technology Resources policy.
  • When prompted by HR or WITS, complete Information Security Awareness training courses.
  • Immediately report suspected information security breaches or unauthorized account access directly to the chief information officer at 503-370-6004 or the WITS Help Desk at 503-370-6767.

Definition of Confidential Information

General Definition

“Confidential information” means all information about Willamette University or in the university’s possession or care that it deems confidential or is required by law or contract to keep confidential.

Government-regulated Confidential Information

Some types of confidential information are government-regulated and are therefore subject to stricter requirements in this policy. Government-regulated confidential information includes the following:

  • The following types of Personal Identifying Information (PII): Social Security number, driver license number, passport number, other government-issued identification card number, birthday, biometric identifiers (e.g., fingerprints) and personal medical information;
  • Protected Health Information (PHI) as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) which includes information relating to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual (e.g., diagnosis, treatment, or insurance-related information);
  • Education records of students, applicants and alumni as defined by the Family Educational Rights and Privacy Act (FERPA), including information about test results, grades, and other academic performance information, financial aid information, disciplinary records, and records received from previously attended academic institutions;
  • Personally Identifiable Financial Information as specified by the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLB), which protects the disclosure of customer financial information. Examples include information on student loan or financial aid applications, information about loans or financial aid received by a student, and any list of students who received or applied for a loan or other financial aid;
  • Human subject research data which falls under the jurisdiction of the university’s Institutional Review Board (IRB);
  • Confidential medical records used to provide an employee with a reasonable accommodation under the Americans with Disabilities Act of 1990 (ADA); and
  • Payment card data such as credit and debit card numbers, security codes or PINs covered by the Payment Card Industry (PCI) standards.

Other Types of Confidential Information

Other types of confidential information include but are not limited to:

  • Payroll records or employment and/or personnel information such as disciplinary or grievance information, annual review information; and
  • Nonpublic information about third parties that the university has a contractual obligation to keep confidential, including confidential information about or received from suppliers, vendors, sources of funding, grantors, donors, alumni, and research partners and sponsors.