Information Security Program

The protection of the private information of Augsburg community members is of critical importance to the IT Department.  The three components below describe in broad terms how the institution is protecting that private information.  In addition, this program ensures compliance with Title IV financial aid requirements for protecting student financial aid information.

From October to November 2017 we held weekly information sessions about this program.  A recording of the session (19 minutes) is available for viewing.

Augsburg is taking three main approaches:

  1. Defining
  2. Protecting
  3. Educating

Defining

Through a data classification policy, Augsburg has defined three types of data and how such data should be handled. These definitions provide a common language to describe the information used by departments in various ways. Those three types are:

  1. Public Data.  This is information that is available to the general public.  Examples include press releases, campus maps, and other information on public websites.
  2. Regulated Data. This is information that is protected or controlled by statutes, regulations, institutional policies or contractual language. Examples include student record information (protected by FERPA), credit card numbers (regulated by PCI-DSS), or financial records.
  3. Confidential Data. This is information that must be guarded due to proprietary, ethical or privacy considerations. Examples include alumni information, donor information, or research data.

Protecting

On-campus servers maintained by the IT Department have multiple layers of protection because they sit within a secure campus network. With the growing use of cloud data storage, we need to keep in mind that regulated data should not be kept in cloud storage, with the exception of FERPA data in Augsburg’s Google Drive.

FERPA data may be stored in Augsburg’s Google Drive starting in 2018 with the rollout of Cloudlock, a product Augsburg will be using to secure Google Drive. Cloudlock is also used by Carleton, St Olaf, Macalester and Hamline. Cloudlock is configured to look for regulated data and take action if it is shared. The actions it takes on specific kinds of regulated data are listed below. Cloudlock only applies to faculty, staff and student workers. Cloudlock will not be fully activated until December 2017.

Social Security Numbers and Credit Card Numbers should never be stored in cloud storage.

Social Security Numbers or Credit Card Numbers found in shared documents

  • Notify the document owner that their document appears to have such data.
  • Remove any sharing on the document.

Student ID Numbers found in shared documents

  • Notify the document owner that their document appears to have such data.
  • If the document is shared outside of augsburg.edu, remove sharing.
  • Sharing within augsburg.edu is fine.

Please see the Cloudlock FAQ to learn more about what it does and does not do.

Educating

Faculty and staff are the best defense against a loss of data. They are also the most frequent targets through email phishing scams. People are no longer trying to break into organizations. They are trying to trick people into handing over their keys (i.e., their password).

To ensure all faculty and staff are aware of effective practices, Augsburg has subscribed to Data Security training from EverFi, which provides various HR-related trainings. Training faculty and staff ensures we remain compliant with the Title IV financial aid requirements for protecting student information.