Sensitive Information (IT400.002.04)

Effective Date:  02/28/2024

Owner:  PPAC

Team Members:  Jeff Chapko, Ron Hughes, Mike Dano, Justin Vance, Todd Janiak

1.0          PURPOSE

1.1              The purpose of this procedure is to regulate how Baker College users handle protected information for the institution. This includes the transmission, access control, and storage of protected information across the organization. Any member of the Baker College community, including all faculty, staff, and students, who has access to Baker College records that contain protected information covered by IT Foundational Policy 400 must comply with this procedure. This also applies to any third party that deals with the transmission and storage of protected information.

2.0          DEFINITIONS

De-Identification of Information

De-identified data describes records that have a re-identification code and have enough personally identifiable information removed or obscured so that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. The re-identification code may allow the recipient to match information received from the same source.

Encryption

The transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key (password).

Student

Any person who attends or has attended Baker College.

Users

Any authorized individual, including faculty, staff, students, vendors, or courtesy affiliates.

Virtru

Virtru is data encryption software that protects data shared through email, file sharing, cloud, SaaS, and CRM solutions, and across internal and external ecosystems.

3.0          GUIDELINES

NONE

4.0          PROCEDURES

4.1              Data Handling and Storing

4.1.1         Data in transit (internal and external)

a.)              Encryption or information de-identification is required for protected data in transit.  Secure protocols must be utilized during transfer between systems.

b.)              Paper - Address to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”.

c.)              Email - The following best practices should be used to encrypt protected information via email:

i.)                Users with a Virtru license will use the built-in controls to send encrypted emails. Only select departments have Virtru licenses.

ii.)              For users without a Virtru license, any email with protected data must be encrypted and password protected. To obtain a Virtru license, please contact IT.

d.)              External storage - Protected information shared via external storage must be encrypted and password protected. For encryption options and best practices, please contact IT.

4.1.2       Data at rest

a.)                Paper

i.)                Keep in locked filing cabinets located in physically secure areas that are accessible only by authorized individuals. Keep the number of copies of the data to a minimum.

b.)                Electronic

i.)                Baker College protected data should be stored on the departmental drive or within an authorized application (OnBase, Jenzabar).

ii.)              Protected data can be shared on Google Drive (with appropriate sharing permissions in place) or a portable electronic device (utilizing encryption and password protection). The protected data must also be removed from Google Drive or the portable device when its intended purpose is fulfilled.

iii.)            Baker College admin computers will be encrypted via industry best practices.

4.2             Auditing

4.2.1       Departmental supervisors will conduct periodic reviews of where protected information / data is located, who has access to it, and the access control mechanisms.

4.3             Data Disposal

4.3.1        Electronic

a.)              When electronic data is no longer required it must be disposed of in a way that prevents recovery. A user should defer to departmental best practices to identify the appropriate lifecycle of an electronic file and delete it when necessary.

4.3.2       Paper

a.)              To securely destroy paper documents, employees working at a Baker College campus should use the designated secure disposal boxes (i.e. Shred-It) located on each campus on a daily basis.

b.)              Remote workers should destroy paper documents by placing them in a designated secure disposal box (i.e. Shred-It) at a physical campus as frequently as possible or by utilizing a device in their home office to shred the documents on a daily basis.

5.0          RESPONSIBILITIES

5.1              IT

5.1.1         Responsible for consultation and training concerning security best practices.

5.1.2        Maintains the security of the central network and secure email service.

5.1.3        Provides resources for implementing and supporting encryption technologies.

5.2             Faculty / Staff

5.2.1        Responsible for complying with all Baker College policies.

6.0          FORMS/DOCUMENTS

NONE

Details

Article ID: 160688
Created: Thu 2/29/24 11:32 AM
Modified: Thu 2/29/24 11:39 AM
