Sensitive Information Policy (IT 400-002)

Image of the Baker College Logo (Red on Black background)    Baker College Policy

     IT 400-002  Sensitive Information Policy

     Responsible Oversight: Director of ISS

     Date of Current Revision / Creation: February 28, 2024

1.0 Purpose

The purpose of this procedure is to regulate how Baker College users handle protected information for the institution. This includes the transmission, access control, and storage of protected information across the organization. Any member of the Baker College community, including all faculty, staff, and students, who have access to Baker College records that contain protected information covered by IT Foundational Policy 400, must comply with this procedure. This also applies to any third party that deals with the transmission and storage of protected information.

2.0 Definitions

De-Identification of Information - De-identified data describes records that have a re-identification code and have enough personally identifiable information removed or obscured so that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. The re-identification code may allow the recipient to match information received from the same source.

Encryption - The transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key (password).

Student - Any person who attends or has attended Baker College.

Users - Any authorized individual, including faculty, staff, students, vendors, or courtesy affiliate.

Virtru - Virtru is data encryption software that protects data, through email and file-sharing, Cloud, SaaS, CRM solutions and across internal and external ecosystems.

3.0 Scope

This policy applies to all Baker College employees who handle or manage the access to sensitive information owned by the Baker College organization.  The policy also applies to employees who manage the systems that store sensitive information (both physical and digital).

4.0 Policy Statement

Data Handling and Storage

Data in transit (internal and external)

  • Encryption or information de-identification is required for protected data in transit.  Secure protocols must be utilized during transfer between systems.
  • Paper - Address to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”.
  • Email - The following best practices should be used to encrypt protected information via email:
    • Users with a Virtru license will use the built-in controls to send encrypted emails. Only select departments have Virtru licenses.
    • For users without a Virtru license, any email with protected data must be encrypted and password protected. Please contact IT for obtaining a Virtru license.
  • External storage - Protected information shared via external storage must be encrypted and password protected. For encryption options and best practices please contact IT.

Data at rest

  • Paper
    • Keep in locked filing cabinets located in physically secure areas that are accessible only by authorized individuals. Keep the number of copies of the data to a minimum.
  • Electronic
    • Baker College protected data should be stored on the departmental drive or within an authorized application (OnBase, Jenzabar).
    • Protected data can be shared on Google Drive (with appropriate sharing permissions in place) or a portable electronic device (utilizing encryption and password protection). The protected data must also be removed from Google Drive or the portable device when its intended purpose is fulfilled.
    • Baker College admin computers will be encrypted via industry best practices.

Auditing

Departmental supervisors will conduct periodic reviews of where protected information / data is located, who has access to it, and the access control mechanisms.

Data Disposal

Electronic

  • When electronic data is no longer required it must be disposed of in a way that prevents recovery. A user should defer to departmental best practices to identify the appropriate lifecycle of an electronic file and delete it when necessary.

Paper

  • To securely destroy paper documents, employees working at a Baker College campus should use the designated secure disposal boxes (i.e. Shred-It) located on each campus on a daily basis.
  • Remote workers should destroy paper documents by placing them in a designated secure disposal box (i.e. Shred-It) at a physical campus as frequently as possible or by utilizing a device in their home office to shred the documents on a daily basis.

5.0 Procedures

None

6.0 Responsibilities

IT

Responsible for consultation and training concerning security best practices

Maintains the security of the central network and secure email service

Provides resources for implementing and supporting encryption technologies.

Faculty / Staff

Responsible for complying with all Baker College policies.

7.0 Citations & Related Information

None

Was this helpful?
0 reviews
Print Article