Technology Data Security Policy

Purpose

Cedar Crest College recognizes the importance of diligence when it comes to securing data.  To address the issue of data security, this policy has been created in order to help create and maintain procedures and consistency in regards to data security, and also to remain compliant with applicable government regulations (FERPA, GLBA, GDPR).  This policy applies to all Cedar Crest College employees, students and their data.

Policy Statement

Responsibility

The responsibility for access to, retention of and security of the data that is important to the college resides within the Office of Information Technology.  An important aspect of this is to work with college-wide departments to assist with the integration of relevant compliance regulations into the operations of those departments, and also to assure the compliance with these regulations across college-wide operations.

The College has appointed a Chief Data Security Officer who responsible for creating and enforcing policies, training and educating the college-at-large on procedures and policies and overall compliance with regulations.  This individual leads and coordinates the college-wide security training program and is available to work with other departments across the college to assist with security policy implementation.  The Chief Data Security Officer works closely with the departments responsible for financial operations to ensure the objectives and requirements of GLBA, FERPA, GDPR and other relevant regulations.

Policy Practice

The College has a series of regularly run assessments that are designed to test and report on vulnerabilities and risks to the security posture of the organization.  These include, but are not limited to:

1. Internal vulnerability scans on network resources (servers, network access)
2. External vulnerability scans on firewall and web-accessible resources
3. Microsoft Advanced Threat Protection to monitor and remediate threats to Office 365
4. Reports are delivered to the CDSO after completion of scans or when threats are identified.
5. The Chief Data Security/Protection Officer is the Director of Information Technology.
6. The Data Controller is the Registrar.
7. The Data Processors are the departments that own the application processing the data.

The College has multiple layers of technology used to detect, prevent and respond to attacks, intrusions or system failures.  The College also reviews and implements controls on a regular basis when requirements for compliance are required.  These are accomplished based on an analysis of regulations, best-practices and evaluating processes through an iterative process.  Remediation of issues are performed as a response based on risks that are identified through a number of different assessments.  All processes and policies are reviewed as needed and annually.

The College has taken steps to reduce the risk to our student information and financial aid systems by hosting them with a provider that specialized in higher-education and financial data security.

Data Retention

Data retention policies are available in specific policies that govern the specific types of data in question at https://help.cedarcrest.edu.