Statement on Aurora University’s Information Security Program
Aurora University (AU) sincerely values the wide array of data with which it has been entrusted. While we are committed to the security of all of our data, we are particularly committed to protecting the wide range of personally identifiable information (PII) in our databases. The minimum standards that Aurora University employs for the protection of all data, especially PII, are defined by federal law including the Family Educational Rights and Privacy Act, the Higher Education Act, and the Graham-Leach-Bliley Act, and the National Institute of Standards and Technology (NIST) 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (CUI). AU will take the necessary steps to implement management responsibility, quality equipment deployments, meaningful evaluations, and business strategies designed to protect all secure information, especially PII.
AU designates its Chief Information Officer as its official responsible for the implementation, coordination, evaluation, and remediation of its information security program. As indicated in 16 CFR 314.4 it is the information security officers duty to: “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of AU operations”.
While the Chief Information Officer is ultimately responsible for information security, each constituent department plays a significant role.
Each set of University data will be classified as having an “owner”. The owner will be represented by a specific individual within the University department responsible for that data. Any time a department or individual wishes to gain access to another department’s data, they must obtain permission from the official responsible for the data sought. Permission will only be granted if there is a demonstrable and legitimate educational need to know. Permission must be explicit, written, designate any expiration date, and be provided to the Chief Information Officer for filing.
ENFORCEMENT OF POLICY:
Each department is responsible for enforcing this data security policy.
It is AU policy that confidential information is to be used only when necessary for University, college, or departmental business. Refusal to adhere to this policy is a clear violation of the Family Educational Rights and Privacy Act of 1974, The Higher Education Act, and /or the Graham, Leach, Bliley Act, and NIST 800-171 CUI. Offenders will be subject to disciplinary action and possible referral of the violation to the proper authorities.
In the event that a breach of information security policy is discovered, the Chief Information Officer is to be immediately notified. The Chief Information Officer will then apply the University’s Data Breach Policy as deemed necessary.
Confidential data includes any information subject to University or legally imposed confidentiality regulation. Examples include, but are not limited to, personally identifiable information (PII) such as Social Security, Driver’s License, or Passport Numbers; Birth Date; financial information; individual’s medical or academic information; any data covered by FERPA, HIPAA, GLB, or PCI regulations and standards NIST 800-171 CUI. Unauthorized access, transmission, collection, or storage of confidential data is prohibited. Access to and storage of confidential information on personal (user owned) devices can pose substantial risk to the University (as well as the individual) and is prohibited.
TYPES OF CONFIDENTIAL DATA:
For the purposes of this policy, types of confidential information are categorized as follows:
- Student Information
- Student Financial Aid Information
- Student Prospect, Inquiry or Applicant information
- Student Housing Information
- Administrative Financial Information
- Human Resources Information
- University Analytics Information
Data Owner – University Registrar
The Office of the Registrar is the official custodian of information on individual students. For security purposes, student information is divided into the two categories of directory and academic.
University personnel may have access to directory information and may, without restriction, disseminate information for official use on and off campus. The Family Educational Rights and Privacy Act of 1974 specifies the following as directory information:
- Student’s name, address, telephone number, e-mail address, photograph, date, and place of birth;
- Major, dates of enrollment, degree conferred and dates of conferral, any honors, and awards;
- Most recent institution attended prior to admission to AU;
- Grade level such as Freshman or Sophomore, and Enrollment status such as graduate or undergraduate;
- Participation in officially recognized activities and sports and weight and height of members of University athletic teams.
If a student does not wish any of the above information released to non-institutional persons or organizations, a Non-Disclosure of Directory Information must be completed in the Registrar’s office. Once the student has completed the form, the confidential flag is marked in Colleague. A ‘Confidential’ comment will appear in the upper left-hand corner on all Colleague screens. This request will remain in effect until the student notifies, in writing, the Registrar’s office to remove the flag.
Academic information, including grades, academic status, class schedules, etc., cannot be released to third parties without the student’s written permission. Academic information can be used by AU employees having a legitimate educational interest in the student and who are acting within the limitations of their need to know may access student educational records without prior consent of the student. This includes personnel in academic offices as well as student support offices, such as Admissions, Student Accounts, Financial Aid, Registrar, etc.). This is true even if the student has been granted non-disclosure.
Academic information not available from Colleague should be requested from the Office of the Registrar. Requests for information from students or from agencies or individuals outside the University should also be referred to the Office of the Registrar.
Summary Student Information
The office of University Analytics is the official source of aggregate or summary student information, such as enrollment or credit hour data intended for on- or off- campus dissemination. Requests for reports and analyses involving summary student data to be produced through internal systems will be developed in conjunction with the office of University Analytics. This will ensure that reports and analyses are based upon the most accurate information and will enhance the consistency and integrity of information generated by colleges and departments.
Student Disability Information
Student disability information is the responsibility of the Disability Resource Officer. Any requests concerning student disability information should be referred to the Disability Resource Officer in the Academic Support Center
Student Health Information
Information requests concerning student physical health are governed by the Director of the Wellness Center. Information requests concerning student mental health are the responsibility of the Director of the Counseling Center. Such requests should be referred accordingly.
Student Athlete Information:
Information concerning student athlete is under the governance of the Athletic Director. All requests concerning student athletic information should be referred to the Athletic Director.
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA.