Institutional Information Security Procedures

Introduction

The Western State Colorado University Board of Trustees have approved two policies that govern the treatment of High Risk Confidential Information (HRCI) and Data Protection and Security on the Western campus. The following are acceptable methods for access, storage, transmission and protection of electronic HRCI. 

For more information about the polices, please see the HRCI Committee Information Security page.

Definition: HRCI

From BOT policy: 'High-risk confidential information (HRCI) is defined as any combination of full name, SSN, date of birth, permanent address, driver’s license number/passport/other government-issued identification number, credit/debit card number, bank information, personal medical information and academic records. This information, if maliciously obtained and misused, carries a high risk of causing personal, financial or reputational damage to its owner."

Access

Access to HRCI (and all enterprise information) is governed by policy and all employees are required to sign a confidentiality agreement.  In addition the Enterprise Information Access Request (under constrcution) must be submitted and approved by the appropriate Data Owner (under construction)

Remote (Off Campus) Access

Many campus resources can be made available from off campus. Authorization to access HRCI from off campus must be authorized from the overseeing Vice President. Please contact IT Services if you have obtained this permission.

Storage

According to policy, HRCI kept in electronic format must be stored exclusively in secured network drives and databases.  Storage of HRCI data on any device, including but not limited to, desktop hard drive, laptops, PDAs, phones, USB Drives, CD/DVD, and diskettes is prohibited unless otherwise authorized by your overseeing vice president. If authorized to store HRCI on a device, please contact IT Services.

Allowed storage locations are:
  • Your Department shared network drive(s). This is appropriate storage space for HRCI that can be shared among members of your department. **
  • Your My Documents folder. This is transparently stored on a network server. Use this for storing private (to you) information.**
  • Approved Western managed databases:
    • e.g., Banner/Oracle, Donor2, EMAS
  • Approved third party storage and use:
    • Third party applications (e.g. cloud or hosted services not managed by Western) that contain HRCI information must be registered with ITS.  Please see our Third Party Registration page for more information (under construction).

**PLEASE NOTE:  These locations are authorized for storing HRCI data if you are not using the Windows feature that allow for offline (not connected to campus network) file use.  This feature caches a copy of your server based files on your local machine.

Transmission to Outside Entity

Acceptable methods of transferring HRCI data are as follows:

  • Secure File Transmission Protocols (e.g. sftp:// or https://).
    • These are secure sites, set up either by us or a third party with whom we have an agreement, that allow for the secure transfer of data via the internet.  They require at least a username and password to log on and the communication between your computer and the remote site is encrypted. Examples are banking or insurance sites or our own file sharing site, https://collaborate.western.edu.
  • Encrypted attachment to email (see Encryption below).
    • IMPORTANT: If you use this method, you must transfer the password to the encrypted document by an independent path, e.g. you send the document via email then call the recipient and transfer the password verbally.

If you are unsure which to use or if these methods will not work for your needs, please contact IT Services.

Protection

Managing your Desktop

Screen locking, windows +L, screen saver, log off.  For more details see our campus workstation locking policy.

Managing your Monitors

Position your monitors to reduce unauthorized viewing.  Purchase a privacy filter (prevents periferal viewing) if your office situation prevents you from limiting access.

Encryption

Documents may be sent as attachments to email if they are properly encrypted.  The preferred method of encryption of single Microsoft Office documents is to use the built in Encryption feature.  If you need to send a large number of files, a file that is too large to email, or will have a recurring need to transfer sensitive data, please contact IT Services.

Requesting Authorizations 

In rare situations that in order to conduct necessary university business you will need to be exempted from WSCU policy you must fill out and submit a Request for Special Use of HRCI form. This form must be signed by your overseeing vice president and the Director of Information Technology Services.  IT Services will assist in taking the appropriate security steps to mitigate the risks incurred.