by Linc Nesheim and Larry Gilbert
Information Services staff members take the privacy and security of your data very seriously. We want to inform you of the steps we take to ensure the privacy of your data - and also let you know what you can do to help.
There are typically three categories of data stored on computers on campus: shared departmental/university data, university records, and private individual work data. Examples of shared data would be information stored on the shared network drives (i.e. the P: drives) and in shared Outlook mailboxes, where that information can be accessed by more than one person based on group control lists. Official university records include Human Resources data, financial records, and registration data. Examples of private data would be your personal network U: drive, data stored on your work desktop or laptop, and your own Outlook or other email box. Each of the three categories is reviewed below, with emphasis on steps we can take together to continue the security and privacy of our data.
Although shared storage drives and mailboxes can be a great resource for making information available to a group, it's very important that you pay close attention to the privacy and security of data in shared spaces. With any shared data, it's especially critical that there be one individual assigned responsibility for maintaining and updating control over each shared folder on the P: drive or shared Outlook mailbox; it's also a good idea to have a back-up person assigned to this task in case the primary administrator is unavailable. When you place information on a shared drive, are you sure you know that the access list is current and that everyone on that list is authorized to see that specific information? Have you checked to ensure there's no personal or private data in documents that should not be shared? Have shared mailbox lists been cleaned up so that former employees are no longer able to see that shared mail? Have new employees been appropriately added? The ATUS Help Desk or ATUS staff members can assist you in determining how to best manage access to departmental shared data. For example, it is possible to grant other departments and individuals from outside your area access to specific areas 'inside' your shared P: drive (and the same can be done for Outlook shared mailboxes), but this must be done carefully to ensure the privacy and security of your data.
University records, such as data stored in WWU's Banner system, receive the highest degree of security. That's because this data contains the type of information that can be used for identity theft or that could otherwise compromise personal privacy. First, all critical university records are maintained in a special high-security network zone, distinct from the systems used to store shared and individual desktop data. This high-security zone requires use of special security rules and passwords that must be aged (i.e. changed) every 120 days. In addition, the campus operates a data access firewall at the border to the campus that highly restricts access to university data from off-campus. There's also a second firewall especially for administrative systems that further restricts access to Banner and other administrative data systems. Periodic vulnerability scans are run against key WWU servers to ensure that no 'holes' exist in our security. Finally, audits are conducted of university data systems by both external and internal auditors. The Information Technology group must also conduct a comprehensive review of Western's security and disaster plans under state scrutiny each year. Near-term enhancements to this already robust data security include the addition of a Cisco Adaptive Security Appliance that will provide ongoing monitoring of data security, review and certification of all credit card processing, increased security scans of the entire campus network, increased audits, and a move to further hardening of passwords used by all employees and students.
As you know from reading the newspaper, such security over university records is only as good as the weakest link. We need your help with data security too. You can assist by paying close attention to how you handle any confidential information (e.g. student records). Are you careful to never inadvertently expose private student information (e.g. post grades with W#)? Are you sure to never carry confidential data on a laptop that could be stolen? Do you have a time-out on your desktop login so that unauthorized persons can't use your login to access private information?
Although anything we do on our work computers is accessible to public records requests, your individual work data is intended to be accessed by you alone. Our default approach is to always protect the privacy and confidentiality of your data on campus. Access to your personal data stored on the network is restricted in the same way data on your desktop computer itself is - only you can see that data through use of your individual ID and password (that's why you should never share or post your ID and password). Technicians who work on your computer often need to gain administrative access to your computer, which technically allows them to see any data on your computer or network drives. However, all Information Technology Services employees sign a strict confidentiality and privacy agreement prohibiting any access to or release of private information. Even when there is a legitimate need for access to individual workstation data (e.g. serious illness of an employee, a theft of data, or a public records request) your individual work data can only be released with the specific authority of a Western Vice President.
It's in the interest of everyone to ensure the privacy and confidentiality of data on campus. If we all continue to work together to keep a watch on data security, we can continue our excellent record in protecting those data. For further information, you can read more at WWU Security & Data Management Best Practices and Policies.