Information Systems

Information Security Plan

The Whitworth Information Security Plan contains policies and procedures used by the university to support its interests and to comply with the growing number of regulatory requirements from external agencies. These include, among others, VISA regulations, the Family Educational Rights and Privacy Act, the Federal Trade Commission and the Department of Homeland Security. This plan is a summary of the security policies contained in the staff handbook, the student handbook, the Whitworth computer policy, the Whitworth FERPA policy and various information-systems documents, procedures and policies.

Responsibility for information security is held by the following personnel for the areas indicated.

Information and Systems Security: Director, Information Systems
Financial Data: Controller
Academic Data: Registrar
Employee Data and Training: Director, Human Resources
Financial Aid Data: Director, Financial Aid
Institutional Advancement Data: Asst. Director, Gift Accounting and Information Systems
Physical Security: Director, Facility Services
Health Center Data: Director, Health Center

Section I. Employee Management and Training

  1. References will be checked prior to hiring employees who will have access to personally identifiable information.
  2. All employees must agree to the information security policies of the university by completing an online tutorial and quiz which include the Whitworth computer policy, the Whitworth FERPA policy, the code of ethics and the educational record.
  3. Employees will be given training appropriate to their position in the basic steps to maintain security, confidentiality and integrity of personally identifiable information. A FERPA video and tutorial are available online.
  4. Employees in breach of information security policies and procedures are subject to disciplinary action.

Section II. Information Systems

  1. Information security will be a primary consideration in the design and implementation of all computer and network systems used in a production environment at Whitworth.
  2. All servers which contain personally identifiable data will be located in the information systems department's secure area, which has limited key distribution and electronic alarms.
  3. Backup data is located in the built-in safe in the registrar's office.
  4. Tapes, disks, hard drives or other media containing institutional data will be destroyed or wiped prior to disposal.
  5. Internet access to personally identifiable data will be through the Intranet or through SSL connections. In addition, proprietary encryption systems from Security Smith and the Datatel Messaging Interface are used for communications between the web servers in the DMZ (demilitarized zone) and the administrative system.
  6. Complex passwords are required for network access, and system-generated passwords are used on the administrative system. Access to the network is by individual accounts except with the approval of the Director of Information Systems. Access to the primary administrative software from Datatel requires another password, and access to critical internal functions requires a further password.
  7. Access to individual screens, records or fields is provided based upon business reasons and is granted by Information Systems after a request is received from the custodian of the data. The custodian of student data is the registrar, the custodian of financial data is the controller, the custodian of financial aid data is the director of financial aid, the custodian of alumni data and institutional advancement data is the assistant director of gift accounting and information systems, and the custodian of employee data is the director of human resources.
  8. Release of individually identifiable information to a third party requires the approval of the custodian and a signed data confidentiality agreement.
  9. A full description of security systems in place is contained in network and computer documentation and includes:
    • Redundant firewall blades in the 6509 core router.
    • Cisco Intrusion Detection System in the DMZ.
    • Cisco Intrusion Detection System blade in the core router.
    • Cisco VPN (Virtual Private Network).
    • SSL (Secure Sockets Layer) on the Intranet and on the Web email interface. Verisign digital certificates are used for both server and personal certificates.
    • Norton Enterprise Virus Protection is required on all systems connected to the network.
    • Cisco Clean Access system for student network access.
    • VLANs (Virtual Local Area Networks) controlled by ACLs (Access Control Lists) are used to separate various constituencies on the network.

Section III. Information Systems Failures

  1. The Information Systems Disaster Recovery Plan will be implemented in the event of full or partial loss of system data. The DRP is an element of the Whitworth Emergency Response Plan.
  2. In general, it is the policy of information systems to stay current on all system and application software patches with particular emphasis on security patches. SMS (Systems Management Service) and SUS (Software Update Services) are used to update computer systems with current security and other critical patches.
  3. Anti-virus software updates and data files are downloaded and applied automatically using the Norton console software.
  4. Firewall, switch and router firmware versions are regularly downloaded and applied.
  5. The Retina Software Suite, Cisco MARS Analysis Module and Microsoft Baseline Security Analyzer are used to perform security audits on the network and computer systems.
  6. Cisco MARS is used to configure and report on network security and to respond to cyber attacks.
  7. A full backup of the administrative system is performed every night with the exception of Saturday.

Last Update: May 1, 2006