Pursuant to 16 CFR Part 314, which was promulgated as a result of the passage of the Gramm-Leach-Bliley Act, colleges and universities are required to develop plans and establish policies to protect the security and confidentiality of information records.
It is the policy of Arkansas Tech University to secure all information systems and to protect all business, personnel, and student information from unauthorized access or disclosure.
Arkansas Tech University's designated Compliance Officer is the Vice President for Finance and Administration. The Office of Information Systems approves access to computer-based functions.
- Primary electronic (computer) data is coordinated by and stored under the supervision of the Office of Information Systems. This ERP data is stored on a centralized IBM mainframe system in a proprietary format using a secure database management software program. Access to this data is coordinated by key Office of Information Systems personnel who are responsible for establishing access rights for University staff/students as required based on written recommendations and approval by university departments and upper-level management.
- Information access to personal data held on ATU faculty, staff and students is controlled by a multi-level user-id/password system supplied by the vendor(s) of the software that is utilized. Local policies require that these passwords be changed on a regular basis. Access rights for individuals are reviewed periodically. All access to data is stopped immediately as part of the employee or student dismissal or termination procedures. All reports containing data held in these databases are produced by programs written by Office of Information Systems personnel, and are printed on devices physically located under direct supervision of the Office of Information Systems or at physically secure print stations located with the supervising department for the specific data. All online access to this data requires a proprietary protocol with inbuilt security. All data is backed up in a proprietary format on a daily basis and backups are stored within a secure area contained inside the Office of Information Systems. Monthly backups of the entire computer system are kept in a locked and fireproof vault at an off-site location that is staffed by University personnel.
- All staff (including students) employed by the Office of Information Systems are required to sign a non-disclosure agreement prior to employment in which they agree not to disclose any private information that may be observed during the performance of their assigned duties. Other personnel working within the various departments are also required to undergo a period of training and familiarization before being allowed access to university systems.
- All access to university computer systems, both network and online, is monitored by software programs, and logs are maintained for review. Firewalls are in place to minimize unauthorized access to the entire system and to detect intrusions. The hardware systems housing the data are all located within physically locked areas requiring either keyed or encoded access.
- All contractors/service providers who are employed to service our systems work under the supervision of Office of Information Systems personnel, and are generally well known to the university prior to being retained. All such service is performed under contracts that contain non-disclosure clauses for private information.
- All contracts will contain a statement that the contracting entity agrees to ensure the security and confidentiality of any personal information that it receives about Arkansas Tech University employees or students unless otherwise required by state or federal law or court order.
- Each office should make sure that all files, records and other personal information about employees or students are placed in a secure location.
- All offices should follow the Family Educational Rights and Privacy Act guidelines with regard to disclosure of educational records.
- All personal information of employees and students should be disposed of in a secure manner. For example, shred information of this nature that is recorded on paper.
- Erase all data when disposing of computers, diskettes, or other electronic media containing information about employees or students.
- Store paper records in a room, cabinet or other container that is secure.
- All offices must maintain a close inventory of all computer hardware.
Every reasonable effort is made by Arkansas Tech University to ensure that personal information that has been collected in order to conduct business at the University is secure from unauthorized access. Procedures and policies shall be evaluated and adjusted as necessary, including changes in the University's business arrangements or operations, or as a result of testing and monitoring the safeguards.
Last Updated (Monday, 03 May 2010 - 1:47:32 pm CDT)