Purpose
According to 16 CFR Part 314, promulgated due to the passage of the Gramm-Leach-Bliley Act, colleges and universities are required to develop plans and establish policies to protect the security and confidentiality of information records.
Arkansas Tech University's policy is to secure all information systems and protect all business, personnel, and student information from unauthorized access or disclosure.
Arkansas Tech University's designated Compliance Officer is the Vice President for Finance and Administration. The Office of Information Systems approves access to computer-based functions.
Security Actions
Primary Electronic Data: Coordinated and stored under the supervision of the Office of Information Systems. ERP data is stored in an Oracle database on an AWS Cloud-based server system. Office of Information Systems personnel coordinate electronic access to this server and its data. They are responsible for establishing access rights for university staff and students as required, based on written recommendations and approval by university departments and upper-level management.
Information Access: Controlled by 2-factor authentication and a multi-level user-id/password system following NIST security guidelines for least-privilege access. State policies require that passwords be changed regularly. Access rights for individuals are reviewed periodically. All access to data is stopped immediately as part of the employee or student dismissal or termination procedures. Reports containing data in these databases are produced by programs written by Office of Information Systems personnel. They are printed on devices physically located under the direct supervision of the Office of Information Systems or at physically secure print stations situated in the department that supervises the specific data. All online access to this data requires a proprietary protocol with built-in security. All data for the Ellucian Cloud Banner system is backed up daily and maintained by the Ellucian Banner Cloud services team.
Staff Agreements: Personnel across various departments must complete training and become familiar with university systems before being granted access.
Security Awareness Training: Arkansas Tech University will conduct information security training for all employees and inform department heads of changes in legislation. Departments should review departmental security procedures to reinforce the importance of adhering to security protocols and to assist employees in recognizing potential threats.
Monitoring and Firewalls: All access to university computer systems, both network and online, is monitored by software programs, and logs are maintained for review. Firewalls are in place to minimize unauthorized access to the entire system and detect intrusions. The hardware systems housing the data are located within locked areas requiring either keyed or encoded access.
Contractor Supervision: All contractors/service providers employed to service our systems work under the supervision of Office of Information Systems personnel and are generally well-known to the University before being retained. All such services are performed under contracts that contain non-disclosure clauses for private information.
Contract Statements: All contracts will contain a statement that the contracting entity agrees to ensure the security and confidentiality of any personal information it receives about Arkansas Tech University employees or students unless otherwise required by state or federal law or court order.
Secure Locations: Each office should ensure that all files, records, and other personal information about employees or students are placed in a secure location.
Compliance with Privacy Laws: All university offices must adhere to the guidelines established by the Family Educational Rights and Privacy Act (FERPA), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) to ensure the proper handling and disclosure of educational records and other sensitive information. Compliance with these regulations safeguards data privacy, upholds institutional integrity, and protects individual rights.
Secure Disposal: All personal information of employees and students should be disposed of securely, such as shredding information recorded on paper.
Data Erasure: Ensure that all data is securely and thoroughly erased from computers, USB drives, external hard drives, SD cards, CDs/DVDs, or other electronic media containing information about employees or students.
Secure Paper Records: Store paper records in a room, cabinet, or secure containers.
Inventory Maintenance: All offices must maintain a close inventory of all computer hardware.
Efforts to Secure Information: Arkansas Tech University makes every reasonable effort to ensure that personal information collected to conduct business at the University is secure from unauthorized access. Procedures and policies shall be evaluated and adjusted as necessary, including changes in the University's business arrangements or operations or as a result of the testing and monitoring of the safeguards.
Temporary Access Suspension: The University may temporarily suspend or block access to any individual or device when it appears necessary to protect the institution's integrity, security, functionality, and computer resources. Violations of this policy may result in penalties and disciplinary action per the Student Handbook, Faculty Handbook, and rules governing employment at Arkansas Tech University.
Risk Assessments: The University will conduct regular risk assessments to identify foreseeable internal and external risks to customer information's security, confidentiality, and integrity. The assessments will evaluate the sufficiency of existing safeguards and recommend improvements as necessary.
Testing and Monitoring of Safeguards: The University will regularly test and monitor the effectiveness of critical controls, systems, and procedures to protect customer information. This includes periodic audits and vulnerability assessments.
Utilization of Public or Open Generative Artificial Intelligence (GenAI) Platforms: When utilizing GenAI tools, it is crucial to exercise caution to ensure that sensitive or regulated data, including personally identifiable information (PII), is not shared with these systems. Data protected by the privacy laws or regulations listed in the "Compliance with Privacy Laws" section above must not be used in GenAI systems. This is necessary to ensure legal compliance and maintain confidentiality. Confirm that the data is sourced from a publicly accessible platform and contains no restricted or internal information. Always verify that anyone can freely access the data without requiring special permissions or authentication. If you are uncertain whether the data is eligible for sharing, please contact the Campus Support Center for guidance.
Incident Response Plan: The University will develop and maintain an incident response plan to address and manage security breaches promptly and effectively. The plan will include procedures for notifying affected individuals and authorities, containing and mitigating the breach, and documenting the incident and response actions.