920 Information Security
Approved by President
Effective Date: June 5, 2017
Responsible Division: Information Technology
Responsible Office: Information Technology
Responsible Officer: Vice President for Information Technology
This policy ensures the confidentiality, integrity, availability, and regulatory compliance of Middle Tennessee State University’s (MTSU or University) information assets. This policy pertains to all University information assets, whether the assets are individually or departmentally controlled; enterprise managed; stand-alone; and/or stored via electronic, paper, or other media. The policy reflects MTSU’s commitment to stewardship of sensitive personal information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of University constituents, safeguarding vital business information, and fulfilling legal obligations. It is MTSU’s intent to protect the personal information of its students, staff, faculty, alumni, and other individuals associated with the University from unauthorized access or disclosure and possible misuse or abuse.
This policy establishes awareness and provides guidance on the proper handling of personally identifiable information (PII) including individual social security numbers (SSN) maintained by or on behalf of MTSU. MTSU has implemented this policy to reduce the risk of exposure when PII is used as a primary identifier at the University and in other valid business applications and to ensure that all PII is handled consistently throughout the University. Personally identifiable information may not be captured, retained, communicated, transmitted, displayed, or printed, in whole or in part, except where required by law, and/or in accordance with the standards outlined in this policy. For example, because MTSU is a public institution, some PII may be subject to disclosure pursuant to the Tennessee Public Records Act, T.C.A. § 10-7-101 et seq. In addition, the University may disclose information to third parties, when such disclosure is required or permitted by law.
The information assets of the University, including the network, hardware, software, facilities, infrastructure, hard-copy documents and any other such assets must be available to support the teaching, learning, research, and administrative roles for which they are created. The University strives to employ appropriate physical and technical safeguards without creating unjustified obstacles to the conduct of the business and research of the University and the provision of services to its many constituencies in compliance with applicable state and federal laws. As a result, the University requires all employees to complete Information Security training annually to educate University employees on the safeguards and procedures available to protect the University’s information assets.
This policy serves as a companion to Policy 910 Information Technology Resources.
II. Policy Development and Maintenance
This policy was drafted by the Information Security Task Force, and shall be reviewed by the Chief Information Security Officer (CISO) at least every three (3) years. Revisions shall be forwarded to the Vice President for Information Technology and CIO for further review.
MTSU maintains records to carry out its educational mission. Federal and state laws and regulations govern access to these records. This policy and related procedures are established to ensure compliance with these laws and regulations and to protect the integrity of University records and the privacy of individuals. This policy applies to all University students, faculty, staff, affiliates, third-party support contractors, and all others granted access to MTSU information assets. The policy applies to the use of PII including SSN whether that information is maintained, used, or displayed, wholly or in part, and in any data format, including, but not limited to, oral or written words, screen display, electronic transmission (especially email), stored media, printed material, facsimile, or other medium as determined.
A. Personally Identifiable Information (PII). Any information which can potentially be used to uniquely identify, contact, or locate a person. Under Tennessee law, personal information means an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements, when either the name or the data elements are not encrypted: (i) social security number, (ii) driver license number; or (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. T.C.A. 47-18-2107(3).
B. Public/Directory Information. Some information that is considered to be PII is available in public sources such as telephone books, public websites, university listings, etc. This type of information is considered to be public/directory PII and includes, for example, first and last name, address, work telephone number, email address, and general education credentials. Public/directory information is available to the public via the Tennessee Public Records Act and other laws. See Policy 120 Public Records – Inspecting and Copying. For guidance on student directory information, contact the registrar’s office and/or review Policy 500 Access to Education Records.
C. Non-public/Confidential Information. All personally identifiable information except that information defined as directory/public information, unless the student has designated his/her directory/public information confidential. MTSU’s requirement to protect non-public/confidential PII is largely governed by law or contract (e.g. HIPAA, FERPA, GLBA, human subject data, Tennessee Public Records Act, etc.). Examples include, but are not limited to, SSN, credit card numbers, health records, human subject data, bank account numbers, certain employment records, and all FERPA non-directory information about students and former students.
D. SSS. May be interpreted to include Taxpayer Identity Number (TIN).
E. Individual Workstations. Includes, but is not limited to, desktops, laptops, and mobile devices.
F. Removable or Transportable Media. Includes, but is not limited to, paper forms, reports, cassettes, CDs, USB drives, flash drives, hard drives, and other forms of portable electronic storage.
G. Enterprise Systems. The term is applicable to any infrastructure as a means of describing its importance to the University’s mission and how it should be administered, protected, and funded. From a functional viewpoint, an Enterprise System will be either (a) the only delivery platform for an essential service, or (b) a platform for a service to a very broad constituency spanning organizational boundaries. An enterprise system is most frequently administered and protected by an institutional unit with expertise in both the technology and the business functions delivered.
H. MTSU ID Number. MTSU has created a unique identifier sometimes referred to as the M-Number to reduce the need for using the SSN in most business processes including instruction. Unique MTSU ID Numbers are assigned to all students and employees of the University and are not reused.
I. Department Chair/Director or Designee. An individual serving as the point of contact with respect to information security related issues within the department.
A. The University does not permit the use of PII as a primary identifier for any person or entity in any information system, except where the PII is required by law and/or permitted by University policy. Prior to using PII, users are required to complete the Checklist for Usage of PII form and file the Checklist with the appropriate department chair/director or designee.
B. The University will limit access to records containing PII to those individuals requiring access as determined by job function. Individuals permitted access to PII will be instructed on the appropriate handling, protection, and destruction of this data by their management or designated representative.
C. Except where the SSN is required by law, the MTSU ID Number replaces use of the SSN and will be used in all electronic and paper data systems and processes to identify, track, and service individuals associated with the University. The MTSU ID Number will be permanently and uniquely associated with the individual to whom it is originally assigned.
D. Where required by law and University policy, SSN may be stored as a confidential attribute associated with an individual and may be used as an optional key to identify individuals for whom a primary identifier is not known.
E. Where the collection and use of PII including individual SSN is permitted by university policy, but not required by applicable law, the collecting entity shall use and collect such information only as reasonably necessary for the proper administration or accomplishment of its respective business, governmental, educational, and medical purposes.
F. Individuals shall not be required to provide PII, including SSN, verbally or in writing, at any point of service, nor shall they be denied access to those services should they refuse to provide PII, except where the collection of that information is required by law or otherwise permitted by University policy. A department’s request that an individual provide their PII for verification of the individual’s identity, where such information has already been disclosed in accordance with this policy, does not constitute a disclosure for purposes of this policy. Questions about whether a particular use is required by law or permitted by policy should be directed to the Department Chair/Director or designee, who will consult with the Vice President for Information Technology and CIO and the Office of the University Counsel with respect to the interpretation of law or policy.
G. Where the collection of SSN is required by law or permitted by University policy, all university departments shall inform individuals of their federal privacy rights when they collect such information.
1. In the first instance where a department requests that an individual disclose his/her SSN, it shall provide the notice required by Section 7 of the Federal Privacy Act of 1974 (5 U.S.C. 552a), which requires that the individual be informed whether the disclosure is mandatory or voluntary, by what statutory or other authority the number is solicited, and what uses will be made of it. A subsequent request for production of a SSN for verification purposes does not require the provision of another notice.
2. The notice shall use the applicable text from Sample Disclosures or such other text, as may be approved by the Department Chair/Director or designee, who shall consult as needed with the Office of the University Counsel with respect to the interpretation of law and Information Technology Department (ITD) Information Security Services personnel with respect to technical implementations of the statement.
3. It is preferable that the notice be given in writing, but in rare circumstances it may be necessary to give the notice orally, in which case, procedures shall be described on the approval form to collect SSN as documentation that the notice is properly and consistently given.
H. All newly developed or acquired application software will not be used to collect, store, or transmit PII as data elements until a business requirement is submitted and approved by the appropriate department chair/director or designee, CISO, the Vice President for Information Technology and CIO, and/or other authorities as deemed appropriate.
I. All proposed contracts that involve the transfer, storage, and/or electronic recording of PII must be reviewed and approved by ITD Information Security Services to ensure appropriate technical controls and best practices are accounted for before the contract is signed.
J. Access to servers housing databases or records containing PII must be restricted to permit only the access needed for the use and support of that application. The server must be protected by an ITD approved firewall and other technical security measures as deemed appropriate by ITD Information Security Services.
K. Records containing PII should be stored on secure network drives with access limited to those individuals or entities that require access to perform a legitimate University function. Individual workstations, laptops, mobile storage devices, and other personal computers (e.g., mobile devices and home computers, etc.) shall not be used to store records containing PII except where permitted by policy.
L. All removable or transportable media (e.g., paper forms, reports, cassettes, CDs, USB drives, etc.) containing PII must be physically secured when not in use. Reasonable security measures depend on the circumstances, but may include locked file rooms, desks, and cabinets. Reasonable efforts must be made to encrypt portable devices which store PII.
M. Subject to applicable document retention policies or unless required by law, when no longer required, paper documents and electronic media containing PII will be destroyed or disposed of using methods designed to prevent subsequent use or recovery of information. NOTE: All information subject to a litigation hold must be retained in whatever format the information is in and in whatever classifications in spite of otherwise general policies on retention.
N. PII will be released to entities outside the University only where required by law, for University business necessity, or with the express written permission of the individual or entity. Individuals with access to PII within the University’s electronic information systems may need to consult with ITD Information Security Services personnel regarding the technical implementation of the disclosure/release of such information.
O. All requests for information under subpoenas, court orders, compulsory requests from law enforcement agencies, etc. should be referred to the Office of the University Counsel before releasing any records. Records should only be released after consultation with the University Counsel.
Individual business units are responsible for the development, documentation, and implementation of applicable procedures to effectuate this policy. The departmental chair/director or designee is responsible for informing new departmental personnel regarding the MTSU Information Security policy. Procedures are subject to review by ITD Information Security Services.
VII. Incident Reporting and Response
Any member of the University who has knowledge of any evidence of PII being compromised or who detects any suspicious activity that could potentially expose, corrupt, or destroy PII must report such information to the departmental chair/director or designee. They will, in turn, report the information to his/her supervisor, ITD Information Security Services, University Counsel, and the appropriate Vice President.
Violation of this policy may result in one or more actions, including, but not limited to:
A. The immediate suspension of network access, access to administrative systems, and access to the internet.
B. Use of the regular disciplinary processes and procedures of the University for students, staff, administrators, and faculty.
C. Students may be recommended for discipline up to, and including, suspension or expulsion from MTSU. Employees may be recommended for discipline up to, and including, termination from MTSU employment.
D. Referral to appropriate law enforcement agencies, in the case where violation resulted in a suspected breach of sensitive information.
E. Personal liability for willful violation of this policy resulting in loss to the University.
IX. Approved Uses of SSN
University offices may not collect SSNs for purposes other than those noted in Section V. Standards.
The primary uses and reasons for the continued capture, storage, retention, and processing of SSN data are identified and documented in the Approved Uses of SSNs and Other Personally Identifiable Information form. Typically, processes that access historical SSN data, or require or permit continued use of SSN data, are described here. Additional processes may be added by contacting ITD Information Security Services.
References: Tennessee Public Records Act, T.C.A. §§ 10-7-101 et seq.; 47-18-2107(3); Federal Privacy Act of 1974, Section 7 (5 U.S.C. § 552a); Policies 120 Public Records-Inspecting and Copying; 500 Access to Education Records; 910 Information Technology Resources.