Gettysburg College acknowledges that it has an obligation to ensure appropriate protections for the information assets within its domain of ownership and control. This obligation is shared by every member of the campus community.
The purpose of this policy is to describe the College’s commitment to its stakeholders and to outline student, faculty and staff responsibilities for the protection of the College’s information assets. Information assets are any information received, created and maintained by the College as well as the systems, devices and procedures that support them, regardless of media. This document will:
• Describe basic information risk management principles.
• Define Gettysburg College’s policy for protecting its information assets.
• List information assets that require enhanced protections.
• Communicate information management roles and responsibilities.
The College faces threats, both internal and external, that put its information assets at risk. Potential consequences of the failure to manage risks include disruption of service, financial penalties, expensive litigation and negative publicity. All of these consequences have the ability to damage the College’s reputation and hinder its ability to attract quality students, faculty and staff and to fulfill its mission.
The College’s Information Management Policy is designed to support the College’s need to share information in a way that minimizes the exposure to loss.
Information Risk Management Principles
Information Risk Management is the process of analyzing exposure to the risks inherent in storing and transmitting information and making informed choices on how to best handle such exposures, including mitigation, acceptance and transference.
A well-structured information risk management program will address the following:
• Confidentiality: the privacy of information, including the issues of copyright.
• Integrity: the accuracy of information.
• Availability: the functionality of a system and its components.
Statement of Policy
• Gettysburg College has committed to the following:
• Gettysburg College will comply with all applicable federal, state and local laws and regulations concerning its information assets.
• The College will manage the risks to its information assets to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to availability.
• Some of Gettysburg College’s information assets are considered sensitive and need special controls to ensure their confidentiality. The College will implement these controls in a manner that effectively controls risk yet still enables the College to carry out its mission.
• The College will issue additional policies and guidelines that contain details regarding the management of information assets which may be found at: www.ettysburg.edu/information-management.
• This and other College policies shall be reviewed and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organizational policy or applicable regulations.
• The College will establish a program to ensure the effective communication of this and other policies to all members of the campus community.
Information Requiring Enhanced Protection
The following information requires particular protections by law, government or industry regulation. All members of the campus community who create, use, transmit or dispose of information in any of the following categories are expected to appropriately maintain the confidentiality of such information in accordance with the laws and regulations cited below:
• Education Records, including files, documents or other materials (regardless of the medium maintained) which contain information directly related to a student and maintained by Gettysburg College. Social Security Numbers, particularly when combined with an individual’s name or birth date are part of a student’s Education record. These records, as defined by federal law, are protected under the Family Educational Rights and Privacy Act of 1974 (FERPA).
• Payment Card Information, including credit and debit card account numbers, expiration dates, and other information. Payment Card Information is covered by the Payment Card Industry Data Security Standard (PCI-DSS).
• Protected Health Information, including information created or received by a health care provider that: (1) identifies an individual; and (2) relates to that individual’s past, present or future physical or mental health condition or to payment for health care. Protected Health Information is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• Customer Information, as defined under the Gramm-Leach-Bliley Act, includes personal identifiable financial information that Gettysburg collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.
• Personnel Records, protected under state law, which include letters of offer, employment records, salaries, fringe benefits, and other personnel information.
• Research Records that are protected by copyright, trademark, trade secret, patent or other intellectual property right.
Roles and Responsibilities
Every member of the Gettysburg campus community has a role in protecting the College’s information assets.
President’s Council is responsible for making information risk management decisions regarding the College’s information assets and is responsible for oversight of all policy development.
The Data / Document Policy and Procedure Committee (DDPPC) is responsible for developing and maintaining institutional policies for the management of the College’s information assets. The DDPPC will also develop and implement the College’s information risk awareness program.
Managers are members of the College community who have management or supervisory responsibility for full time, part time or student employees or contractors. Manager responsibilities include ensuring that members of their oversight area:
• Comply with this and other institutional policies on information management.
• Participate in the College’s security awareness program.
Information Users are all the members of the Gettysburg campus community who access any of the College’s information assets. Users are expected to follow all institutional policies and are responsible for protecting the information assets to which they have access or that are in their care.
Vendors and other Third Parties that access Gettysburg information assets are required to comply with this and other policies on information management.
Reporting: Non-compliance with this policy should be reported as follows:
• For Students: to the Director of Student Rights and Responsibilities.
• For Faculty: to the Vice Provost.
• For Administrators, Staff, and Contractors: to your immediate supervisor.
If the person to whom you would normally report non-compliance is themselves the cause of non-compliance, please consult the College’s Whistleblower Policy.
The College Life Office staff will respond to issues arising from this policy involving students. The Provost’s Office staff will respond to issues arising from this policy involving faculty members and administrators within the division of the Provost. The Human Resources Staff will respond to issues arising from this policy involving other administrators and staff members as well as contractors.
The DDPPC will be responsible for reviewing and modifying this policy on a bi-annual basis. This policy may be changed in the interim by directive from President’s Council. Whenever changes are made to the policy they will be communicated to the campus community through updates to the student, faculty and employee handbooks.
Other Gettysburg policies related to information management, including ‘whistleblower’ procedures, can be found on the College’s policy website, http://www.gettysburg.edu/information-management.
Approved by President’s Council
April 21, 2009