- In response to the threat of identity theft primarily through financial transactions, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159, an amendment to the Fair Credit Reporting Act. In accordance with sections 114 and 315 of FACTA, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission jointly adopted and promulgated rules known as the "red flags" rules.
- The Tennessee Board of Regents, on behalf of its institutions, has adopted an identity theft prevention policy and program, set forth in TBR Policy #4:01:05:60, in an effort to detect, prevent and mitigate identity theft, and to help protect institutions, faculty, staff, students and other applicable constituents from damages related to the loss or misuse of identifying information due to identity theft.
- Chattanooga State Community College developed this policy in order to satisfy the requirements of the Red Flag rules and TBR Policy #4:01:05:60 in consideration of the College's size and the nature of its activities, with oversight by the Program Administrator.
- The purpose of the program is, first, to detect, prevent and mitigate identity theft in connection with any covered account and/or PII/PCI data. This program envisions the creation of policies and procedures in order to achieve these goals. While ChSCC currently does not provide commonly known covered accounts, ChSCC will incorporate new covered accounts or other identity theft concerns into the policy.
- ChSCC will ensure detected red flags will be incorporated into the policy;
- ChSCC will respond appropriately to any red flag that is detected to prevent and mitigate identity theft; and
- ChSCC will ensure the policy is updated periodically to reflect changes in risks to students and other College constituents from identity theft.
- ChSCC will promote compliance with state and federal laws and regulations regarding identity theft protection.
The scope of this policy includes all ChSCC staff, faculty, students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data, regardless of the medium on which it resides (e.g., paper, fiche, in electronic form on tape, cartridge, disk, CD-ROM, or hard drive, etc.) and regardless of form (e.g., text, graphics, video, voice, etc.). Additional specific department requirements and procedures may be required for student workers, if so determined by the individual department. Individual departments are responsible for providing additional training as necessary.
Included in the scope are all computer systems owned, leased or maintained by the College. This includes: microcomputers/PCs, servers, various peripheral equipment including, but not limited to, printers and modems; and all other IT equipment. Use of IT systems and resources, even when carried out on a privately owned computer that is not managed or maintained by ChSCC, is also governed by this policy.
- "Confidential Data" includes information that the College is under legal or contractual obligation to protect.
- "Covered Account" includes any account administered by the College that involves or is designed to permit multiple payments or transactions. Covered accounts are new and existing accounts maintained by the College for its students, faculty, staff and other constituents for whom there exists a reasonably foreseeable risk: (1) to the students, faculty, staff, or other constituents related to identity theft, or (2) to the safety and soundness of the College itself from the financial, operational, compliance, reputation or litigation risks resulting from identity theft.
- "Identifying Information" is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:
- Personal information such as:
- Maiden name
- Date of birth
- Telephone number
- Student/Faculty/Staff identification number (e.g., the "A" number assigned by the College)
- Computer internet protocol address
- Credit card or other account information such as:
- Credit card number, in whole or in part
- Credit card expiration date
- Tax identification numbers such as:
- Social Security number
- Business identification number
- Employer identification number
- Payroll information such as:
- Bank account/routing information
- Medical information such as:
- Doctor's name
- Insurance claim
- Any personal medical information
- Government-issued identification numbers such as:
- Driver's license number
- Alien registration number
- Passport number
- "Identity Theft" is a fraud committed or attempted using identifying information of another person without authorization.
- "Need to Know" authorization is given to a user for whom access to the information is necessary for the conduct of their official duties and job functions, as approved by the employee's supervisor.
- "Public Record" is a record or data item that any entity, either internal or external to the College, can access.
- "Red Flag" is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
- "Sensitive Personal Information" (SPI) is an individual's name, address, or telephone number combined with any of the following:
- Social security number or taxpayer ID number
- Credit or debit card number
- Financial/salary data
- Driver's license number
- Date of birth
- Medical or health information protected under HIPAA
- Student related data protected under FERPA
IDENTIFICATION OF RED FLAGS
- In order to identify relevant red flags, the College considers the types of accounts that it offers and maintains; the methods it provides to open its accounts; the methods it provides to access its accounts; and its previous experiences with identity theft. While ChSCC currently does not handle specific "Red Flag" loans, the Tennessee Board of Regents has provided extensive documentation concerning red flags that can be considered potential indicators of fraud in TBR Policy 4:01:05:06. Any time a red flag or a situation closely resembling a red flag is apparent, it should be investigated for verification using the TBR policy as guidance.
- Data Security and Classification Requirements: College data, regardless of its medium and/or form, shall meet the following requirements. At a minimum, data shall be classified as public or confidential, be appropriately secured and not accessible to non-approved users when not in use. (Refer to Responsible Use Policy, IT Policy 08.14 and PCI Questionnaire Section C 9.7.1)
- Data shall also be made secure against unauthorized creation, updating, processing, outputting, and distribution.
- The decision on handling and classification is determined from three separate and distinct areas:
- Data identification - What is the institutional risk if the data is lost, stolen, or provided to an unauthorized person?
- Data integrity - What is the institutional risk and impact on the institution should the data not be trustworthy?
- Data availability - What is the impact on the institution should the data not be available for some period of time?
Access to Data:
- Data will be accessed, used and disposed of in a manner commensurate with the data's classification and will be disseminated by officially designated offices only in accordance with ChSCC policies and procedures. All computer access granted to an authorized user will be removed when that user terminates employment, graduates, or withdraws from the College.
- Public: Access to Public institutional data may be granted to any requester, or it is published with no restrictions. Public data is not considered sensitive. The integrity of "Public" data should be protected, and the appropriate department or unit must authorize replication or copying of the data in order to ensure it remains accurate over time. The impact on the institution should public data not be available is typically low (inconvenient, but not debilitating). Examples of "Public" data include published "whitepapers", directory information, maps, department websites, and academic course descriptions. This data may be made generally available without specific data custodian approval.
- Confidential: Access to confidential, internal, non-public institutional data must be requested from, and authorized by, the department or unit that is responsible for the data. Access to this type of internal data may be authorized to individuals based on job classification or responsibilities (role-based access), and may also be limited by one's employing unit or affiliation. Some confidential information is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. The impact on the institution should confidential data not be available can range from moderate to very high, depending on the information. Examples of the types of data that would have a moderate impact include project information, official college records such as financial reports, human resources information, some research data, unofficial student records (including grade books without SSNs), and budget information. Examples of confidential data that, if lost, corrupted, or disclosed without authorization, could result in business, financial or legal loss include: official student grades and financial aid data, social security and credit card numbers (PCI Compliance information), and individuals' health information. (See ChSCC IT Policy 08:14 Responsible Use and 08:15 Security Incident Response for reportable situation requirements based on TBR Policy B-080, 08:20 Red Flag and Identity Theft Prevention Program, and PCI Questionnaire Section C9 (9.7.1).)
Data Security, Management, Retention, and Disposition Requirements:
ChSCC departments should not use, store, or display confidential data, identifying data, sensitive personal data, or PCI protected data, including Social Security Numbers (i.e., SSNs) unless required by law and then only within the requirements of this policy and federal/State/TBR policies. These types of data should not be stored on a PC or Laptop, unless at least one of the following security recommendations is met. (See PCI Questionnaire Section C 3.2)
- The data is only stored on an encrypted hard drive.
- The data is not stored on the PC or laptop, but stored on a server located in a secure area, that is protected for the required level of data access.
- The data is stored on an encrypted removable drive such as an encrypted USB flash drive that is secured when not in use.
- The data is not stored on the PC or laptop, but stored on a removable disk or drive that is locked in a secure container when not in use.
Requesting Banner Confidential/Protected Data Access for Staff or Faculty:
Only the specified owners of Confidential/Protected data can authorize access to the data under their control. A process is in place to handle requests for access and subsequent authorization, including requests for report data. If you have an employee that requires access to Banner Confidential/Protected data, refer to ChSCC IT Policy 08:17 Computer Access. In order to ensure employees only have the access that is needed to perform current job duties, if an employee changes jobs within ChSCC, the current access of that employee will be disabled, and new access requests are required. Please notify the Computer Center when changes occur. (See PCI Questionnaire Section C 9.2)
User's Responsibility to Protect the Data:
- The best way to ensure data is kept secure is the user's dedication to protecting that data. Users should collect, distribute, and retain only the minimal amount of personal and protected data that is related to their business needs and/or assigned tasks. Users must delete personal and protected information when there is no longer a business need for its retention. When personal or protected data must be included in the distribution of data, include notification of that fact, including reference to this policy. Always comply with existing College policies/standards regarding the handling of Confidential/Protected data (e.g., do not leave data exposed on desks or on computer screens left unattended; properly store and/or dispose of data, etc.). (Refer to ChSCC IT Policy 08.14 Responsible Use, ChSCC IT Policy 08:15 Security Incident Response, ChSCC IT Policy 08:20 Red Flag and Identity Theft Program, and PCI Questionnaire Section C 9.7a and B, and 9.9)
Supervisor's Responsibility to Protect the Data:
- Supervisors have a special duty to protect ChSCC data: request staff access to personal and protected data only as needed to perform assigned duties. Review access lists on a periodic basis and, if someone changes jobs or their requirement for access to protected data otherwise changes, ensure the Computer Center is notified so that access authorizations can be kept up to date. Design reports, database systems, etc., so that personal and protected information can be identified. Be aware of who is working with protected data and ensure that unauthorized individuals do not have access to the data. Be prepared to supply the information needed (e.g., name, address, email) and to notify impacted individuals if a data security breach occurs. (See ChSCC IT Policy 08:15 Security Incident Response)
Confidential/Protected Data Requirements:
- This type of data requires that an audit trail be in effect that monitors access and modification, and is appropriately backed up to allow for recovery. Data stored on servers maintained by Computer Services will be backed up based on customer requirements documented on the Service Level Agreement. Data transmitted over any communication network shall be transmitted in encrypted form or other appropriate and equally secure method. This level of data will only be accessible on the WWW with the permission of the appropriate College data custodian. WWW access to such data shall be secured in a manner that is commensurate with the classification and confidentiality of the data contained on the page/publication. (See PCI Questionnaire Section C 9.7.2)
- Passwords are required on all computer systems (e.g., desktops, laptops, PDAs, etc.) in which Confidential or Protected data is stored or maintained, or which have access to College networks. (See ChSCC IT Policy 08.13 Computer Passwords.) Appropriate hardware and software security (e.g., cable lockdowns, password access control, data compression and encryption, audit log of access, updates, etc.) shall be placed on all microcomputers/PCs and transportable computers which have Confidential/Protected data stored in them (i.e., on the local drive).
Outside ChSCC access:
- Vendors, contractors, consultants and external auditors needing access to College data must read and acknowledge in writing that their firm has read, understood and will comply with all College data and computing guidelines/standards. Vendors will be assigned a ChSCC escort as needed by the department requiring the access.
Computer System and Resource Security Requirements before Installation:
- Computer system and resource security requirements, or a documented, equivalent compensating control, shall be documented and implemented in accordance with ChSCC Information Technology Policies. Specific controls required to be in place before a system, application, tool, etc., is considered ready to be installed as production include:
- All vendor-supplied default passwords are changed before any computer or communications system, printer, copier, fax machine or other equipment is used for College related business. (See ChSCC IT Policy 08.13 Computer Passwords and PCI Questionnaire Section C 2.1)
- Authorized user logon IDs/operator IDs on administrative and research computer systems are deactivated, or an authorized user's access connection is immediately terminated, if the authorized user does not provide a correct password after five (5) consecutive attempts. (See ChSCC IT Policy 08.13 Computer Passwords for complete details.)
- Passwords or PINs used to protect access to College data are not hard-coded into software/source code developed by ChSCC staff or students. (See PCI Questionnaire Section C 3.2.3)
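The two code-level controls in the list above (lockout after five consecutive failed password attempts, and no credentials hard-coded in source) are easy to state and easy to get subtly wrong. The following is an added illustration, not code from ChSCC or from any of the referenced policies: a small login gate that loads its password verifier from an environment variable (a stand-in for a proper secret store; the variable name APP_ADMIN_VERIFIER is hypothetical) and refuses to start if it is absent, rather than falling back to a literal in the file. The failure counter resets on a successful login, which is what makes the threshold "consecutive" rather than cumulative.

```python
"""Added example: a login gate with (1) no hard-coded credential and
(2) account deactivation after five consecutive failed attempts.
Not part of the ChSCC policy or its referenced documents."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # the threshold stated in the policy
PBKDF2_ITERATIONS = 100_000  # work factor for the password verifier


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier with PBKDF2-HMAC-SHA256 (never store the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def load_verifier(env_var: str = "APP_ADMIN_VERIFIER", environ=None) -> tuple[bytes, bytes]:
    """Read 'salthex:keyhex' from the environment (hypothetical variable name;
    a real deployment would use a secret store).  Raising on a missing value
    keeps a developer from adding a hard-coded fallback 'just for testing'."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if not value or ":" not in value:
        raise RuntimeError(f"{env_var} is not set; a credential must not be hard-coded instead")
    salt_hex, key_hex = value.split(":", 1)
    return bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


class LoginGate:
    """Tracks consecutive failures per user ID and deactivates the ID at the threshold."""

    def __init__(self, salt: bytes, expected_key: bytes):
        self._salt = salt
        self._expected = expected_key
        self._failures: dict[str, int] = {}   # user id -> consecutive failed attempts
        self._disabled: set[str] = set()

    def is_disabled(self, user_id: str) -> bool:
        return user_id in self._disabled

    def attempt(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied', or 'disabled'.  A disabled ID stays disabled
        even when the correct password is later presented."""
        if self.is_disabled(user_id):
            return "disabled"
        presented = derive_verifier(password, self._salt)
        if hmac.compare_digest(presented, self._expected):   # constant-time comparison
            self._failures[user_id] = 0                      # success resets the streak
            return "ok"
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._disabled.add(user_id)
            return "disabled"
        return "denied"


def simulate(gate: LoginGate, user_id: str, passwords: list[str]) -> list[str]:
    """Replay a sequence of password guesses and return the outcome of each."""
    return [gate.attempt(user_id, p) for p in passwords]


if __name__ == "__main__":
    # Constructed demo values; a deployment would set APP_ADMIN_VERIFIER externally.
    demo_salt = b"constructed-demo-salt"
    os.environ.setdefault(
        "APP_ADMIN_VERIFIER",
        demo_salt.hex() + ":" + derive_verifier("correct horse", demo_salt).hex(),
    )
    salt, key = load_verifier()
    gate = LoginGate(salt, key)
    print(simulate(gate, "A00000001", ["x"] * 5 + ["correct horse"]))
    # expected: ['denied', 'denied', 'denied', 'denied', 'disabled', 'disabled']
```

The reset on success is deliberate: a user who mistypes twice, logs in, and mistypes twice more has never reached five consecutive failures and should not be locked out. Deactivation is permanent in this gate because the policy says the ID is deactivated; reactivation is an administrative action handled elsewhere.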
Hardware Physical/Environmental Requirements:
- When technically and reasonably possible, workstations, personal computers, transportable computers and printers housed in unsecured public areas (e.g., student labs, libraries, etc.) should be physically secured, as needed to provide protection from theft and/or modification. All workstations and microcomputer/PC systems are outfitted with uninterruptible power supply (UPS) systems, electrical power filters, or surge suppressors, as appropriate, in order to prevent damage.
- Master copies of software, to the extent consistent with applicable licenses and laws, shall be stored in a safe and secure location (preferably off-site as at an Iron Mountain facility or something similar). These master copies shall not be used for ordinary business, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems.
- Proper disk maintenance practices are followed (e.g., clearly label diskettes; back up data, application and operating system diskettes; store away from extreme cold/heat; protect from dust, excessive moisture or water; keep away from magnetic devices including radios, telephones, keys, wall magnets, etc.). When disposing (e.g., recycling, salvaging, transferring ownership to another party, etc.) of microcomputer/PC hard disks, the hard disks should be wiped/degaussed to make the data irretrievable.
References: These Standards comply with and are based on the laws of the United States, State of Tennessee, Tennessee Board of Regents, and other regulatory agencies. This includes all applicable federal and state laws which govern the privacy, confidentiality, security and use of data, and the use and security of computer systems and data including:
Payment Card Industry (PCI) Compliance and Questionnaire
1. The Department of Education "Family Educational Rights and Privacy Act of 1974" (as amended), 34 CFR, Part 99
2. Tennessee Board of Regents Guideline B-090 Gramm-Leach-Bliley Act, Safeguarding of Customer's Nonpublic Financial Information
3. Tennessee Board of Regents Guideline G-070 Disposal of Records - RDA2161.
If this Guideline conflicts with federal or state statute, the applicable statute shall apply.
Additionally, other College Policies, Guidelines, Standards and/or campus procedures may impose certain restrictions that are not specifically covered by state and federal statute or
1. Chattanooga State Community College IT Policy 08.13 Computer Passwords
2. Chattanooga State Community College IT Policy 08:14 Responsible Use
3. Chattanooga State Community College IT Policy 08:15 Security Incident Response
4. Chattanooga State Community College IT Policy 08:17 Computer Access