Student Data Protection Policy
Students and their parents entrust Shaw University with their personal information with the expectation that this information will be used by the University to serve the needs of the students effectively and efficiently. Shaw University’s Office of Information Technology (OIT) appreciates the importance of protecting student personal information and is engaged in a number of on-going initiatives in the area of data security. Student record data contained in our administrative databases (Jenzabar and PoweFaids) are maintained strictly on Shaw University owned-and-operated computers and experiences the same high degree of safeguarding as does all of our institutional data.
II. Regulatory Guidelines
Shaw University follows federal, state and the University’s information security guidelines to protect the integrity, security, and confidentiality of data and/or information stored on University computing systems. All students are expected to review and follow the Shaw University Policy On Responsible and Ethical Use of Computer Technology (pp. 72-75) and the Social Media Policy (pp. 107-110) of the Student Handbook
(2017-2020, revised November 2016.
III. Operating Systems & Database Access Controls
All security-related events impacting Shaw University’s mission-critical servers are logged, and Operating System privileges are carefully administered and granted to as few people as necessary to support/maintain the system. The OIT staff is authorized to manage the implementation of Identification Controls, Authentication Controls, Access Controls, and Secure Configurations and Authorized Services (i.e. web, portals, email). Shaw University´s current Student Information System (SIS) offers layered security through a combination of in-house and vendor applications with access restrictions based strictly on administrative/academic need. Only authorized users have access to sensitive data in Jenzabar, which is the primary SIS, based on their assigned role.
Jenzabar runs on SQL server, which provides industry-leading security including role based-and-row level security, fine-grained auditing, and transparent data encryption.
Additionally, the university has implemented several security measures such as firewall and intrusion-detection systems, including in-house security systems, to protect the University’s digital assets. User IDs, passwords, and access restrictions will only be assigned to appropriate individuals who need to access student data on Jenzabar and Powerfaids.
IV. Password Protection
Another security initiative undertaken was to require that students, faculty, and staff present proper identification in order to have their password reset when required. This policy was put in place for two reasons: (1) recent internal/external control audits were requiring improved password security procedures. The second, and overriding reason, was the firm belief that passwords protect the security of our work and prevent unauthorized access to our accounts. All passwords granting access to Shaw University´s networks and systems, including Jenzabar, are required to be changed every 60 days. The University´s security policy requires training for anyone such as Jenzabar Module Manages, and Module Users who accesses student records. These trainings are provided by OIT staff, Jenzabar System Administrator, PowerFaids system Administrator and outside consultants.
In order to protect student data and digital identity, the Office of Information Technology (OIT) strongly promotes and communicates to all users the importance of two-step authentication and creation of strong passwords for accessing any Google/cloud-computing applications. Students are expected to immediately report any fraudulent use of their Shaw University credentials to the OIT; OIT will take necessary steps to rectify the situation and ensure the continued security of student data. The OIT strongly encourages students to report any spam or phishing received via email and to refrain from opening such emails and/or external links within them.
V. Disaster Recovery/Backup
Administrative databases containing student records are backed up nightly by Information Technology services (ITS) the backup data are stored on-campus and off-site for disaster recovery purposes. To further help reduce IT vulnerabilities, Information Technology Services (ITS) staff has been engaged in updating the department´s Contingency Recovery Plan. The plan provides a blueprint for the continuation of IT critical functions in the event of disruptions, the protection of sensitive data, and the restoration of normal operations.
VI. Network Security
A secure network provides the foundation for an overwhelming amount of the work of Shaw University’s faculty, students, and staff. A secure network is also a critical link among alumni, parents, and other constituents. OIT, Campus Network Security Administrator, and other IT staff have forged a strong partnership to help stem the rising tide of digital security problems through well-targeted educational/awareness efforts, trainings, streamlined remediation of compromised machines, and leading-edge network applications that provide technical barriers. Projects including firewalls, intrusion prevention and detection systems, vulnerability and application scanning, endpoint compliance, access control lists, access control, and encrypted wireless have been implemented and are continuously maintained in order to reduce security problems and enhance the protection and reliability of the University´s network.
VII. Policy Revisions
This policy is reviewed annually and revised as needed in order to comply with federal and state regulations and ensure that all user data is protected adequately.
Originally approved August 2004
Reviewed annually by OIT
Revised February 2011
Revised November 2017