300 User and Personal Information Security

301: Personal Information Privacy

Information Security Policies & Procedures Manual
Section 300: User and Personal Information Security
Effective: 01/11/2010

Purpose

The purpose of this policy is to establish clear guidelines for handling specific data elements which pose a risk of Identity Theft to our community members, should those data elements be compromised through unauthorized access due to a breach of security.  These data elements are generally used in conjunction with other information, such as full name, which may constitute enough information to establish credit or perpetrate other forms of fraud associated with Identity Theft.

Scope

This policy is applicable to all OSU community members including all employees, students, contractors, consultants, agents, and vendors working on OSU’s behalf.  It is applicable to all OSU Information Assets, regardless of form or media. It applies to information gathering, protection, use, processing, storage, communications, and transit.

Policy

Each element below merits extra protections beyond any baseline.

Social Security Number:   All access and use at Oregon State University of the Social Security Number is prohibited except where required to meet federal or state requirements, compliance, and reporting.

VISA/Credit Card Numbers:  All access and use at Oregon State University of VISA/Credit Card numbers shall meet Payment Card Industry (PCI) security standards, and any system handling these numbers shall have a responsible party of record who will be accountable to the Director of Business Affairs for ensuring compliance.

Bank Account Numbers:  All access and use of bank account numbers at Oregon State University is restricted to the following uses:

Business Affairs:
  - Processing direct deposit transactions, both incoming and outgoing
  - Processing wire transfers

Department Personnel:
  - Processing wire transfers. Paper copies of this data may be stored during the processing phase. They should be kept in a physically secure location with limited personnel access.  Departments are prohibited from storing electronic copies of this data.  Once verification of the transfer is complete, the paper copy should be redacted or destroyed through an approved OSU confidential document destruction method.

Driver’s License Numbers and/or National Identification Numbers:   All access and use at Oregon State University of state or national Driver’s License and/or National Identification Numbers for Oregon residents will be reported to the Chief Information Security Officer, and all reasonable precautions will be taken to ensure the integrity and confidentiality of this information.

Under no circumstances shall Social Security Numbers, VISA/Credit Card Numbers, Bank Account Numbers, or Driver’s License/National Identification Numbers be stored in a non-redacted form on any portable electronic media, including but not limited to laptops, flash drives, and CD-ROMs.

Procedures

Specific procedures for handling these elements will be defined by the Records Custodians for student records, employee data, and business transactions.

Responsibilities

All members of the OSU community have a responsibility to protect these elements and ensure that they are handled with the utmost care.  All efforts should be made to avoid the direct storage and use of these elements unless required by business need.

Records Custodians responsible for student records, employee data, or business transactions have a responsibility to ensure that business needs requiring the handling of these elements are limited to the employees required to handle this information, and that reasonable controls and precautions to protect these elements are in place.

302: User Specific Policies

Purpose

The purpose of this section is to outline existing OSU user-specific policies which fulfill OSU’s obligations under the OUS Information Security Policy.

Policies and Procedures

302-01 Acceptable Use Policy (AUP)

OSU maintains the Acceptable Use of University Computing Resources as part of the General Policies of the institution, with the official and current copy residing at http://oregonstate.edu/aup.htm.  As stated in the AUP, it applies to “all users of university computing resources, whether affiliated with the University or not, and to all use of those resources, whether on campus or from remote locations. Additional policies may apply to computing resources provided or operated by individual units of the University or to uses within specific units.”  Acknowledgement of this policy and agreement to abide by it are part of the account activation process for all central computer systems.

302-02 Security Sensitive Personnel

OSU maintains a policy regarding criminal background checks for Security Sensitive Personnel in compliance with Oregon Administrative Rules and as part of the Office of Human Resources Policy and Procedure Manual.

302-03 Account Management

OSU creates system accounts, referred to as OSU Network IDs (ONIDs), for general access to OSU centralized resources.  These accounts are generated and disabled programmatically based on information stored in the Student and Human Resources Information Systems about the person’s current status as an employee or student.  Accounts local to a specific system are defined by the department which manages that system.  In the case of the Banner Human Resources, Student, and Financial Information System, accounts are authorized and revoked in accordance with parameters set by the appropriate Records Custodian.