Information Security Policy

I. Introduction

Information is critical to the College’s teaching, learning and research mission, and to the administrative functions that support that mission. All members of the College community are responsible for protecting the security, confidentiality, integrity and availability of information against unauthorized access, use or disclosure in accordance with the requirements set forth in this policy. This policy applies to all College activities, whether on campus or off, and to all information regardless of the medium in which it is stored (paper, electronic, etc.).

II. Information Security and Assurance Requirements

The College grants to assigned individuals the reasonable and appropriate, minimum access to information necessary to accomplish their institutional or pedagogical goals. All members of the College community are responsible for protecting the security, confidentiality, integrity and availability of information entrusted to them against unauthorized access, use or disclosure in accordance with the following requirements:

A.  Basic Requirements

  1. Be familiar with and follow the requirements of the Responsible Use of Technology Policy.

  2. Treat credentials for access to College systems as confidential. Such credentials are non-transferable.

  3. When possible, use strong passwords to access College systems and to secure personal computers.

  4. Do not write down passwords where they are easily accessible to others.

  5. Never share usernames and/or passwords, including your own.

  6. Do not save passwords that access College systems on public computers.

  7. Lock or log out of your computer when you are finished working, or any time you leave your computer.

  8. Do not download e-mail attachments from unknown senders.

  9. Be cautious about downloading or installing computer programs or software. If you have questions about the software, consult with IT.

  10. When prompted by IT, complete the general Information Security Awareness training course.

B.  Additional Requirements for Protecting Confidential Information

  1. Do not access Confidential Information unless you have been authorized as part of your job to have access and you have a legitimate need to know that information.

  2. Do not share Confidential Information (by email or other means) except when such sharing is in full compliance with all College policies, and only with those who have a legitimate need to know that information. Confidential Information may only be disclosed to third parties in full compliance with applicable law (for instance when a registrar responds to a written transcript request from a student, in response to a legally issued subpoena, or a professor shares general information from educational records of a student in a letter of recommendation requested by the student) or pursuant to a contract approved by the general counsel of the College wherein the third party is required to implement and maintain College approved safeguards.

  3. Do not post Confidential Information on a publicly accessible computer or website.

  4. Do not leave paper documents containing Confidential Information where they are accessible to others. Such documents should be stored in a secure or locked suite, office, desk, or file cabinet.

  5. When possible, Confidential Information should be emailed in an encrypted format, especially when exchanging information externally.

  6. Do not fax Confidential Information unless no other options exist.

  7. If you are unsure whether you are authorized to access, share, transmit or otherwise use Confidential Information, ask your supervisor or contact the College (CAS) Registrar’s Office (503-768-733), the Graduate Registrar’s Office (503-768-6030), the Law Registrar’s Office (503-768-6614), the Office of General Counsel (503-768-7691), or the Information Security Officer (503-768-7226).

  8. When prompted by IT, complete the business specific Information Security Awareness training course.

C.  Additional Best Practices for Mobile Devices and Off-campus Computing

Mobile devices, as defined below, pose an increased security risk due to their portability. Employees must take extra care to secure such devices, particularly when traveling. Take the following steps in order to minimize the risk of theft or loss of data:

  1. Secure mobile devices out of sight, in a locked room, office or drawer, or use a locking cable where possible.

  2. If accessing College data using mobile devices, secure them with a strong password and follow mobile security best practices on the Information Security Awareness website.

  3. Report all lost or stolen mobile devices to the Information Security Officer at 503-768-7226.

Employees who work from off-campus locations or those who travel out of the country should take additional steps to protect information. Contact Information Technology and see the tips for traveling abroad on the Information Security Awareness website for additional information and requirements for off-campus computing.

D.  Reporting Potential Information Security Breaches

Immediately report potential information security breaches, or evidence of potential illegal activity, to the Information Security Officer at 503-768-7226, and to your immediate supervisor. Suspected breaches of any system, or inappropriate disclosure of Confidential Information, must be reported directly to the Chief Information Officer at 503-768-7227.

III. Definitions

A.  Information means facts, records, results of academic discoveries, inventions and/or proprietary institutional data that is collected, generated, analyzed, and shared in the course of College business or activities.

B.  Information Security and Assurance means that information required to carry out College activities is preserved accurately for day-to-day use and is available to those who need it, and that Confidential Information is protected against inappropriate access, use or disclosure.

C.  Confidential Information refers to all information collected by, shared with, or reported to the College in the course of its business or activity that is protected by local, state or federal law or that the College is contractually obligated to protect. In addition, the College may designate information as confidential. Confidential Information includes but is not limited to:

  • Personal Identifying Information (PII) as defined by the State of Oregon is a person’s name in combination with a Social Security number, Oregon driver license number or Oregon identification card number, passport number, financial account or credit or debit card numbers along with security or access codes or password that would provide access to a financial account;

  • Financial information as specified by the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLB);

  • Protected Health Information (PHI) as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH);

  • Education records of students as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA);

  • Human subject research data which falls under the jurisdiction of the College’s Institutional Review Board (IRB);

  • Confidential medical records used to provide an employee with a reasonable accommodation under the Americans with Disabilities Act of 1990 (ADA);

  • Payroll records or employment and/or personnel information (such as health or disability information, disciplinary or grievance information, annual review information);

  • Controlled information or technology pursuant to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) that does not fall under the Fundamental Research Exclusion or other exclusions to ITAR/EAR; and

  • Payment card data (such as credit/debit card numbers, security codes or PINs) covered by the Payment Card Industry (PCI) standards.

D.  Mobile Device means an electronic device that is easily transportable and capable of accessing, storing, or transmitting information. Some examples include laptop computers, tablets, mobile phones, and portable storage devices.

E.  College Systems include College-owned or controlled computing networks, software, databases, services, facilities or other computing devices.

Approval Date

Approved by Executive Council: January 10, 2018