Administrative Information Systems Information and Data Security Manual

Administrative Information Policy

Administrative information is any data related to the business of being an Institution of Higher Learning. Jackson State recognizes administrative information to be a University resource which requires proper management in order to permit effective planning and decision making and to conduct business in a timely and effective manner.

Administrative information does not include library holdings or research or instructional notes unless they contain information which relates to a business function. Such functions include (but are not limited to) financial, personnel, student, alumni, communication, and physical resources data. It includes data maintained at the departmental and office level as well as centrally, regardless of the media on which it resides.

Jackson State retains ownership of all administrative information created or modified by its employees as part of their job functions.

Classification of Data

For security purposes, administrative information can be categorized into three levels of protection:

Confidential
      Information that requires a high level of protection due to the risk and magnitude of loss or harm that could result
      from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure
      could adversely affect the ability of the University to accomplish its mission as well as records about individuals
      requiring protection under the Family Educational Rights and Privacy Act of 1974 (FERPA) and data not
      releasable under the Freedom of Information Act.

Sensitive
      Information that requires some level of protection because its unauthorized disclosure, alteration, or destruction
      will cause perceivable damage to the University. It is assumed that all administrative output from the central
      computing facility is classified as sensitive unless otherwise indicated.

Unrestricted
      Information that can be made generally available both within and beyond the University.

Data Security Policy

Administrative information is one of Jackson State’s most valuable resources and requires responsible use by members of
the University community. Jackson State employees are charged with safeguarding the integrity, accuracy, and
confidentiality of this information as part of the condition of employment.

Employees are expected to act in a manner that will ensure the information which they are authorized to access is protected
from unauthorized access, unauthorized use, invalid changes, or destruction.

Access to administrative systems is granted to a particular individual based on the need to use specific data, as defined by
job duties, and subject to appropriate approval. As such, this access cannot be shared, transferred or delegated. Failure to
protect these resources may result in disciplinary measures being taken against the employee, up to and including termination.


Definition of Security

Information is secure only when its integrity can be maintained, its availability ensured, its confidentiality preserved, and its
access controlled. Security procedures protect information from unauthorized viewing, modification, dissemination, or
destruction and provide recovery mechanisms from accidental loss. The security of administrative information is the
responsibility of all people who are authorized to access it.


Introduction

The provisions of the Information and Data Security Manual detail the responsibilities of Jackson State employees in
maintaining the security of administrative information. These individuals are also subject to the policies contained in Using
Computing Resources at Jackson State University as well as guidelines specific to the information which they access. The
sections that follow define responsibilities, establish authorization, and provide guidelines to assist people in the handling
of this resource – information.


Employees

Definition:

The term “employee” is used in this manual in its most general sense to incorporate not only people paid by the University
for their work but also those who perform service for Jackson State and are granted access to administrative information.
The term as used here does not, in and of itself, confer any special status or relationship with the University and is not
intended to confer employee status. In addition to regular staff and faculty, the term employee includes temporary staff,
student employees, consultants, volunteers, and adjunct, emeritus, and visiting faculty.

Responsibilities:

Employees are responsible for the security of administrative data. While these guidelines provide examples of appropriate
care, they are not intended to be exhaustive of all activities that ensure this security. Staff are expected to evaluate their
actions with respect to the protection of administrative data and to act in a manner which is in the best interest of the
University.

Requests for access to electronic administrative information must be made using the appropriate forms in the
Administrative Information Systems Forms Package available from the department computer liaisons (Administrative
Information Coordinators or Department Computing Coordinators). Included on each form must be sufficient information
to determine why an employee needs the requested access and the signatures of required authorized administrators.

The following outlines the responsibilities of an employee:

    • Refrain from accessing and using information in unauthorized ways
      Employees who attempt unauthorized access to administrative computer access IDs are subject to disciplinary measures.
      Employees must not access microcomputers which have not been provided to them for their work without the express
      permission of their supervisor. They are also responsible for refraining from perusing administrative data not specifically
      provided to them for their work (even when it is left in an unprotected area) and from entering areas where
      administrative information is stored unless they are authorized to do so.
    • Follow procedures for storage of data
      Employees are required to follow departmental procedures which specify where administrative information is to be
      stored and the precautions associated with its storage. Such precautions include:

      • Securing copies of administrative information, such as microfiche and printouts, in file cabinets or desks.
      • Storing non-reproducible information in areas designed to safeguard it from unauthorized viewing and damage
        from natural cause.
      • Storing floppy disks in a locked file cabinet or desk. Disks with sensitive information must be locked in a cabinet
        with a non-standard key lock.
      • Regularly backing up locally maintained administrative information stored on disk to ensure that information is
        not lost in the event of disk failure.
      • Placing confidential data stored on a hard disk in a segment that is protected by an approved security program
        requiring an access password.
    • Follow procedures for dissemination of data
      Distribution of administrative information must be accomplished through approved procedures.
      • Safeguarding the dissemination of information by phone, fax or printed materials to those approved to receive the
        data by following departmental procedures that conform to the policies established by the Data Responsible
        Custodian for that data.
      • Transferring, via network, computerized copies of administrative data through approved University procedures.
        Copies transferred by floppy disk follow procedures for non-computerized dissemination.
    • Follow procedures for disposal of data
      Employees must adhere to departmental procedures specifying how administrative information is to be disposed of when
      it is no longer needed for business purposes.

      • Shredding or burning of paper or microfiche copies to ensure the security of the information.
      • Observing retention guidelines in selecting documents to be destroyed.
      • Erasing recording tapes (from Dictaphones or recorders); not just writing over them.
      • Properly discarding computer disks (hard disks and floppy) containing administrative information. Mac disks
        must be re-initialized. Other PC disks require a more sophisticated utility to remove access to the data.
    • Protect data from unauthorized access
      Keys and access cards that permit entry into storage facilities where confidential data is stored must not be loaned or left
      where others could use them to access the secure areas. Passwords are the key to accessing on-line administrative
      information.

      • Never share passwords, even with a supervisor.
      • Select passwords which are not obvious choices. Passwords other than family member names, nicknames, and
        words found in a dictionary make it more difficult for someone to discover a password (e.g. LQREFW or
        JK224L).
      • Never tape passwords to a wall, under a keyboard or in other easily discoverable areas.
      • Change passwords every 90 days even if a system does not force it.

In order to protect centrally maintained administrative information from unauthorized viewing, workstations must be
logged off to a point that requires a new log-on whenever employees leave their work area, except for specially designated
areas. All access IDs must be logged off whenever an employee leaves for the day. Employees must also follow policies
regarding the physical security of computer equipment.

Screens must be oriented to prevent unauthorized people from reading sensitive information. The location of the screen
must face away from any traffic areas.

    • Report any breach of security
      When there is an actual or suspected breach of security that might compromise administrative information, the incident
      must be reported immediately for investigation to the supervisor, the Information Security Officer, or the University
      Auditor.

Supervisors

Definition

The term “supervisor” is used in this manual in its most general sense to incorporate not only people whose job function is
defined to include supervision of staff but also to apply to people who informally direct the work of others. Such titles as
supervisor, manager, director, chairperson, department head, dean and vice president are used to formally denote
supervisors; however, many other positions are also supervisory.

Responsibilities:

It is the responsibility of supervisors to maintain a high level of security in the work place. Supervisors have a
responsibility to inform their staff of the proper manner of handling administrative information, to evaluate the
effectiveness of these procedures, and recommend changes to improve this security. In addition to the security
responsibilities applicable to all employees, supervisors have responsibilities regarding data security as outlined below:

    • Review access of their staff
      Staff with a need to access administrative information as determined by the chairperson/department head are to be issued
      keys, access cards, and/or combinations to areas where administrative information is maintained within the guidelines
      for access established by the chairperson/department head. Special locks which provide a higher level of security than
      those provided by furniture manufacturers can be obtained from Plant Operations and must be used to protect sensitive
      administrative information. Supervisors must review the physical access of their staff periodically (as defined by
      departmental procedures) at least annually since staff can assume different responsibilities within a department over time.

      Supervisors must review all requests by their staff for access to computerized administrative information. The requests
      must fall within the departmental guidelines of appropriate access to be approved. Supervisors must review the access of
      each staff member periodically.

      Supervisors are also responsible for providing copies of this policy and manual to consultants, temporary staff and other
      special employees and assisting them as needed to understand the policy.
    • Ensure that employees comply with security policies and procedures
      Supervisors should recognize and encourage staff who are particularly conscientious in the proper handling of
      administrative information. Supervisors must counsel staff who violate security procedures as outlined in the Employee
      section of this manual and are responsible for managing improvements in staff behavior. If violations continue, the
      problem must be resolved.
    • Monitor use to identify problems
      Supervisors must ensure that upon the conclusion of the work day staff have properly secured administrative
      information and must periodically observe the staff work areas for persons attempting to gain access to documents left
      unattended. Supervisors are also responsible for noting employees’ behavior that constitutes “browsing” through data
      beyond the needs of their positions.

      Reports of usage and other access information must be reviewed by supervisors to ensure that staff are properly using
      their access. Supervisors must report problems to the chairperson/department head and assist appropriate University
      personnel in the resolution of the problem.
    • Remove access when staff leaves the department
      Supervisors must ensure that staff who terminate their employment with the department return their physical access keys
      and cards on their last day of work in the department. Staff who are dismissed from the University must return their
      keys/cards at the time they are notified of their dismissal. If this does not occur, access cards must be immediately
      canceled and areas controlled by the outstanding keys must be reprogrammed.

      When an employee separates from the department voluntarily or by transferring, IT must be notified to close his/her
      access at the end of the employee’s last day in the department. However, when disciplinary measures are involved, the
      supervisor must report the dismissal to the Information Security Officer prior to meeting with the employee in order that
      the computer access can be canceled during the meeting.

Chairperson/Department Heads

Definition

The term “chairperson/department head” is used to denote the director of an administrative, academic or research unit
within the University. This person has full fiscal responsibility for the department including preparing budgets and
monitoring spending. A chairperson/department head reports directly to a senior administrator.

Responsibilities:

The chairperson/department head is responsible for establishing an environment of security awareness for the data handled
by the department. (S)he sets procedures related to the security of the data and supports these procedures by the distribution
of funds. Chairpersons/department heads must review office procedures at least on an annual basis and make updates to
respond to changes in technology and policies. Annual budgets should anticipate the need for funding of resources to
protect administrative information located in the department. In addition to the security responsibilities applicable to all
employees and supervisors, chairpersons/department heads have the following responsibilities regarding data security:

    • Translate policies into office procedures
      The Data Security and Administrative Information policies contained in this manual form the basis upon which office
      procedures are to be developed to protect administrative information. Procedures should ensure that access is provided
      based on information required to perform the assigned work. Practices that reflect handling of specific types or
      classifications of data should be included in office practices. Office procedures must address the following situations:

      • The transfer of non-electronic forms of administrative information must maintain a level of security which
        ensures that only people authorized to handle the data have access to it. Procedures must include specific
        measures to be taken to protect confidential information and to track the flow of data through the department and
        between sections within department (for instance, by means of logs).
      • Virus checkers must be installed on all microcomputers that maintain administrative information to protect the
        data from destruction or distortion.
      • Chairpersons/Department Heads must ensure that computer repairs are undertaken in a manner that protects the
        confidentiality of the data stored in the system. Whenever possible, the Jackson State University Computer Repair
        facilities must be used. If the equipment requires the use of outside repair facilities, the purchase contract for the
        work must include non-disclosure statements regarding information stored on the hard disk and within the
        system.
      • Networks within the department must be properly secured to prevent unauthorized access.

    • Provide resources to implement procedures
      • When non-electronic administrative information is no longer needed in the department, mechanisms that will
        ensure its proper disposal must be available. Confidential information must be shredded within the department or
        transported securely for shredding or burning at a proper facility.
      • Storage (temporary or permanent) of non-electronic forms of administrative information must safeguard against
        the information’s unauthorized viewing as well as loss due to accidents or acts of nature. The Chairperson/
        Department Head must provide for adequate storage facilities and locking devices to ensure this protection.
      • Sensitive or critical administrative information maintained locally on microcomputers must be kept within an
        electronic partition that requires a password to gain access. The chairperson/department head is responsible for
        ensuring that either funds are available for the purchase of software with this locking capability or that the
        information is not maintained on the hard disk.

    • Determine sensitivity of non-centralized data originating in the department
      The chairperson/department head must define the level of confidentiality of data originated within that department based
      on existing state and federal laws and the potential impact of that information’s loss on the business functioning of the
      University. Using the “need to know” guideline, (s)he is responsible for determining the dissemination of the data and
      for educating its users in the proper care of administrative information. Data which the chairperson/department head
      classifies as “unrestricted” must fall within the guidelines for release set by the office of University Relations before it is
      disseminated beyond Jackson State.

Data Responsible Custodians

Definition

The Data Responsible Custodians constitute a body of knowledgeable users who function as trustees of the University’s
administrative information. For each centrally maintained administrative application, a director or manager of a functional
unit (department) is assigned the authority for making decisions related to the development, maintenance, operation and
access of the application and the data associated with that business function.

The Data Responsible Custodians are
responsible for establishing guidelines for the management and protection of this data and for making recommendations to
improve the availability of this University resource. Each Data Responsible Custodian is responsible for a subset of
administrative information which (s)he protects in the following ways:

    • Maintain detailed knowledge of the data within their trust
      The Data Responsible Custodian is expected to be the person most familiar with the business functions to which the data
      applies, the structure and functioning of the database management system(s) in which the data resides, and the methods
      available for accessing the data. The Data Responsible Custodian must be thoroughly familiar with the data itself,
      including valid values and data transformations, and also be able to assist with an analysis of the impact of field changes
      and with applying data retention laws and practices.
    • Manage activity related to the business information
      The Data Responsible Custodian evaluates, approves, and prioritizes requests for changes to the business system(s) for
      which (s)he is responsible. In addition, (s)he will communicate to the Administrative Computing Committee any major
      changes in business practices which would seriously impact the system’s ability to continue to provide necessary service.

      In conjunction with his/her counterparts and staff of Information Technology, the Data Responsible Custodians develop
      recommendations for the Administrative Computing Committee regarding policies and procedures to manage business
      information. This group also coordinates planning activity related to the business needs of the various functional areas.

      Data Responsible Custodians, with the recommendations of Computing and Information staff, assist the Administrative
      Computing Committee with the development of long range administrative computing goals and with the translation of
      these goals into schedules for application replacement or major overhaul along with recommendations for specialized
      hardware to support these changes.
    • Develop guidelines for requesting access
      Using their familiarity with the data elements, the Data Responsible Custodians translate job responsibilities into access
      capabilities to assist supervisors in developing guidelines for employees’ access to data. These guidelines must reflect
      any state or federal laws governing the dissemination of the information in their trust.
    • Review requests for access to administrative information
      All requests for access to the data entrusted to a Data Responsible Custodian, both on-line and through batch, will be
      reviewed and (1) approved, (2) modified or (3) denied in keeping with the established guidelines and general security
      practices. Data Responsible Custodians (or their delegates) will assign access based on the specific data which is
      required for an employee to do his/her job.
    • Define the sensitivity of the data
      Each Data Responsible Custodian is responsible for identifying data elements or combinations of data elements within
      his/her trust that must be handled with a high level of protection and designated as “confidential” either because of state
      or federal laws governing the data or because it is determined by the DRA that it is in the University’s best interest to
      afford the information special protection. All other data elements will be assumed to be classified as “sensitive” unless
      specifically designated as “public” by the Data Responsible Custodian. This classification will be used to define the
      proper handling of information in an employee’s use.
    • Develop guidelines for proper handling of administrative information
      The Data Responsible Custodians will develop and maintain guidelines regarding the creation, viewing, modification,
      storage, transmittal and disposal of administrative information based on the level of sensitivity of the data. Where state
      or federal laws dictate the special handling of certain data, the Data Responsible Custodian entrusted with the
      information will ensure that the exceptions are included in the guidelines.
    • Review usage information
      For those systems for which information on system usage is available, the Data Responsible Custodian is responsible for
      reviewing usage reports promptly to detect potential misuse of access, identify employees who may need additional
      training in the use of the data, extract usage trends, and observe any abnormalities that may indicate data or access
      problems. The Data Responsible Custodian works with the Information Security Officer to clarify and correct any
      problems noted.
    • Assist in developing standardized security practices
      The Data Responsible Custodians assist the Information Security Officer in developing consistent security practices
      throughout the University and educating employees in these practices. These practices will be documented in the
      security manual and reviewed periodically by the Data Responsible Custodians to ensure that they are appropriate in
      light of changes in the technology and direction of the University.
    • Assist with business resumption planning
      The Data Responsible Custodians, in conjunction with Information Technology staff, are responsible for developing and
      maintaining plans which would allow the business functions of the University to continue in the event of an interruption
      of service. These plans include not only the ability to recover centrally maintained software applications but also
      business functions that are resident within the business unit itself.

Administrative Computing Committee

Definition

The term “Administrative Computing Committee” (ADCC) refers to a group of senior officers who determine the direction
of and, ultimately, the policies associated with administrative computing. These officers include the President, the Vice
President for Information Technology and the Vice President for Finance or their designated representatives.

Responsibilities:

The Administrative Computing Committee has responsibility for ensuring the protection of Jackson State’s administrative
information, establishing policy and philosophies for information and data security, and assigning responsibilities to
various University employees to assist the Committee in these matters. Their responsibilities with respect to information
and security are:

    • Review and evaluate plans for administrative information systems
      The Administrative Computing Committee has the responsibility for the execution of all policies related to the
      management of business information. The ADCC, with the assistance of Data Responsible Custodians and Information
      Technology staff, will develop long range plans for administrative computing systems and set priorities to reflect the
      goals of the University. The ADCC will review, evaluate, and approve specific maintenance or replacement plans for
      administrative systems in keeping with the computing needs of the University and the availability of fiscal resources. It
      is also the responsibility of the ADCC to review and evaluate the progress of these plans.
    • Review and approve policies
      The Administrative Computing Committee is responsible for reviewing and approving the Information Policy and the
      Security Policy to ensure that these policies complement and adhere to the business philosophies of Jackson State. Any
      modifications to these policies must also be reviewed and approved by this committee.
    • Review security controls
      The Administrative Computing Committee reviews philosophies and general plans which control security and monitor
      use. This group oversees the protection of administrative information while maintaining the individual rights of
      employees, and sets priorities for security plans in relation to current and anticipated resources.
    • Provide the means to implement the policies
      In order for the policies to be effective, they need to be integrated into the work environment. The Administrative
      Computing Committee, through various procedures, facilitates the implementation of these policies. The committee is
      responsible for identifying sources of funding to implement policies and procedures as necessary.
    • Enforce policies
      In the event of a serious security breach, members of the Administrative Computing Committee will review reports and
      evidence (including the convening of a hearing if necessary) to determine culpability, define the exposure of the
      University from the breach, consider steps to decrease the exposure of the University from the breach, minimize the
      potential for a similar breach to occur in the future, and if appropriate, determine what disciplinary action will be taken
      toward the individual(s) involved.
    • Clarify and interpret the policies
      Questions related to the scope or implementation of the policies may be referred to the Administrative Computing
      Committee for resolution. Although the Data Responsible Custodians and the Information Security Officer are the
      primary contacts for these types of questions, members of the Administrative Computing Committee may be asked to
      review procedures as they relate to the business philosophies of the institution.
    • Ensure that policies remain current
      As technologies and practices evolve at Jackson State, the Administrative Computing Committee is responsible for
      ensuring that policies adequately protect the University. When policies need to be revised to meet changes, the
      Administrative Computing Committee will assign this responsibility to appropriate University staff.

Internal Auditors

Definition

“Internal auditor” is used in this manual to refer to the University Auditor and other members of the Internal Audit staff. It
is not applicable to auditors who are not employees of Jackson State. The internal auditors provide an objective and
independent perspective to the University on the security of its information resources.

Responsibilities:

In accordance with the University Auditor’s charter, Jackson State’s internal auditors are authorized inquiry-only access to
all administrative information and systems, and are responsible for assisting supervisors in the effective discharge of their
duties. In addition to being subject to information security policies applicable to other Jackson State employees, Jackson
State’s professionally certified internal auditors must adhere to auditing standards and ethics codes established by applicable
certifying groups. In exercising their duties relating to information security, internal auditors:

    • Evaluate compliance with information security policy and procedures within University departments during operational
      and administrative audits.
    • Evaluate the effectiveness of security procedures and other internal controls to limit access to administrative information
      appropriately, and identify and recommend improvements for areas of vulnerability.
    • Review audit trails provided by the application security systems to assess if activity is adequately documented to allow
      for errors or improprieties to be identified, traced to their source, and corrected.
    • Assist management in the investigation of suspected incidents of security breach or improper activity.
    • Provide advice on internal controls relevant to new systems being developed or being considered for purchase.

Computing Services and IT Staff

Responsibilities:

Computing Services and Information Technology (IT) staffs have the expertise and the responsibility to protect
administrative information residing on the University’s mainframe, network, and local servers and must use this expertise in
a responsible manner to ensure the integrity of the data and the availability of the information. Because of their greater
opportunity to access administrative information, IT staff and Computing Services staff have the following additional
responsibilities.

    • Adhere to the department’s non-disclosure agreement
      Every employee in IT and Computing Services must read and sign a non-disclosure statement as a condition of
      employment. Staff must follow the restrictions placed upon them by the agreement in addition to the policy on
      information security.
    • Maintain data and programs within established standards
      All data set names must conform to the naming conventions adopted by IT or Computing Services. Staff will not rename
      or create a data set with a name contrary to the standards to circumvent the security protecting these resources.
      Programs will be developed or modified following standards established by the department. Also, standardized
      mechanisms of documenting changes will be observed.
    • Provide security for computer systems
      Computing staff are responsible for following departmental procedures in regard to the physical protection of equipment
      in Jackson State’s computer system. This includes (but is not limited to) mainframes, microcomputers, workstations,
      servers, printers, external storage devices, modems and any other hardware components as well as the physical network
      that joins these machines. Where physical access is restricted by security devices, staff will not share their entry “key” or
      circumvent the security system. Visitors to a secure area where computer equipment is housed must be escorted by a
      departmental staff person who assumes, along with the visitor, responsibility for the physical and logical integrity of the
      machines during that period.

      As part of the safeguard of computer systems, regular backups will be produced to permit reconstruction of the system in
      the event of file or equipment damage. These backups will be stored at a different location from the systems equipment
      and off campus for critical business systems.

      System software will be applied/modified following the procedures defined by the vendor for the equipment on which it
      resides. Any “bugs” will be corrected as quickly as possible by the systems staff and, if appropriate, users will be advised
      of the potential inaccuracies which the error could cause.

      Administrative databases will be managed following acceptable standards including the review of available space to
      ensure that sufficient area exists, the inclusion of data value checks in data entry programs, the activation of usage
      reporting mechanisms, and the regular production and review of usage reports.

    • Assist with the development of long range plans
      Information Technology staff will assist the Data Responsible Custodians in the development of recommendations to the
      Administrative Computing Committee of long range administrative computing goals. They will also assist with the
      translation of these goals into schedules for application replacement or major overhaul as well as recommendations for
      specialized hardware to support these changes.
    • Training and consulting with departmental computing liaisons
      Departmental Network Administrators, Departmental Computing Coordinators, Administrative Information
      Coordinators and Data Responsible Custodians serve as liaisons between their departments and centralized computing
      services. IT and Computing Services provide special training to these staff to maintain their level of competence as
      technologies change. In addition, IT and Computing Services staff support computing liaisons’ efforts within their
      departments by responding to their questions and problems.
    • Assist with development of business resumption plans
      Information Technology staff, in conjunction with Data Responsible Custodians, will develop and maintain plans which
      would restore services to centrally managed hardware and application software systems in the event of an interruption of
      service. The plan will include information to assist in determining the sequence for restoring critical business
      applications.

Information Security Officer

Responsibilities

The Information Security Officer is responsible for establishing and monitoring procedures to ensure that Jackson State’s
administrative information is secure from unauthorized access, protected from inaccurate modification, and available to
authorized users in a timely manner to enable them to perform their work. Included in these responsibilities is the necessity
to be technically fluent with the various security systems used to protect data and to compensate, by the use of procedures,
for any shortcomings of these systems. Specifically the responsibilities include the following:

  • Develop and maintain effective security procedures
    The Information Security Officer is responsible for developing, in conjunction with the Data Responsible Custodians,
    procedures to implement the data security policies of the University. An important part of this task is to review all access
    reports and logs. The Information Security Officer will periodically make a system-wide review of access provided to
    users to ensure that the access is consistent with established guidelines for the system and that the guidelines provide the
    necessary access.

    As new or revised systems are introduced, the Information Security Officer works with the appropriate Data Responsible
    Custodian(s) to review and advise in the development of procedures to protect the information and to document the
    access. These procedures must include mechanisms for:

    • compensating for the inadequacies of the security system
    • reporting on the activity of the system
    • providing users access to the data
    • disseminating information to users on the appropriate handling of the data
    • destroying non-electronic versions of the information

For existing systems, the Information Security Officer, in conjunction with the Data Responsible Custodian(s) and the
appropriate development team, reviews current procedures to ascertain that they provide an adequate level of protection
and, as needed, makes recommendations to bring them into compliance with accepted standards of security.

If a breach occurs in a security system, the Information Security Officer will review the guidelines and procedures of the
system and, if necessary, recommend any changes to better protect the University’s data.

For systems that are delivered without a complete set of mechanisms for activity reporting, the Information Security Officer
will work with the appropriate development team to define the data to be retained and the manner of reporting.

    • Test and document administrative security systems
      Using standard testing procedures, the Information Security Officer is responsible for determining the scope of security
      provided by the various subsystems used at Jackson State to protect administrative information and to document these
      systems. Included in this documentation are any restrictions, anomalies, shortcomings, and exposures.
    • Consult on internal security issues
      The Information Security Officer is responsible for advising the Data Responsible Custodians, internal auditors, and
      senior management in regard to the technical functioning of the security subsystems of administrative systems. (S)he
      also consults with developers, systems support staff and users to ensure that adequate security features are
      included in new or modified administrative system software.
    • Prepare and maintain general security policies and guidelines
      The Information Security Officer is responsible for producing and maintaining the University’s data security policies
      subject to review and approval by the Data Responsible Custodians, the Administrative Computing Committee, and
      senior management at the University. Supporting documentation for these policies is developed by the Information
      Security Officer in conjunction with the Data Responsible Custodians and, as technologies and policies evolve, their
      contents are updated by the Information Security Officer.

      The Information Security Officer assists the Data Responsible Custodians in developing and maintaining guidelines for
      the proper handling and use of the administrative information in their domain. (S)he assists in disseminating these
      guidelines to the departments that use the data. The Information Security Officer can also assist
      Chairpersons/Department Heads in developing departmental procedures to implement the general guidelines established
      by the Data Responsible Custodians.
    • Provide assistance with security training
      The Information Security Officer is responsible for providing information for general security awareness training as well
      as specific education on the University’s security policies and the security manual. (S)he may also assist the
      chairperson/department head in preparing training materials for his/her staff on departmental security procedures. It is
      the responsibility of the Information Security Officer to assist in interpreting the policies with regard to specific
      situations that arise and to assist in educating users to be able to make decisions consistent with these policies.
    • Review the data access repository
      In order to determine the total access each user has to administrative data, the Information Security Officer is responsible
      for periodically reviewing the repository of information containing the privileges for each user across administrative
      systems. This review must ensure that users have the access they need to perform their work and that their overall access
      is in compliance with general guidelines of security.

Access ID Managers

Responsibilities

Access ID managers are Jackson State employees whose duties include the creation, deletion, or modification of access IDs
or the maintenance of tables of access IDs which control the ability to view or update administrative information. Because
of the scope of this capability, additional responsibilities are assigned to access ID managers as follows:

  • Maintain complete documentation for all changes
    Before any access ID or table is modified, written documentation must be completed that includes the original signatures
    of the access ID owner, his/her supervisor, and the appropriate Data Responsible Custodian(s). In special circumstances,
    electronic mail is permitted in lieu of a signed form; these exceptions will be reviewed and documented prior to
    implementation. Access ID managers are responsible for maintaining all forms of change documentation for audit purposes.

    Especially in cases where the Data Responsible Custodian also functions as the access ID manager, any changes to
    access IDs must be reviewed by the ISO prior to implementation.
  • Implement access defined by the Data Responsible Custodians
    Access ID managers must accurately transfer the access defined by the Data Responsible Custodians into the access ID
    definition. If the access definition is vague or inconsistent, the access ID manager will return the request to the appropriate
    Data Responsible Custodian for clarification.
  • Suspend access when employees terminate or transfer
    Using information provided by the Human Resources office, access ID managers will delete the IDs of employees who have
    separated from the University and will lock or delete the IDs of employees who transfer to other departments within
    Jackson State. When special arrangements have been made for an employee to have access beyond his/her last official
    day in the department, access ID managers will set an expiration date on the access ID (if the security system permits) or will
    maintain a “tickler” file to remind them to delete the access ID at the end of the extension period.

System Changes

    • Production System
      All changes that are proposed for the production environment must be approved by senior level management. Any
      individual or group who will be affected by these changes must be notified in writing prior to the changes being made.
      Changes must be made in the test environment and verified before they are placed into production. Application system
      changes must be approved by that system’s custodian and a member of the computer center’s staff before they are made.
      Once approved, these changes must be installed in the test environment and thoroughly tested by the computer center
      staff and the end user community before being placed into production.
    • Data Communications
      Proposed changes to the university’s network configuration must be approved by the computer center’s management
      before being made. All changes must first be made in the test environment, where they must be tested and verified as
      correct by the person requesting the change and by members of the IT staff. New VTAM definitions
      must be created for the modification, and changes must not be made to the production VTAMLST member. After the new
      definitions are tested and verified they may be placed into production. At this point the old definitions must be archived.

Appendix A – Definition of Terms

Access ID Manager:
An Access ID Manager is an employee whose duties include the creation, deletion, or modification of access IDs or
the maintenance of tables of access IDs which control access to administrative information.
Administrative Computing Committee:
The term “Administrative Computing Committee” refers to a group of senior officers who determine the direction
of and the policies associated with administrative computing. These officers include the President, the Vice
President for Information Technology and the Vice President for Finance or their designated representatives.
Administrative Information Coordinator:
The Administrative Information Coordinator is responsible for the timely and accurate processing of information
needed to run the University. The Coordinator represents his/her department in matters related to the
administrative production environment by meeting regularly throughout the year with administrative support staff
in IT.
Chairperson/Department Head:
The term “chairperson/department head” denotes the director of an administrative, academic or research unit
within the University. This person has full fiscal responsibility for the department including the preparation of a
budget and monitoring of spending. A chairperson/department head reports directly to a senior administrator.
Confidential data:
information that requires a high level of protection due to the risk and magnitude of loss or harm that could result
from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure
could adversely affect the ability of the University to accomplish its mission as well as records about individuals
requiring protection under the Family Educational Rights and Privacy Act of 1974 (FERPA) and data not
releasable under the Freedom of Information Act.
Data Responsible Custodian:
The Data Responsible Custodians constitute a body of knowledgeable users who function as trustees of the
University’s administrative information. For each centrally maintained administrative application, a director or
manager of a functional unit (department) is assigned the authority for making decisions related to the
development, maintenance, operation and access of the application and the data associated with that business
function.
Department Computing Coordinator:
The Department Computing Coordinator is a faculty, staff or graduate student assigned by a department to
provide individualized computer support in the department environment.
Departmental Network Administrator:
The Departmental Network Administrator is responsible for supporting the networking environment in his/her
department. Responsibilities include installing applications on a departmental server and providing first-level
support and trouble-shooting on network related questions.
Employee:
The term “employee” is used for the purpose of this statement to incorporate not only people paid by the
University for their work but also those who perform some service for Jackson State and are granted access to
administrative information. The term as used here does not, in and of itself, confer any special status or
relationship with the University and is not intended to confer employee status. In addition to regular staff and
faculty, the term employee includes temporary staff, student employees, consultants, and adjunct, emeritus, and
visiting faculty.
Internal Auditor:
The term “internal auditor” is used to refer to the University Auditor and other members of the Internal Audit
professional staff.
Information Security Officer:
The Information Security Officer is the person responsible for establishing and monitoring procedures to ensure
that Jackson State’s administrative information is secure from unauthorized access, protected from inaccurate
modification, and available to authorized users in a timely manner to enable them to perform their work.
Public data:
information that can be made generally available both within and beyond the University.
Security:
Information is secure only when its integrity can be maintained, its availability ensured, its confidentiality
preserved, and its access controlled.
Sensitive data:
information that requires some level of protection because its unauthorized disclosure, alteration, or destruction
will cause perceivable damage to the University.
Supervisor:
The term “supervisor” not only incorporates people whose job function is defined to include supervision of staff
but also applies to people who informally direct the work of others.

Appendix B – Alternate Classifications of Data

The classification schemes below provide alternative views to the classifications used for data security. The three
dimensions – function, scope and purpose – categorize data along continua in a form that will encourage its scalability in
a standard, consistent and accurate way. The goal of these classification schemes is to ensure the independence of data from
organizational structure and software application.

Functional Areas:

Functional area is defined as the primary University purpose served by the data. As such, it does not necessarily follow
organizational lines of authority. Due to extensive integration across functional units, functional classification may be
discretionary. Therefore a functional unit may be given authority for data that is shared by many other organizational units.
The functional area classifications are:

Student Data
Student data supports all phases of a student’s relationship with the University from application through alumni
status, except as noted elsewhere. This includes (but is not restricted to) demographic data, academic records,
disciplinary and medical records, course information, admissions data, financial and non-financial student data,
and development information.
Financial Data
Financial data supports the management of fiscal resources of the University and includes accounting, budgeting,
accounts payable, accounts receivable, loans, investments, capital assets, and payroll information.
Human Resources Data
Human resource data supports the management of employee resources of the University, including all types of
information related to employees as defined previously. This data includes employee demographics, retirement
and EEO data, vita, employee evaluations, promotion and disciplinary data.
Business Affairs Data
Business affairs data supports the auxiliary and related enterprises of the University such as retail sales, central
supplies, graphic services, and telecommunications.
Facilities Data
Facilities data supports the facilities and services resources of the University, including space planning data;
construction, maintenance and operational data; reservations; and physical descriptive information.
Material Data
Material data provides information for all aspects of equipment, furniture, and expendable materials resources
(e.g. inventory and purchasing information).
External Relations Data
External relations data supports activities which interface between the University and the rest of the community.
This includes ticketing, publications, and public information.

 

Scope:

The scope of data is defined as the breadth of its impact on the University’s mission or the range of its reach within the
University. The following categories define the scope of data:

University wide
This data provides support to and meets the needs of essentially all units of the University. Examples of this type
of data include many of the elements supporting financial management, payroll, personnel management, and
capital equipment inventory.
Inter-departmental
This data provides support to and meets the needs of more than one University unit. This information, while less
important for the operation of the entire University, is still critical to a broad cross-section of the school. Such
data elements as those supporting admittance of students, student records, financial aid, and loans are examples of
this type of data.
Intra-departmental
This data provides support for a single functional unit or department or is relatively narrow in terms of the impact
on the University. Despite its limited range, it is considered essential to the business function it supports.
Independent
This data is limited to a single user or a few individuals within a department who perform similar tasks.

Purpose:

The purpose of the data is defined as the role played by the data element in serving the University. This classification
implies a hierarchy with operational at the lowest level, management at the middle, and strategic at the highest. While
described as individual entities, in practice, much data falls across several categories and where that occurs, it has been
classified at the higher level.

Operational
This type of data element is the basis of record-at-a-time, transaction driven applications. This category refers to
the raw, elementary data elements from which synthesis and analysis can occur.
Management
This type of data is the summary and control information often derived from the operational data. It is used to
make decisions regarding the University’s routine operations and, in general, is predictable and foreseeable.
Strategic
This type of data provides the basis for strategic planning and decision support. Often the complexion and nature
of this data is not predictable until the planning process is initiated or a problem formulated. Modeling, data
concatenation, and advanced data analysis techniques are used to produce this type of data.