The protection of the private information of Augsburg community members is of critical importance to the IT Department.  The three components below describe in broad terms how the institution is protecting that private information.  In addition, this program ensures compliance with Title IV financial aid requirements for protecting student financial aid information.

Augsburg is taking three main approaches

1. Defining
2. Protecting
3. Educating

Defining

Through a data classification policy Augsburg has defined three types of data and how such data should be handled.  These definitions provide a common language to describe the information used by departments in various ways.  Those three types are

1. Public Data.  This is information that is available to the general public.  Examples include press releases, campus maps, and other information on public websites.
2. Regulated Data. This is information that is protected or controlled by statutes, regulations, institutional polices or contractual language. Examples include student record information (protected by FERPA), credit card numbers (regulated by PCI-DSS), or financial records.
3. Confidential Data. This is information that must be guarded due to proprietary, ethical or privacy considerations.  Examples include Alumni information, donor information, or research data.

Protecting

Servers found on campus which are maintained by the IT Department have multiple layers of protection from being within a secure campus network.  With the growing use of cloud data storage we need to keep in mind that data that is considered regulated should not be kept in cloud storage, with the exception of FERPA data in Augsburg’s Google Drive.

• FERPA data may be stored in Augsburg’s Google Drive.
• Social Security Numbers and Credit Card Numbers should never be stored in cloud storage.

Utilizing multi-factor authentication with Duo, user accounts have an added layer of protection.

Educating

Faculty and staff are the best defense against preventing a loss of data. They are also the most frequent targets through email phishing scams. People are no longer trying to break into organizations. They are trying to trick people into handing over their keys (i.e. their password). To learn more about phishing, please read these two IT blog posts on the subject:

• What Is Phishing?
• When At First You Succeed, Try and Try Again.

To ensure all faculty and staff are aware of effective practices Augsburg has subscribed to Data Security training from the SANS Institute (powered by the Litmos platform).  Training faculty and staff ensures we remain compliant with the Title IV financial aid requirements for protecting student information.  Training shall be sent to employees twice a year with a phishing simulation follow-up.

Program Coordinator

This information security program is coordinated by Scott Krajewski, CIO, krajewsk@augsburg.edu.

Revision History

Revision	Change	Date
1.0	Original Version	8/24/2017
1.1	Annual review	1/17/2023