Responsibilities for Data Security

Information for security presentations

All WMU employees should attend and/or view the information security presentation, including full-time and part-time faculty, graduate assistants, staff, and student employees. Administrators are responsible to ensure that data of their department is kept secure according to the policies referenced below.

Best practices for information security

• Best practices apply to both electronic and paper records.
• Restricted/confidential information must be stored on departmental or University owned network servers that are backed up regularly. Secured servers can be accessed from both on and off campus through VPN.
• Restricted/confidential information stored on mobile computing devices, both University and personally owned, must be encrypted.
• All WMU and personally owned computers, which connect to WMU's network, must have anti-virus software where definition files are current and routinely updated in order to prevent damage or compromise to applications, data, files, and/or hardware.
• When conducting University business electronically via email, the WMU email system is the required means to maintain secure communications for message content.
• If you are using an IMAP email client (MacMail, Outlook, Thunderbird) which stores your messages locally, you must encrypt the hard drive on your device to assure that email data can not be breached.
• Email services, whether WMU email or other email systems, should not be used for document retention/storage. Use department provided secure shared file storage for retaining any and all University data. Contact your department IT professional for information on how to take advantage of the secured file storage.
• Use caution when opening email attachments for file types such as .ZIP or .EXE which are known to load malicious software that could compromise your system and data. DO NOT open attachments in an email message if you do not recognize the sender or if you were not expecting a message with such attachments.
• Faculty are required to store all current grades in the e-learning system and not on laptops or other mobile devices. Files containing grades from prior semesters should be encrypted and/or stored on University provided secure file servers.
• Faculty should have students turn in course work and access it through the e-learning system. If there is a need to keep electronic copies they should be encrypted and/or stored on secure servers.
• iClicker data that is collected during class sessions should be stored on encrypted devices or secure file servers.
• NEVER give Bronco NetID/password combination to anyone. The information technology Help Desk will never ask you for your password via an email message or over the phone.
• NEVER accept someone else’s Bronco NetID/password combination. Knowing someone else’s password may make you a person of interest in the event of a security incident.
• Do not use the same password for all systems, especially for encrypted files. The WMU password guidelines provide details on how to establish strong passwords.
• Delete old data, especially information that includes social security numbers. Paper copies should be shredded.
• Delete/redact individually identifiable information from all records when possible, including research files.
• Delete "temporary" files on your computer. These include file attachments opened in email and download files. If these files contain restricted/confidential information, they should be immediately removed or encrypted.
• Keep personal data separate from University data. Follow the same encryption standards for personal data.
• If you have access to protected health information, know and follow the special policies that apply.

Selective summary of key policies

• Restricted/confidential information is defined as individually identifiable information about students, faculty, staff, alumni, vendors, or others that WMU is required to keep confidential by law, policy, or contract. Examples include:
• Social security numbers and credit card numbers, stored electronically or on paper. Credit card numbers are subject to PCI rules.
• Research data that identifies people.
• Cognos downloads of student data or PeopleSoft staff data.
• All grade information tied to a student including individual assignment grades and final course grades.
• Student work, such as drafts of papers or thesis chapters.
• Restricted/confidential information should never be stored on a mobile computing device - personal or University owned - such as a laptop, portable hard drive, smartphone, USB key, DVD, or CD unless it is encrypted.
  
• Restricted/confidential information should be retained only as long as needed, especially information about current majors/minors or other student information. See records management and the University Record Retention Guide.
• When sending computing items to surplus sales, please be aware that hard drives must be securely wiped or destroyed (see University policy). Departments are responsible for cleaning all data including operating systems from computers and electronic equipment (i.e. copiers, fax machines, etc.) prior to being sent to surplus sales. However, surplus sales can facilitate the destruction of hard drives. Please refer to their site for additional information.

What happens if data are lost

• Notify the local police (off-campus) and WMU police (269) 387-5555 if a device is missing or stolen. Notify information technology at oit-security@wmich.edu. If it is a personally-owned device that contains University data follow these same procedures.
• Notify your college or department IT staff or LAN manager and/or the Help Desk (269) 387-4357, option 1 if your data becomes corrupted or inaccessible. 
• Having your data encrypted means if your device is lost, the data are less likely to be at risk.
• Information technology will follow the WMU information security incident response plan.
• Direct incident costs will be billed to the department responsible for the loss.

Know the University’s Policies on Information Security

• Office of Information Technology rules, guidelines and procedures

The most relevant policies are:

• Cloud computing
• Computing resources acceptable use policy
• Copyright and ethics
• Data classification
• Data wiping
• Ethical treatment of information resources
• Information security incident response
• Lost or stolen devices
• Mobile computing devices
• Network and Internet policies
• Password guidelines and policy
• Remote access

Other relevant policies:

• Confidential information policy for employees
• Health information policies
• Research policies

Questions?

• Contact your college or department LAN manager.
• Call the IT Help Desk at (269) 387-4357, option 1.
• Send email to oit-security@wmich.edu.

Document action

Updated: March 2017