The protection of the private information of Luther Seminary community members is of critical importance to the Office of Technology (OT). The three components below describe in broad terms how the institution is protecting that private information. In addition, this program ensures compliance with Title IV financial aid requirements for protecting student financial aid information.
Luther Seminary is taking three main approaches:
- Defining
- Protecting
- Educating
Defining
Through a data classification policy, Luther Seminary defines three types of data and how such data should be handled. These definitions provide a common language to describe the information that departments use in various ways. Those three types are:
- Public Data. This is information that is available to the general public. Examples include press releases, campus maps, and other information on public websites.
- Regulated Data. This is information that is protected or controlled by statutes, regulations, institutional policies or contractual language. Examples include student record information (protected by FERPA), credit card numbers (regulated by PCI-DSS), or financial records.
- Confidential Data. This is information that must be guarded due to proprietary, ethical or privacy considerations. Examples include alumni information, donor information, or research data.
Protecting
Servers on campus that are maintained by OT have multiple layers of protection because they sit within a secure campus network. With the growing use of cloud data storage, we need to keep in mind that regulated data should not be kept in cloud storage, with the exception of FERPA data in Luther Seminary’s Google Drive.
- FERPA data may be stored in Luther Seminary’s Google Drive.
- Social Security Numbers and Credit Card Numbers should never be stored in cloud storage or transmitted in email.
Additional activities relating to GLBA and FTC Safeguards compliance are maintained in internal documentation.
Multi-factor authentication with Duo gives user accounts an added layer of protection.
Educating
Faculty and staff are the best defense against a loss of data. They are also the most frequent targets of email phishing scams. People are no longer trying to break into organizations. They are trying to trick people into handing over their keys (i.e., their password). To learn more about phishing and cybersecurity, please read these previous blog posts:
- What Is Phishing?
- When At First You Succeed, Try and Try Again.
- Cybersecurity month, week 1: phishing
- Cybersecurity month, week 2, online safety tips
- Cybersecurity month, week 4, preventing identity theft
Working Remotely
Working remotely introduces more flexibility, but being farther from our colleagues also opens us to more risk. The need to verify unusual requests directly with the person by phone or video conference is increased.
Here are some general tip sheets from security experts on information security for remote work.
- Social Engineering Red Flags – what to watch out for in phishing emails and other scams
- Tips for working from home – not all apply to our systems but most are helpful
Training
To ensure all faculty and staff are aware of effective practices, Luther Seminary has subscribed to Data Security training from Curricula. Training faculty and staff ensures we remain compliant with the Title IV financial aid requirements for protecting student information. Training shall be sent to employees twice a calendar year along with follow-up phishing simulations. Employees can log in here.
Program Coordinator
This information security program is coordinated by Scott Krajewski, CIO, skrajewski001@luthersem.edu.
Updated: 12/27/2022