Category: Fiscal & Administrative Policies, Personnel                                                                

Title: Information Security Plan

Table of Contents

Table of Contents

PURPOSE AND SCOPE

AUTHORITY AND RESPONSIBILITY

POLICY AND PROCEDURES

Identification and Assessment of Risks to Customer Information

Data Classification

Design and Implementation of Safeguards Program

Employee Management and Training

Physical Security

Information Systems

Selection of Appropriate Service Providers

General Security Considerations

End-User Devices (Workstations, Laptops, Tablets, Mobile Devices, etc)

Best Practices for Endpoint Health and Protection:

Anti-Virus

Digital Information Data Backup

Software Licenses

Server

Passwords

Destruction and Disposal of Information and Devices

Employee Training and Management

Sensitive Data Protection

Release of NMI Data to Third Parties

Privacy Statement

Family Educational Rights and Privacy Act (FERPA) Notification of Rights

Incident Reporting

Incident Response

Individual Procedures

Student ID Cards

Student Financial Information

Application & Enrollment Documents

Student Academic Records

Disciplinary Action Records

Confidentiality Statement

Violations

IMPLEMENTATION

CONTINUING EVALUATION AND ADJUSTMENT

PURPOSE AND SCOPE

This Information Security Plan describes how the National Midwifery Institute (NMI) safeguards to protect data, information, and resources. These safeguards are provided to:

• Make reasonable efforts to ensure the security and confidentiality of covered data, information, and resources;
• protect against anticipated threats or hazards to the security or integrity of such information; and
• protect against unauthorized access to or use of covered data, information, and resources that could result in substantial harm or inconvenience to any customer.

This Information Security Plan also provides for mechanisms to:

• Identify and assess the risks that may threaten covered data, information, and resources maintained by the school;
• manage and control these risks;
• implement and review the plan; and
• adjust the plan to reflect changes in technology, the sensitivity of covered data, information and resources, and internal or external threats to information security.

AUTHORITY AND RESPONSIBILITY

The Director of Operations & Administration is the coordinator of this plan with significant input from the Executive Director. These individuals are responsible for assessing the risks associated with unauthorized transfers of covered data, information, and resources. They are also responsible for implementing procedures to minimize those risks to the school and/or conducting audits of this plan on a periodic basis.

POLICY AND PROCEDURES

Identification and Assessment of Risks to Customer Information

NMI recognizes that it has both internal and external risks. These risks include, but are not limited to:

• Unauthorized access of covered data, information, and resources by someone other than the owner of the covered data, information, and resources;
• compromised system security as a result of system access by an unauthorized person;
• interception of data during transmission;
• loss of data integrity;
• physical loss of data in a disaster;
• errors introduced into the system;
• corruption of data or systems;
• unauthorized access or distribution of covered data, information, and resources by employees, students, affiliates, or other constituencies;
• unauthorized requests for covered data, information, and resources;
• unauthorized access through hardcopy files or reports; and
• unauthorized transfer of covered data, information, and resources through third parties.

NMI recognizes that this may not be a complete list of the risks associated with the protection of covered data, information, and resources. Since technology is not static, new risks are created regularly. Accordingly, NMI staff will monitor industry sources and advisory groups such as the Educause Security Institute, the Internet2 Security Working Group, and SANS for identification of new risks.

NMI believes current safeguards are reasonable and, in light of current risk assessments, are in line with common practices to provide security and confidentiality to covered data, information, and resources maintained by the school. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information. However, NMI cannot guarantee the unequivocal security of covered data, information, and resources given the evolving and ever-changing state of IT environments and threats thereto.

Data Classification

There are varying levels or classifications of data stored at and by NMI. Table 1 below describes these classes.

Table 1: Classes of Data at NMI

Design and Implementation of Safeguards Program

Employee Management and Training

References for any new employee of NMI are checked. Additionally, criminal background checks are conducted on all employees of the school working with sensitive data.

During employee orientation, each new employee that regularly works with covered data, information, and resources will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data, information, and resources. Each new employee must complete FERPA 201: Data Sharing under FERPA training.

Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, and how to properly dispose of documents that contain covered data, information, and resources.

Each employee is responsible for maintaining covered data, information, and resources and is instructed to take steps to protect the information from destruction, loss, or damage due to environmental hazards, such as fire and water damage or technical failures. Further, the  Acceptable  Use  Policy,  which  is  provided  to  all  employees,  states   that  a  violation  of  security  policies  may  result  in  separation  of  employment  and/or  legal   action.  

Physical Security

NMI does not have a physical office and keeps all records online. Files have been scanned and saved into Google Drive, and paper documents have been shredded.

When NMI staff are working in their home offices or other locations, confidential information is kept out of sight from non-authorized personnel. We have utilized security settings within our Google for Education account (drive for file storage, gmail for email, etc) that require all employees to login every 4 hours, whether they are active or not. This reduces the risk of sensitive information being compromised.

Information Systems

Access to covered data, information, and resources via the school’s database is limited to those employees who have a business reason to know such information. Each employee is assigned a set of unique credentials. Databases containing personal covered data, information, and resources including, but not limited to, accounts, balances, and transactional information are available only to NMI employees in appropriate positions.

NMI will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data, information, and resources are secure and to safeguard the integrity of records in storage and transmission. Authentication is required of users before they can access school protected data.

When reasonable, encryption technology will be utilized for both storage and transmission. All covered data, information, and resources will be maintained on NMI’s Google Workspace for Education Shared Drive.

Management of Systems Failures and Compromises

NMI has developed written plans and procedures to detect actual or attempted attacks on NMI systems and has Incidence Response plans in place which outline procedures for responding to an actual or attempted unauthorized access to covered data, information, and resources. Incident Response and Reporting procedures are detailed later in this document.

Selection of Appropriate Service Providers

Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be required to provide resources that the institution determines it cannot provide on its own. The school’s academic and administrative departments periodically review and exercise due diligence in safeguarding the access to non-public information.

In the process of choosing a service provider that will maintain or regularly access covered data, information, and resources, the evaluation process shall include the ability of the service provider to safeguard confidential financial information. Contracts with service providers may include the following provisions:

• An explicit acknowledgement that the contract allows the contract partner access to confidential information;
• a specific definition or description of the confidential information being provided;
• a stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
• an assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own confidential information;
• a provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
• an agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles the University to terminate the contract without penalty; and
• a provision ensuring that the contract's confidentiality requirements shall survive any termination agreement.

General Security Considerations

End-User Devices (Workstations, Laptops, Tablets, Mobile Devices, etc)

1. Employees are responsible for the security and integrity of NMI information accessed from their end-user devices, which includes controlling physical and network access to the equipment.
2. Employees cannot store NMI data or working documents on personally owned Workstation/Laptop. If NMI data is downloaded it must be promptly deleted or moved to the employees device. Saving and storing NMI data on a personally owned device is strictly prohibited.
3. Devices accessing NMI data and information systems must be password protected.
4. Storage of sensitive or personal covered data on mobile devices is strictly prohibited. Users may access their accounts on personal devices however may not download and save records to their personal mobile device.
5. Employees may not run or otherwise configure software or hardware that may allow access by unauthorized users.
6. Employees must not access NMI-owned end-user devices that have not been provided to them for their work without the express permission of the Director of Operations & Administration.
7. Employees accessing NMI services and systems with their own personal devices must adhere to all NMI policies.

Best Practices for Endpoint Health and Protection:

• Do not store personal identifiable information on the device

• Use only NMI’s Google Workspace for Education Shared Drive

• Use whole disk encryption on the device (including any attached media)

• Use FileVault/Jamf Pro for Macintosh Devices

• Ensure software is up-to-date according to manufacturer’s recommendations

• Apple Software Updates
• Printer firmware updates

• Assign users privilege access
• Enable firewall
• Use antivirus/antimalware software with centralized management and monitoring
• Data sanitization on disposal(computers & printers with storage)

• Physical destruction of storage device
• Secure wipe of storage device

Anti-Virus

1. All NMI workstations/laptops must have anti-virus software installed.
2. Individuals using their own personal devices for NMI work must have anti-virus software installed.
3. The anti-virus software and the virus definitions must be kept up-to-date.
4. Virus-infected computers may be removed from use until they are verified as virus-free.
5. The Director of Operations & Administration is responsible for creating procedures that ensure anti-virus software is in place, operating correctly, and computers are virus-free.

Digital Information Data Backup

Workstations/Laptops

Employees cannot store NMI data or working documents on personally owned Workstation/Laptop. Otherwise, those devices must meet the data backup requirements listed below. Only the Director of Operations & Administration’s desktop device stores NMI data and must conform to the following best practice procedure:

• All data, operating systems and utility files must be adequately and systematically backed up. (ensure this includes all patches, fixes, and updates).
• Backup should be incremental and performed each day.

Student Database

NMI’s Student Database is run by Knack and app data and structure are backed up regularly on a daily basis. For more information on Knack’s backup procedures read Knack’s Security & Infrastructure backup policy.

Financial Data

Quickbooks online automatically backs up data with the same level of security used by banks and financial institutions. Data is saved to two hard drives and backups are performed every night.

Clinical Tracking App

The Clinical Tracking App data and structure are backed up through a third-party service agreement with Fifth Estate twice a month.

Software Licenses

1. Virtually all commercially developed software is copyrighted; and the users may use it only according to the terms of the license the University obtains.
2. Duplicating such software with the intent to redistribute or installing multiple instances of such software without authorization is prohibited.
3. All users are legally liable to the license issuer or copyright holder.
4. Placing unlicensed or illegally obtained software, music, movies, or documents on University computers is strictly prohibited.

Server

NMI used Google Workspace for Education Shared Drives for data storage and encryption service. The Director of Operations & Administration and Co-Executive Directors are assigned as administrators of the Workspace, and are able to assign access privileges to other users.

All NMI files must be securely stored on NMI’s Google Shared Drive.

Passwords

1. All NMI passwords will be stored in each employee's Lastpass account. Lastpass offers password sharing to help employees securely and conveniently store and share logins with others in and outside the organization.
2. Passwords are designed to prevent unauthorized access to information. Employees are responsible for safeguarding passwords along with other authentication mechanisms (such as user names, PINs, etc.) by adding passwords to Lastpass. Employees are accountable for negligent disclosure of passwords.
3. Passwords should be a minimum of 8 characters long and constructed of a combination of lowercase, uppercase, numbers and special characters.
4. NMI requires mandatory password reset every 90 days for Gmail passwords and any bank/financial passwords. Passwords cannot be the same as a previous password.
5. Passwords should not be stored in electronic form – in computer files or on portable devices such as USB memory keys unless strongly encrypted.
6. Passwords should not be stored in browser caches or other “autocomplete” types of features available in browsers. Employees can download the Lastpass Chrome add-on for encrypted autocomplete features.
7. Passwords must not be inserted into email messages or texted.
8. NMI accounts or passwords should not be shared with individuals outside the organization unless specified (such as outside Bookkeeper) and permission has been granted. All passwords are to be treated as sensitive, confidential information.

Destruction and Disposal of Information and Devices

1. Confidential information must be disposed of in such a manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Physical documents must be shredded.
2. When donating, selling, transferring, sending to surplus, or disposing of computers or removable media, care must be taken to ensure that confidential data is rendered unreadable. Any restricted information that is stored must be thoroughly destroyed. In general, it is insufficient to "delete" the information, as it may remain on the medium. The data should be properly removed from the drive either by software that meets U.S. Department of Defense specifications or the drive may be physically or destroyed.

Employee Training and Management

1. Employees who have access to NMI’s database and cloud based server must sign an agreement to follow NMI’s confidentiality and security standards.
2. Employees and affiliate users who have access to systems or data that NMI considers to be of a sensitive nature will be enrolled in NMI’s cyber security training training which is an interactive online training program regarding the handling of sensitive data and applicable laws and/or policies. Failure to complete these training sessions will result in the revocation of access to the data or application.
3. Each department is responsible for ensuring its employees are trained to take steps to maintain security, confidentiality, and integrity of personal information, such as:

1. securing rooms and cabinets where records are kept;
2. using strong passwords and not posting, sharing, or releasing passwords;
3. recognizing any fraudulent attempt to obtain student information and reporting it to appropriate department or law enforcement agencies; and
4. reviewing all NMI Policies.

Sensitive Data Protection

Special care and awareness are required with regard to “sensitive data.” Sensitive data are any data that the unwarranted and/or unauthorized disclosure of such would have an adverse effect on the institution or individuals to which it pertains. Unauthorized disclosure or mishandling of sensitive data can be a violation of federal and state law and the institution and its employees can be held personally liable for damages or remediation costs.

Data related to identity theft such as social security number (SSN), credit card numbers, bank account information, driver’s license, name, address, birthdate, passwords, Personal Identification Numbers (PINs), and ID pictures are of particular concern as all or most of this information is collected in the course of school business. Other types of data such as medical information, mailing lists, scholarship information and financial information are examples of data that could require confidential handling or restricted access.

These examples are not exhaustive or all inclusive. It is the responsibility of NMI employees handling any school data to understand what data are sensitive and confidential and to adhere to the following guidelines and any applicable regulations.

1. SSNs may not be stored on systems that are not controlled by NMI. On all other systems, a unique identifier should be used.
2. Sensitive data should be stored in as few places as possible.
3. Sensitive data should never be posted to a website, even for short periods of time. Individuals responsible for maintaining website content must be particularly cognizant and vigilant regarding this matter.
4. Inventory and identify the sensitive data under your control.
5. Purge or delete unused sensitive data in a timely manner to minimize risk.
6. Sensitive data may only exist on systems within the NMI Egnyte Server. It may not be stored on local workstations or on mobile, external, and/or removable storage devices including smartphones, tablets, or any other device
7. Employees handling sensitive data must read and understand all NMI policies and applicable governmental regulations.
8. Transmission of sensitive data must be encrypted using current encryption standards
9. Do not send, receive, or store any sensitive data using email.
10. Under no circumstances should credit card numbers be collected and stored on standalone devices, digital media, or paper media. Processing credit card numbers should be done via secure methods that authorize or deny the transaction in real time but do not retain or store the credit card number. Collecting credit card numbers via phone calls, websites, or email and retaining such numbers on paper or in electronic files for periodic processing is bad practice and insecure.
11. Report any breaches, compromises, or unauthorized/unexplained access of sensitive data immediately to the Director of Operations & Administration or Executive Director.

Release of NMI Data to Third Parties

Third parties may not be permitted access to NMI data or provided NMI data for any reason, unless such entities have agreed in writing to restrict the use of such data to the specific and intended purpose and duration authorized by NMI. Any NMI staff releasing data to a non-NMI third-party entity is responsible for how the data is used (misused). Release of sensitive and confidential data (beyond FERPA-allowed "directory information") is prohibited.

Privacy Statement

1. The National Midwifery Institute (NMI) endeavors to ensure that its treatment and uses of "Personal Information" are in full compliance with all related federal and state statutes and regulations
2. NMI commits to take reasonable precautions to maintain privacy and security of students' and employees' personal information. NMI cannot guarantee that these efforts will always be successful; therefore, users must assume the risk of a breach of school privacy and security systems.
3. NMI does not intend to sell, or otherwise disclose for commercial purposes, outside the scope of ordinary school functions, students' and employees' name, mailing address, telephone number, e-mail address, or other information. While the school makes reasonable efforts to protect information provided to us, we cannot guarantee that this information will remain secure and are not responsible for any loss or theft.
4. Personally identifiable information is defined as data or other information which is tied to, or which otherwise identifies, an individual or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information known about them.
5. Personal information includes, but is not limited to, information regarding a person's social security number, driver's license, marital status, financial information, credit card numbers, bank accounts, parental status, gender, race, religion, political affiliation, personal assets, medical conditions, medical records, and personnel or student records.
6. Some data items are considered directory information and will be released to the public unless a request is filed to prevent disclosure of the information, except for any other reason than official school business. Employees and students who request confidentiality of that information should contact the Director of Operations & Administration within the first five days of the quarter.
7. NMI assumes that failure on the part of any student or employee to specifically request the withholding of categories of information indicates individual approval for disclosure.
8. Personal information may only be released or provided to others as follows:

1. To employees and/or officers of the school on an authorized need-to-know basis;
2. only to those individuals who are authorized to use such information as part of their official school duties; and
3. with the following requirements:

1. they keep that information confidential and use it only for, and to the extent required by NMI business purposes that they are authorized to perform; and
2.  they do not further disclose or provide that information to others.

9. A student's record may be released in compliance with a court order or subpoena. The school’s Legal Counsel will make a reasonable effort to notify the student in advance of compliance unless special circumstances exist in which such notification interferes with the purpose of the request.
10. Student information may be released for health and emergency reasons.
11. The scope of individuals covered by this policy includes all individuals on whom the school, or any part of the school, or any employee, student, volunteer or contractor etc. of the school, has or maintains personal information. This includes students, employees, donors, patients, alumni, referring physicians, research subjects, individuals identified in research files, volunteers and others.
12. NMI is bound by the Family Educational Rights and Privacy Act (FERPA) regarding the release of student education records, and in the event of a conflict with school policies, FERPA will govern. The Notification of Rights is printed in the Student Handbook, the school website Policy and Procedures page, and is available by contacting the Director of Operations & Administration.

Family Educational Rights and Privacy Act (FERPA) Notification of Rights

The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to their education records, including:

1. The right to inspect and review the student's education records within 45 days of the day the school receives a request for access. Students should submit to the registrar, dean, head of the academic department, or other appropriate official, a written request that identifies the record(s) they wish to inspect. The Director of Operations & Administration will make arrangements for access and notify the student of the time and place where the records may be inspected. If the records are not maintained by the Director of Operations & Administration to whom the request was submitted, that official shall advise the student of the correct official to whom the request should be addressed.
2. The right to request that inaccurate or misleading information in the student’s record be amended. Students may ask the school to amend a record that they believe is inaccurate or misleading. They should write the school official responsible for the record, clearly identify the part of the record they want changed, and specify why it is inaccurate or misleading. If the school decides not to amend the record as requested by the student, the University will notify the student of the decision and advise the student of his or her right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the student when notified of the right to a hearing.
3. The right to consent to disclosures of personally identifiable information contained in the student's education records, except to the extent that FERPA authorizes disclosure without consent, including:

1. Disclosure without the student's consent is permissible to school officials with legitimate educational interests. A school official is a person employed by NMI in an administrative, supervisory, academic, research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the school has contracted (such as an attorney, auditor, or collection agent); or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
2. FERPA allows the institution to routinely release information defined as "directory information." The following student information is included in the definition: the student's name, address, e-mail address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, enrollment status (including full-time, part-time, not enrolled, withdrawn and date of withdrawal), degree and awards received, and the most recent previous education agency or institution attended by the student. When a student wants any part of the directory information to remain confidential, an official request form must be completed in the Office of the Registrar within the first five days of class of each school term.

4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by Western Kentucky University to comply with the requirements of FERPA. The name and address of the Office that administers FERPA is: Family Policy Compliance Office U.S. Department of Education 400 Maryland Avenue, S.W. Washington, DC 20202-5920

Questions pertaining to the Family Educational Rights and Privacy Act may be directed to the Director of Operations & Administration, 802-322-4300, nmioffice@nationalmidwiferyinstitute.com.

Incident Reporting

NMI employees must immediately report the following to their supervisors, unless a conflict exists:

• Any actual or suspected security incident that involves unauthorized access to electronic systems owned or operated by NMI;
• malicious alteration or destruction of data, information, or communications;
• unauthorized interception or monitoring of communications;
• any deliberate and unauthorized destruction or damage of IT resources; and
• unauthorized disclosure or modification of electronic institutional or personal information.

Incidents will be treated as confidential unless there is a need to release specific information.

Incident Response

The Executive Director is the primary point of contact for responding to and investigating incidents related to misuse or abuse of the National Midwifery Institute’s Information Technology resources. This includes computer and network security breaches and unauthorized disclosure or modification of electronic institutional or personal information.

Upon discovery of a security breach, provide initial notification of the breach to:

1. The Executive Director
2. the affected system's owner (administrative responsibility for the system);
3. the Director of Operations & Administration (technical support responsibility for the system);

1. After initial notification, they will provide information updates as appropriate throughout the incident response process.
2. NMI employees involved in the incident or the incident’s response and investigation should refer all media and other public inquiries to Public Affairs or General Counsel.
3.  Create a log of all actions taken and maintain this log consistently throughout the response process.
4. Secure the affected area(s). Electronic evidence can be easily destroyed, resulting in the inability to determine if confidential information has been compromised or to provide evidence for future prosecution. Identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. For example, do not alter the condition of any electronic device by either turning it on, off, or rebooting it until it is determined that it is safe to do so. Inventory and evaluate the scene.
5. Assess the need for forensic information, such as that gathered from packet traces and system monitoring utilities, which can aid in understanding the nature and scope of the incident and provide evidence for any potential criminal investigation. During this process, consider both the potential value of forensic information vs. the immediate need to protect and restore University resources and services. Document the decision process. f. Collect and save any forensic information identified in the previous two steps. This may include video records, access logs, system logs, network traces, IP addresses, MAC addresses, data backups, system images, or affected computer hardware. g. Regain control of the compromised system. This may include network disconnection, process termination, system shutdown, or other action as indicated to prevent further compromise of protected information. h. Analyze the intrusion. Document the nature of the intrusion and its impact on information and process integrity. Determine if unauthorized individuals may have acquired restricted information. Attempt to determine the identity of those whose data may have been acquired. Estimate the potential cost (in time, money, and resources) of the intrusion to the University.
6. Correct any identifiable system or application vulnerabilities that allowed the intrusion to occur. j. Verify system and data integrity.
7. Restore service once the integrity of the system and/or information has been verified. l. The incident response team shall create an incident report with all relevant information. The report should include:

• Date and time the incident occurred;
• description of incident;
• detailed list of system(s) and data which were compromised;
• identifiable risks to other systems or information;
• corrective actions taken to prevent future occurrences;
• estimated costs of incident and any corrective actions; and
• identity of those responsible for the incident (if available).

The Executive Director, with input from the Owners and other appropriate individuals, shall determine if disciplinary action should be taken, criminal charges filed against those involved, and which individuals should be notified. NMI will act in accordance with the Vermont’s Security Breach Notice Act, KRS 9 V.S.A. § 2435.

Individual Procedures

Student ID Cards

The student information stored on NMI’s Quick Id Center account is kept in two locations, the student file in Egnyte and the NMI database. Both of these areas are password protected to prevent unauthorized entry.

Student Financial Information

Confidential information is any information pertaining to the students’ tuition and admin fees. This includes payment plan agreements, ACH authorization forms, and other financial documents as well as any information pertaining to a students’ scholarship aid award, grades, and any professional judgment documents that are collected. Only the Executive Director, Director of Operations & Administration, and Bookkeeper have access to financial information.

Active Students - Beginning January 2019

In January 2019, NMI began the process of migrating all financial data to Quickbooks for active students. The Director of Operations & Administration and Bookkeeper have access to Quickbooks and authorize access to individuals on an as-needed basis. Said individuals must log on with credentials assigned to them for their sole use. Hard copy information is scanned and uploaded to the students file in the NMI cloud server. Hard copies of data are no longer stored. Documents are shredded once they have been scanned and saved.

Historical accounts

For students who attended NMI prior to January 2019, paper records have been scanned and uploaded to the individuals folder in the Shared Google Drive. Prior to receiving access to the server, each employee is required to sign an agreement to comply with federal law and school policy regarding the protection of and correct use of information related to students and records privacy.

Application & Enrollment Documents

The NMI office obtains and collects a variety of different information for prospective school students through a variety of stages and in different formats. The types of data that are collected include, but are not limited to:

1. Inquiry Stage:

• General inquiries from prospective students.

2. Applicant Stage:

• Applications from prospective students;
• advanced placement examination information;
• immigration documentation of prospective international students; and
• high school and college transcripts of prospective students.

3. Admission Stage:

• Applications from re-admit students.

Student Academic Records

NMI maintains a variety of student academic records that are in electronic format. NMI employees are trained to protect the privacy of students’ records and are well versed in the Family Educational Rights and Privacy Act (FERPA), the federal law that protects the privacy of educational records and defines proper release of that information.

Electronic records are maintained in NMI’s student database, and changes to those records are made only by authorized personnel. Access to the student database is via a password, and each employee must be trained in the proper use of the system before access to the system is granted.

Work papers and other documents containing private information are shredded following their use. The office is locked during non-business hours.

All student records are covered under the Family Educational Rights and Privacy Act of 1974 (FERPA) and those guidelines establish release of student information. In addition to FERPA regulations, NMI has the following policies and procedures in practice to protect information:

1. Electronic data - All data must be saved in NMI’s Google Shared Drive. Post January 2019 no paper documents shall be kept.
2. Records of students who withdraw from the program are held for seven years. If the student does not matriculate, the records are destroyed after seven years. All information that is to be disposed of that contains student information is shredded within the office.

All personnel are required to read and abide by office procedures on student record information including FERPA regulations. Training agendas include a component on information security.

Disciplinary Action Records

Records related to disciplinary actions are maintained in both electronic format and hard copy. Specific storage and security measures are in place as follows:

• Records related to disciplinary matters are stored in a specific folder in NMI’s Google Shared Drive. Any historical records that have not been scanned are stored in the main office area and are kept in locked file cabinets.
• An electronic file is created summarizing pertinent information related to disciplinary matters.
• This folder is maintained on NMI’s secure cloud based server and only those individuals with authorized access to the folder may access the information.

Confidentiality Statement

NMI adheres to the following confidentiality statement:

• NMI will ensure that confidentiality is maintained with respect to all privileged communications and to educational and professional records considered confidential. They inform all parties of the nature and/or limits of confidentiality. Members share information only in accordance with institutional policies and relevant statutes, when given informed consent, or when required to prevent personal harm to themselves or others.
• Staff members shall treat confidential information appropriately.
• Inform students of the nature and/or limits of confidentiality. They will share information about the students only in accordance with institutional policies and applicable laws, when given their permission, or when required to prevent personal harm to themselves or others.
• Use records and electronically stored information only to accomplish legitimate, institutional purposes and to benefit students.

NMI staff adhere to the following statements related to Technology:

• Technology resources used in administration and operations are regularly evaluated for determining whether current and projected needs and opportunities are met.
• Staff have access to adequate technology resources in the performance of their job responsibilities.
• Technology resources are used to create and sustain cost reduction and efficiency improvement measures initiated by professional staff.
• Technology resources are properly maintained and serviced.

Violations

Any violation of the rules, regulations, policies, and procedures in this Information Security Plan may lead to suspension of access to Information Technology resources, with the possibility of revocation of privileges, or other action as provided by disciplinary provisions applicable to faculty, staff, or students.

Confirmed or suspected violations of local, state or federal laws will be turned over to appropriate individuals.

IMPLEMENTATION

This policy and procedure is provided to all staff upon hire. Additionally, staff sign a Policy Acknowledgement form noting they have read and agree to uphold this policy.

CONTINUING EVALUATION AND ADJUSTMENT

This Information Security Plan will be subject to periodic review and adjustment. Continued administration of the development, implementation, and maintenance of the plan will be the responsibility of the Director of Operations & Administration who will assign specific responsibility for implementation and administration as appropriate.

The Director of Operations & Administration, in consultation with the Executive Director, will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.