Troy University recognizes that the Web is an important electronic publication medium that facilitates its mission. It is in the interest of the University that all Web sites are maintained in a consistent manner so that they provide high quality information about the University’s educational offerings, mission, programs and events to the community, prospective students, and the general public. The Web sites serve as a gateway to college services, teaching and learning resources.
This policy sets minimal standards that are meant to ensure that information published electronically is visually appealing, well-written and follows the same high standards as other forms of published information.
The World Wide Web is one of the primary ways in which TROY presents itself and communicates to various audiences. Therefore, it is essential that Web sites of the University present an image that is unified, of a high quality and favorably represents the University. The TROY Web Guide is intended to serve in this regard as a valuable resource for those who contribute in any way to the Web presence of Troy University.
Please direct any questions or comments to members of the Web Team whose names are located on the last page of this Web Guide.
Review of Policy
TROY recognizes that electronic publication technology is evolving rapidly and this policy is expected to evolve along with it. The policy will be reviewed as needed by the Web Team and the Associate Vice Chancellor for Marketing and Communication. This policy does not address all servers, such as Spectrum or Prism servers, or faculty Web pages.
Site Life Cycle
Information on Web pages should be updated as regularly as necessary, whether that is daily, weekly, monthly, quarterly, etc. The date the page was last updated should be indicated somewhere on the page. If a page does not need to be updated more than once a year, the “this page was last updated” date should still be changed at least every six months to let visitors know that the information is relatively accurate. Every office is encouraged to update or refresh the content and design of its pages twice a year, preferably every fall and spring, or more frequently if needed.
As new templates are developed, they will be available on the Troy University Web site.
Graphic design is the first and last part of the site observed by online visitors. Effectively designed Web sites grab viewer attention and offer clear, consistent navigation. The Web team will provide templates to help design sites that are consistent with the look and feel of the University’s homepage and interior pages. Templates may be viewed on the Troy University Web site.
For recommended style standards, refer to the TROY Style and Graphic Standards Manual. For Web-related words, keep in mind the following: homepage is one word, Web is uppercase when it stands alone; lowercase when combined with another word (e.g. Web site; World Wide Web; webmaster), download and upload are spelled as one word and online is one word, no hyphen.
Use of University Marks and Branding
TROY logos and word marks may be used on official University Web sites such as University departments, approved student groups and schools, as long as the logos are used correctly. For correct logo usage, consult the TROY Style and Graphic Standards Manual (Marketing).
A clear, easy navigation through every page of the TROY Web site is a necessity. A site and its pages should not be a maze where visitors must guess their next move or try the “Back” button to get out. Every page should, at a minimum, include (a) a link to the TROY homepage and (b) the homepage footer menu bar. Pages should also include a link to the appropriate department/division/school/etc. from where the page originates. URL links should be tested routinely to ensure that they are still correct.
The TROY templates include navigation to frequently used sites within TROY and quick links to the University’s interior pages.
Troy University requires Web pages to look consistent, including certain common design elements. To simplify this process, University-approved templates are available for use on the Troy University Web site.
World Wide Web Guidelines
This policy governs documents (Web pages) appearing on the World Wide Web from Troy University servers. Both official and unofficial University Web sites, as defined below, must comply with all copyright laws of the United States, all other applicable local, state and federal laws and applicable policies, rules and guidelines of Troy University, including those defined herein. The dominant theme of any Web site, whether an official or unofficial University Web site, must not appeal to prurient interest to the average person applying contemporary community standards. This policy will be periodically revised in response to pertinent legal and/or technological issues in consultation with the appropriate entities. Any questions, comments or suggestions concerning this policy should be addressed to the Troy University Web Team.
801.8.2 Official University Web Sites
Official University Web sites are defined as Web sites or Web pages created by Troy University entities including, but not limited to, its colleges, schools, departments and administrative offices stating they represent TROY.
All official University Web sites must be approved by the Web coordinator who has administrative oversight over the area represented by the Web site or by the TROY Web team. The associate vice chancellor for marketing and communication will be the final approving authority for all official Web sites.
All official University Web sites must adhere to the minimum standards described below. These minimum standards are presented in conjunction with associated recommendations in this Web Guide.
Display clear identification of Troy University on the top-level pages of each Web site. The preferred means of identification is to display a Troy University word mark. The official TROY templates are required for University offices.
Display a clearly labeled link on each Web page to the TROY homepage (https://www.troy.edu).
Display clearly labeled ownership information on each Web page in the form of a contact e-mail address, which may be supplemented by a contact name and/or telephone number. In unusual cases, a contact name and telephone number may be substituted for a contact e-mail address.
Display a clearly labeled disclaimer (example: http://www.troy.edu/disclaimer): “Although the authors of this Web site have made every reasonable effort to be factually accurate, no responsibility is assumed for editorial or clerical errors or error occasioned by honest mistake. All information contained on this Web site is subject to change by the appropriate officials of Troy University without prior notice. Material on this Web site does not serve as a contract between TROY and any other party.”
The appropriate administrative unit(s) that publishes information on an official University Web site is fully responsible for factually accurate content and currency of information. Web sites that contain out-of-date information may be requested by the Web team or a member of that team to make necessary corrections. Web sites failing to comply following such requests may be unlinked from the University page until the necessary corrections have been made.
All official University Web sites must present information using the highest editorial standards (spelling, punctuation, grammar, style, etc.). Web sites that contain editorial errors may be requested to make the necessary corrections by any member of the Web Team. Web sites failing to comply following such requests may be unlinked from the University page until the necessary corrections have been made.
Any official University Web site desiring to conduct commercial activity, including receipt of online credit card payments, must take appropriate steps to ensure secured transactions. These types of transactions must be approved by the Vice Chancellor for Finance prior to placing this type of information or capability on the University Web site.
Links to commercial entities must be related to the University’s mission and must not imply endorsement by the University.
All names used to represent the University must be official names recognized by Troy University, e.g., “Troy University,” “TROY,” “TROY-Dothan campus,” etc. Except when referring to Troy University athletics, the use of “Trojans” is discouraged.
801.8.3 Unofficial University Web Sites
Unofficial University Web sites are defined as Web sites or Web pages created and maintained by anyone other than Troy University campuses, Web coordinators or site masters.
All unofficial University Web sites must carry the following disclaimer: “The views, opinions and conclusions expressed in this page are those of the author or organization and not necessarily those of Troy University or its officers and trustees. The content of this page has not been reviewed or approved by Troy University and the author or organization is solely responsible for its content.”
Troy University will not undertake to pre-approve or review the content of unofficial University Web sites. However, any pages discovered in violation of this policy are subject to immediate removal from Troy University Web servers.
Unofficial University Web sites may not be used for commercial purposes or for personal financial gain or benefit. Troy University is not responsible for any liability resulting from any such activities prior to their discovery and appropriate remedy.
801.9.1 Web Team
The Web team will be coordinated by the Information Technology (IT) department of the university. Its responsibilities are assisting with the development of templates, approving templates and making them available to departments in the realm of the Web. Members of the Web Team will be responsible for assisting content providers and site masters and in monitoring the various sites to ensure the accuracy and timeliness of the published information. In addition, the Web team will seek the advice of document and design experts when necessary.
801.10 Content Providers
Administrative departments, academic units, individual faculty and staff, and student and college organizations may contribute content to the various Web sites. Content providers, in effect, own the content of a given page and are responsible for accuracy. Content providers should have firsthand knowledge of a particular page’s content. Though they need not have specialized Web publishing knowledge, familiarity with Web-writing guidelines is very useful because text online is read differently than printed text and thus needs to be written differently. All pages should include the content provider’s e-mail address on the bottom of the page, along with the date that the page was last updated so that interested readers can get in touch with the content expert.
Other things content providers should remember in the design of Web sites include the following:
- In the construction of your pages, avoid:
  - sexist and/or racist material
  - offensive language
  - defamatory, abusive or harassing material
  - pornographic material
  - commercial advertising
- Do nothing that might lead users of the TROY Web site into making improper use of
  for example, providing links to:
  - archives that may contain pornographic material
  - sites that distribute illegal software
  - bulletin boards that contain dubious material
801.11 Site Master
Every site must be owned and maintained by a staff or faculty member—not a student or external company. Using an external vendor to create, and in some instances to help maintain a site, is acceptable; however, at least one faculty or staff member from the responsible office must own and be accountable for the site, including having a basic knowledge of how to update, remove or change information on the site. Student interns may help create or update sites; however, a student cannot be the owner of the site and cannot be the only person in the responsible office who knows how to update and manipulate the site.
Ownership by staff or faculty is essential in order to maintain continuity of a Web site. Student workers are a marvelous resource, but when the student leaves, the Web site still needs to be maintained, updated and even redesigned at some point in time. Without ownership by staff or faculty, material on the Web can easily become outdated. Outdated and inaccurate information on a Web site is often worse than no information at all.
The individual Web coordinators for each site will oversee and maintain the registry of site owners. The information gathered for the registry is used to not only delete old or non-maintained sites, but also to quickly identify who is responsible for each existing University site. Each owner of a newly created site must register with the Web coordinator for his/her particular campus or site. This can be done online on the Troy University Web site.
801.13 Departmental vs. Central Control
Every office, organization and school is responsible for the look and content presented on its site, as well as for keeping the site updated, fresh and consistent with the overall look of the Troy University homepage and interior pages. The Web team has overall oversight not only of the University’s homepage and interior pages, but also of all pages on the TROY Web site.
801.14 Shutting Down a Site
Every office, organization and school is responsible for the look and content of their site. When there are egregious errors or problems with a site, the Web team will contact the person responsible for the page and discuss ways to fix the problem. If the problem persists or if it is an emergency situation that requires immediate attention, the Web team maintains the right and responsibility to shut down a site either on a temporary or permanent basis.
801.15 External Vendors
Working with an external Web design vendor is an acceptable solution when developing a University Web site or page.
Unless there are extenuating circumstances, the following policies should be understood and shared when working with external vendors.
All code and images belong to Troy University. The created Web site must reside on an approved Web server.
801.16 Requested Changes in Web Area Structure
Requested changes to the structure of existing Web areas, such as moving existing areas to new locations, removing existing areas or redirecting areas, will need to be approved by the Web coordinator at the campus where the changes are requested and by any other department heads whose departments may be affected by the requested changes.
801.17 Correct HTML
All tags should conform to the guidelines and recommendations given by the World Wide Web Consortium.
The Consortium also offers a validation service for your pages. So if you wish to test them, just type your URL into the appropriate box.
801.18 Checking for Errors
Always check your pages carefully, particularly if you have been using a word processor that translates text into HTML. When the text is translated, these programs often insert alien characters, such as accents and random letters, or shrink the text to an unreadable size. Such programs include Microsoft Excel, SPSS Data Analysis Software, Microsoft Word, Corel WordPerfect, etc.
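As an added example (not part of the Web Guide or any Troy University tool), the following Python script applies the advice above to an exported HTML file: it lists every non-ASCII character that appears in the visible text, flags common mojibake sequences that word-processor exports produce when UTF-8 punctuation is read back as Windows-1252, and reports inline font-size declarations below a readability threshold. The sample document and the 8-point threshold are constructed for illustration; adjust the threshold to your own templates.

```python
"""Flag word-processor artifacts in exported HTML: stray non-ASCII characters,
mojibake sequences and unreadably small inline font sizes."""
import re
from html.parser import HTMLParser

# UTF-8 bytes of curly quotes and dashes decoded as Windows-1252 look like this.
MOJIBAKE_MARKERS = ("â€™", "â€œ", "â€“", "â€”", "Ã©")

# Assumed readability threshold (not a figure from the guide): 8 points.
MIN_FONT_PT = 8.0
FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([\d.]+)\s*(pt|px)", re.IGNORECASE)


class _TextCollector(HTMLParser):
    """Collects visible text; entities such as &#8217; are decoded by the base class."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(html):
    """Return the text a visitor would see, with tags removed and entities decoded."""
    collector = _TextCollector()
    collector.feed(html)
    collector.close()
    return "".join(collector.parts)


def check_html(html):
    """Return a list of (kind, detail) findings for one HTML document.

    kinds: 'mojibake'  - a known mis-decoded punctuation sequence
           'non-ascii' - any character above U+007F in visible text (review manually;
                         mojibake characters are listed here too)
           'tiny-font' - an inline font-size below MIN_FONT_PT
    """
    findings = []
    text = visible_text(html)

    for marker in MOJIBAKE_MARKERS:
        count = text.count(marker)
        if count:
            findings.append(("mojibake", f"{marker!r} x{count}"))

    # Report each distinct non-ASCII character once, with its code point.
    for ch in sorted({c for c in text if ord(c) > 127}):
        findings.append(("non-ascii", f"U+{ord(ch):04X} {ch!r}"))

    # Inline styles live in tag attributes, so scan the raw markup for them.
    for match in FONT_SIZE_RE.finditer(html):
        size, unit = float(match.group(1)), match.group(2).lower()
        points = size * 0.75 if unit == "px" else size  # CSS: 1px = 0.75pt
        if points < MIN_FONT_PT:
            findings.append(("tiny-font", match.group(0)))

    return findings


# Constructed sample: one clean paragraph, a curly apostrophe written as an entity,
# an unreadable inline font size, and a mojibake apostrophe.
SAMPLE_HTML = """<html><body>
<p>Clean paragraph.</p>
<p>Troy&#8217;s exported text</p>
<p style="font-size:2pt">legal note</p>
<p>Registrarâ€™s office</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in check_html(SAMPLE_HTML):
        print(f"{kind:10} {detail}")
```

Run it against a real export by reading the file into a string and passing it to `check_html`; an empty list means nothing was flagged. Entity-encoded characters are decoded before the scan, so `&#8217;` and a literal curly apostrophe are reported the same way.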
Troy University uses information technology to help students, faculty, and staff accomplish their goals. Information technology also helps Troy University reach its objectives. This worldwide reliance upon diverse technologies means increased responsibilities and opportunities for everyone throughout the University. The timely and appropriate use of these information technologies will help each person succeed.
Troy University’s information technology (computing, information technology, radio and television, telephone, and network resources) is provided to faculty, staff and students for the purposes of study, research, service, and related academic and administrative activities. University information technology facilities are valuable resources and must be used in a responsible manner. These resources are shared among many people. Each person should use technology resources in a manner that allows others to also use information technology.
Use of the Troy University information technology is a privilege, not a right. This includes use of computer labs. All users of Troy University’s information technology resources must agree to use the facilities legally, ethically, and in keeping with their intended purpose.
Troy University IT Resources must be used in accordance with applicable licenses and contracts, and according to their intended use in support of Troy University’s mission.
All users must comply with federal, state, and local laws, as well as Troy University policies, when using Troy University IT Resources.
The following sections define the acceptable uses of Troy University IT Resources. Any conflict between these policies and the legitimate business of Troy University can be resolved through the policy exception request process as defined in the Policy Exception Policy.
802.2.1 Employees and Student Employees
With the exception of incidental personal use, as defined below, Troy University IT Resources must be used only to conduct the legitimate business of Troy University (e.g., scholarly activity, academic instruction, research, learning, business operations).
Personal devices are not allowed on Troy University Administrative networks; personal devices are allowed on public WiFi networks.
Incidental personal use of Troy University IT Resources by Troy University employees is permitted if the personal use does not interfere with the execution of job duties, does not incur cost on behalf of Troy University, and is not unacceptable as defined in the Unacceptable Use section below.
Troy University students may use the ResNet and Gaming networks for recreational and personal purposes to the extent that such use is not unacceptable as defined in the Unacceptable Use section below and does not adversely affect network service performance for other users engaged in academic, research, or official business activities.
802.3 Unacceptable Use
Troy University employees, including students acting as employees, are prohibited from the following actions when using Troy University IT Resources:
- Unauthorized use of IT Resources for commercial purposes or personal gain
- Transmitting commercial or personal advertisements, solicitations, or promotions
All users are prohibited from using Troy University IT resources in a manner which results in a violation of law or policy or potentially adversely affects network service performance.
Examples of Unacceptable Use include, but are not limited to, the following:
- Activity that violates federal, state, or local law
- Activity that violates any Troy University or Board of Trustee policy
- Activities that lead to the destruction or damage of equipment, software, or data belonging to others or Troy University
- Circumventing information security controls of Troy University IT Resources
- Releasing malware
- Intentionally installing malicious software
- Impeding or disrupting the legitimate computing activities of others
- Unauthorized use of accounts, access codes, passwords, or identification numbers
- Unauthorized use of systems and networks
- Unauthorized monitoring of communications
This list is not complete or exhaustive. It provides examples of prohibited actions. Any user in doubt about the acceptable use of Troy University IT Resources should contact Cyber Security for further clarification and assistance.
All Troy University IT resource users are covered by this policy.
802.5 Policy Terms
Troy University IT Resources
Troy University owned computers, networks, devices, storage, applications, or other IT equipment. “Troy University owned” is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).
Violations of this policy may result in loss of Troy University system and network usage privileges, and/or disciplinary action (up to and including termination or expulsion) as outlined in applicable Troy University policies.
If a user suspects that they are a victim of a violation of this policy, then the violation may be reported directly to the Troy University Cyber Security team by sending an email to firstname.lastname@example.org per the Incident Reporting procedures found in the Cyber Security Policy.
It is improper to take actions that will interfere with or alter the integrity of the University’s information technology systems. Such actions include unauthorized use of accounts, impersonation of other individuals, unauthorized access to or any attempt to alter, share or distribute restricted databases, attempts to capture or crack passwords, attempts to break encryption protocols, compromising privacy, destruction or alteration of data or programs belonging to other users, experiments to demonstrate computer facility vulnerabilities, and attempts to steal or destroy software on campus computing facilities or computer hardware. These types of actions are improper and can result in a loss of the right to use information technology resources.
Computer accounts and passwords should be protected against unauthorized use. Accounts and passwords should never be shared with anyone. Each computer user has the specific responsibility to protect his/her password. Anyone suspecting his/her password may be compromised should immediately report this to an administrator of the computer facility. This helps protect the integrity of Troy’s information technology systems.
Changing another person’s password without authorization is considered a form of harassment and is improper behavior.
Users must not browse, access, copy, share, distribute, or change private or administrative files without authorization. Users must not change public files without authorization. Users must not attempt to modify the computer systems or software in any unauthorized manner.
The use of invasive software, such as worms, “crackers,” and viruses is unethical, improper, and illegal. No computer user should use his/her knowledge of a computer system to destroy or alter accounts, files, software, or hardware to obtain extra resources or to deprive others of information technology resources.
Users are responsible for damages caused by infected software they introduce into the system.
Hardware, software, network equipment, manuals, supplies and other information technology related equipment, must not be removed from their established site(s) without proper authorization. Abuse or misuse of any computer hardware, software, or other campus related technology including networking resources is illegal and/or unethical behavior.
The office of Information Technology is responsible for the coordination and implementation of all information technology security policies and procedures. Troy University endeavors to provide first-class electronic resources to its academic and administrative communities. To maintain stable, reliable electronic infrastructures, Troy University has outlined the following guidelines concerning the use of all University electronic resources. Users should not use the University’s electronic resources in a manner subject to criminal or civil liability.
All software must be accompanied by a valid software license.
University electronic resources may not be employed for private gain. Alabama Code 36-25-5 (a) and 36-25-27 (a) specifically prohibit personal gain through the use of public resources.
All electronic data are considered private and protected. Misuse or manipulation of electronic data is subject to criminal and civil actions.
Use of electronic resources in a careless, destructive, defamatory or illegal manner is prohibited.
The University reserves the right to limit or stop any electronic activity not in accordance with University policy or state and federal statutes.
This policy covers all data produced, collected or used by Troy University, its employees, student workers, consultants or agents during the course of University business.
The purpose of this policy is to identify the different types of data, to provide guidelines and examples for each type of data, and to establish the default classification for data.
Data Classification Types
All data covered by the Scope of this policy will be classified as TROY Protected data, TROY Sensitive data, or TROY Public data.
804.1.3.1 TROY Protected Data
TROY Protected data is any data that contains personally identifiable information concerning any individual and is regulated by local, state, or Federal privacy regulations, or by any voluntary industry standards or best practices concerning protection of personally identifiable information that TROY chooses to follow.
These regulations may include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI-DSS)
Examples of some of the types of data that are regulated are listed in the appendix.
804.1.3.2 TROY Sensitive Data
TROY Sensitive data is any data that is not classified as TROY Protected data, but which is information that TROY would not distribute to the general public. This classification is made by the department originating the data. Examples of the types of data included are: budgets, salary and raise information, TROY/TWE ID, EMAIL ID and possible properties for TROY to purchase.
804.1.3.3 TROY Public Data
TROY Public data is any data that TROY is comfortable distributing to the general public. For department-specific data, this classification comes from the department. If data is created jointly by more than one department, the involved departments should jointly classify the data. If they are unable to come to a consensus, then the data must be classified as TROY Sensitive Data. For University-wide data, this classification can only come from the Office of the Chancellor, the Office of Registration and Records, the Division of Academic Affairs, or Institutional Research. Examples of the types of data included are: department faculty lists, department addresses, press releases, and the TROY web sites. Any TROY data that does not contain personally identifiable information concerning any individual, and that is not TROY Protected data or TROY Sensitive data, must be classified as TROY Public data.
804.1.3.4 Default Classification of Data
Any data that contains personally identifiable information concerning any individual or that is covered by local, state, or Federal regulations, or by any voluntary industry standards concerning protection of personally identifiable information that TROY chooses to follow, is automatically classified as TROY Protected Data. All other data is classified as TROY Sensitive Data by default. Online resources will be available to assist individuals in properly classifying data.
804.1.4 Questions About This Policy
If you have questions about this policy, please contact the Information Security team email@example.com.
TROY Protected Data
Listed below are examples of types of personally identifiable information that are generally protected by local, state, or Federal privacy regulations. These examples are not an exhaustive list of all possible types of information that are protected by local, state, or Federal privacy regulations.
- Social security numbers
- Credit card and debit card numbers
- Bank account numbers and routing information
- Driver’s license numbers and state identification card numbers
- Student education records
  - Business Office: Student account files and Perkins loan information
  - Departments and Colleges: Academic advising records, admission files, including ACT, SAT and TOEFL scores, and high school and college transcripts and other scholastic records
  - Financial Assistance: Financial assistance application files, student federal work-study information, scholarships and Stafford loan information
  - Intercollegiate Athletics: Injury reports, scholarship contacts, performance records, height and weight information
  - Registration and Records: Permanent record of academic performance (grades, transcript, including supporting documents), course schedules
  - Residence Life: Residential life and housing services files
  - Student Life: Student activity files, student disciplinary files, multi-cultural programs and services files, and intramural sports files
  - Student Services: Career planning files, including placement information and employers' files, international programs and services files
  - Undergraduate Admission and other admission offices: Admission files on prospective students
  - University Library: Circulation records
- Personal health records
  - Patient information: addresses, dates, telephone/fax numbers, social security numbers, medical records numbers, patient account numbers, insurance plan numbers, vehicle information, license numbers, medical equipment numbers, photographs, fingerprints, e-mail and Internet addresses
Note: Personal health records stored in education records are subject to FERPA and are excluded from HIPAA.
804.1.6 Additional Information About Referenced Regulations
FERPA is a Federal law that protects the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA provides students with the right to inspect and review certain education records maintained by the school and to request corrections if the records are inaccurate or misleading. It requires that schools obtain written permission before releasing information from a student’s education record. It also allows schools to publish certain “directory” information about students, unless the student has requested that the school not do so.
- Directory Information upon student request
  - Student’s name and email address
  - Dates of attendance
  - Major and minor fields of study, degree desired, classification (freshman, sophomore, junior, senior) and full-time or part-time status
  - Participation in officially recognized activities
  - Degrees and awards received (i.e. Dean’s List, Who’s Who, etc.)
The penalty for failing to comply with FERPA may result in the loss of all federal funding, including grants and financial aid.
GLBA protects consumers’ personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected.
The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.
Additional GLBA information can be found on the Federal Trade Commission Web site.
HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations for the use and disclosure of PHI, including a patient’s health status, provision of health care, medical records or payment history.
Penalties for wrongfully disclosing PHI range from a $50,000 to a $250,000 fine and a one year to a ten year prison term, depending on the circumstances. These fines are for the individual, not the institution.
Additional HIPAA information can be found on the HHS.gov Web site.
Payment Card Industry Data Security Standards (PCI-DSS)
PCI DSS is an industry standard which protects credit card customer account data. It requires specific control objectives be met by any organization that accepts credit cards for payment. These control objectives include secure network, server, and desktop standards, as well as procedures to ensure that credit card data is properly protected during the transaction.
Failing to comply with PCI DSS can result in significant fines. Credit card providers can fine merchants up to $500,000 per compromise when the merchant was not compliant at the time of the compromise. Merchants may also be banned from accepting certain types of credit cards. Additional information can be found on the PCI Security Standards Council Web site.
Additional US State Laws
If you work for TROY inside the United States but outside of Alabama, or outside of the United States, please send an email containing the state or country in which you work to firstname.lastname@example.org. The Information Security team will respond with any data privacy laws that also apply to you.
June 4, 2009: Initial Policy (TROY IT Best practices)
August 2, 2016: Policy Updated for review
September 7, 2016: Policy submitted for adoption
This policy covers all computers, electronic devices, and media capable of storing electronic data that house TROY Protected data or TROY Sensitive data as defined by the Data Classification Policy. This policy also covers the circumstances under which encryption must be used when data is being transferred.
The purpose of this policy is to establish the types of devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software used for encryption.
804.2.3.1 Devices and Media Requiring Encryption
Encryption is required for all laptops, workstations, and portable drives that may be used to store or access TROY Protected data. Encryption is recommended for all laptops, workstations, and portable drives that may be used to store or access TROY Sensitive data. IT will provide, install, configure, and support encryption where it is needed. Departments who have a laptop, workstation, or portable drive that needs to be encrypted should contact the IT Information Security team at email@example.com.
804.2.3.2 Electronic Data Transfers
Any transfer of unencrypted TROY Protected data or TROY Sensitive data must take place via an encrypted channel. Encrypted TROY Protected data or TROY Sensitive data may be transmitted via encrypted or unencrypted channels. All email communications that involve email addresses outside of TROY use an unencrypted channel, and therefore require that messages containing Troy Protected data or TROY Sensitive data be encrypted. Approved methods of encrypting electronic data transfers are listed in the appendix. If the encryption method includes a password, that password must be transferred through an alternative method, such as calling the individual and leaving the password on their voice mail. Email messages containing encrypted data may never include the password in the same message as the encrypted data. Individuals who are unsure if they are correctly encrypting electronic data transfers should contact the IT Information Security team at firstname.lastname@example.org.
804.2.3.3 Physical Transfer of Electronic Data
Any time TROY Protected data or TROY Sensitive data is placed on a medium such as a CD, DVD, or portable drive to facilitate a physical transfer, either entirely within TROY or between TROY and a 3rd party, that data must be encrypted. Archiving TROY Protected data or TROY Sensitive data to a physical medium is not recommended, but is permitted if the data is encrypted. All archiving should be done electronically, so that it is stored in a controlled data center and backed up by IT.
IT will install software that is capable of encrypting the entire hard drive on all identified TROY computers and electronic devices subject to this Policy. Users who require encryption software should contact IT to arrange installation of encryption software.
804.2.4 Questions About This Policy
If you have questions about this policy, please contact the Information Security team at email@example.com.
804.2.5 Policy Adherence
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Handbook, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Examples of portable drives:
- Flash drives
- Thumb drives
- Memory sticks
- USB hard drives
IT will make the following approved encryption methods available for electronic data transfers
- Transport Layer Security (TLS 1.1, TLS 1.2); note that TLS 1.1 has since been deprecated by RFC 8996, so TLS 1.2 or later should be preferred
- SSH File Transfer Protocol (SFTP)
- Connecting via an IT-approved Virtual Private Network (VPN)
- Referenced Policies
August 9, 2009: Initial Policy (IT Best practices)
August 2, 2016: Updated
September 7, 2016: Submitted for adoption
All users of University-owned computers will abide by copyright laws and licensing agreements. No software should be loaded on any University computer in violation of licenses or laws. Copyrighted software must be used only in accordance with its license or purchase agreement. Users do not have the right to reprint, use unauthorized copies of software, or make or attempt to make unauthorized copies of software.
In addition to federal and state laws prohibiting the theft of software, Troy University prohibits copyright licensing infractions from or on any component of the University’s information technology systems. Troy University will not be liable for copyright or licensing infringements by any student, faculty or staff member.
Troy University respects every individual’s right to privacy in the electronic forum and prohibits use of University computers, including personally owned computers linked via University telecommunications equipment to other systems, from violating such rights. Attempts to read another person’s electronic mail, access another’s files, access electronic records containing information concerning another person, or use of another person’s password are examples of violations of privacy rights.
There are important University concerns that place some legitimate restrictions on the privacy of programs, data files and electronic mail on the University’s information technology systems. Instructors may monitor class accounts of students in their courses. Authorized technical personnel may access accounts for the purpose of maintaining computers or network systems. Authorized technical personnel may also monitor accounts and network activity to detect violations of this policy.
Computer accounts should be used for their assigned purposes. For example, an account assigned to a student for a specific course should be used for work related to that course.
All computer and network users engaged in activities not directly connected to study, research, or University-related services should willingly yield their computer terminals to others ready to use University computers and networks for their University-related work.
Excessive use of paper, making electronic mass mailings, and using University owned computers and network resources for personal monetary gain are some examples of abuses of Troy information technology facilities.
Certain types of communications are expressly forbidden on Troy’s computer systems and networks. This includes the random mailing of messages, the sending of obscene, pornographic, harassing, nuisance, abusive, or threatening material, and the use of the facilities for commercial or political purposes.
University-owned public access computers will not be used for games unless specifically authorized by a faculty member for educational purposes.
The University may take disciplinary and/or legal action against any individual who violates any information technology usage policy. Violations of Troy University’s information technology usage policy are treated like any other violation of the Standards of Conduct as outlined in the Oracle, Troy’s student handbook, and applicable faculty and staff handbooks. Violators may also be billed for illegal use of the computer systems. Any damage caused by misuse may lead to the violator being temporarily or permanently suspended from Troy technology facilities. Those violating statutory requirements may be prosecuted.
Troy University hereby expressly and explicitly disclaims any liability and/or responsibility for violations of this policy.
Departments or units wishing to implement a new technology process (including application software) or new technology infrastructure (equipment and/or networks) must submit a proposal to the Chief Technology Officer (CTO) for review and approval. The CTO’s director committee will review the requests. The committee shall be composed of the Chief Technology Officer and the major unit directors for Information Technology. This process is designed to ensure continuity and compatibility of technology equipment and software used by the University. All technology infrastructure and multi-user software are to be vetted through the Chief Technology Officer (CTO). The Chief Technology Officer should issue procedures for implementing this policy. Any disputes arising from decisions issued by the CTO will be mediated by the Senior Vice Chancellor for Financial Affairs and Online Education.
Approved: Cabinet, August 8, 2007
Updated: 13 May 2019
OPR: SVC, Administration
811.1.1 Chief Information Security Officer
The Chief Information Security Officer is responsible for creating and maintaining a cyber security program and leading the Troy University Cybersecurity team. The purpose of the cyber security program is to maintain the confidentiality, integrity, and availability of Troy University IT Resources and Troy University data. In addition, the Chief Information Security Officer, or a designee, is responsible for leading the investigation of and response to cyber security incidents. The response to any incident will be developed in collaboration with the data steward, Troy University Marketing and Communication, Legal Affairs, and other campus offices as appropriate.
Troy University IT Resource users (IT Resource users include both students and employees) are responsible for protecting the security of all data and IT Resources to which they have access. This includes implementing appropriate security measures on personally owned devices which access Troy University IT Resources. In addition, users are required to keep their accounts and passwords secure in compliance with the Troy University Password Policy.
Troy University employees may grant IT Resource guest access to third parties (e.g., visiting scholars), after consultation with Troy University IT. Any Troy University employee who grants guest access to IT Resources is responsible for the actions of their guest users.
Troy University recognizes the value of research in the areas of computer and network security. During the course of their endeavors, researchers may have a need to work with malicious software and with systems that do not adhere to the security standards as prescribed by the Chief Information Security Officer. Researchers are responsible for their actions and must take all necessary precautions to ensure that their research will not affect other Troy University IT Resources or users. In addition, researchers are responsible for making all appropriate notifications to those that may be affected by their research. Troy University IT provides an Academic Computing Network for such activities; unless otherwise approved, these efforts should take place on the Academic Computing Network.
811.1.4 Network Management
The Office of Information Technology (OIT) is responsible for planning, implementing, and managing the Troy University network, including wireless connections.
The following network appliances cannot be implemented at Troy University without prior written approval by OIT or a Unit’s IT lead:
- Wireless access points
- Voice over IP (VOIP) infrastructure devices
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Virtual Private Networking (VPN)
- Consumer grade network technologies
- Other networking appliances that may not be included in this list
Units or individuals who install any of the technologies listed above are responsible for capturing network traffic logs and storing them for a minimum of 365 days or an appropriate amount as negotiated with the OIT network team.
Network traffic logs should include the following information:
- Source MAC address
- Source and destination IP address
- Physical interface (where applicable)
- Date and time
- User account where available (e.g. VPN logs)
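The field list above is easy to state and easy to drift from in practice. The following added example (not part of the policy) checks a newline-delimited JSON export of appliance logs against those fields and applies the 365-day retention floor; the JSON field names, the timestamp format, and the sample records are all assumptions made for the illustration.

```python
"""Validate network-appliance log records against the required field list and
apply the 365-day retention minimum. Added example, not part of the policy:
the JSON layout, field names, timestamp format, and sample records are assumed."""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # minimum retention from the policy text
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# "iface" and "user" are "where applicable"/"where available", so they are not required
REQUIRED = ("src_mac", "src_ip", "dst_ip", "timestamp")

# Constructed sample records (not real traffic); lines 3 and 4 are deliberately defective
SAMPLE_LOG = """\
{"timestamp": "2016-09-07T14:02:11Z", "src_mac": "00:1a:2b:3c:4d:5e", "src_ip": "10.20.30.40", "dst_ip": "172.16.5.9", "iface": "ge-0/0/1"}
{"timestamp": "2016-09-07T14:02:12Z", "src_mac": "00:1a:2b:3c:4d:5f", "src_ip": "10.20.30.41", "dst_ip": "8.8.8.8", "iface": "wlan0", "user": "jdoe"}
{"timestamp": "2016-09-07T14:02:13Z", "src_mac": "not-a-mac", "src_ip": "10.20.30.999", "dst_ip": "172.16.5.9"}
{"timestamp": "not a date", "src_ip": "10.20.30.42", "dst_ip": "172.16.5.9", "iface": "ge-0/0/2"}
"""


def parse_ts(s):
    """Parse the assumed UTC timestamp format; raises ValueError on garbage."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_record(rec):
    """Return a list of problems with one record; an empty list means it meets the field list."""
    problems = []
    for field in REQUIRED:
        if field not in rec:
            problems.append(f"missing {field}")
    if "src_mac" in rec and not MAC_RE.match(rec["src_mac"]):
        problems.append("bad src_mac")
    for field in ("src_ip", "dst_ip"):
        if field in rec:
            try:
                ipaddress.ip_address(rec[field])  # accepts IPv4 and IPv6
            except ValueError:
                problems.append(f"bad {field}")
    if "timestamp" in rec:
        try:
            parse_ts(rec["timestamp"])
        except ValueError:
            problems.append("bad timestamp")
    return problems


def validate_log(text):
    """Validate newline-delimited JSON; returns {line_number: problems} for defective lines only."""
    bad = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad[n] = ["not JSON"]
            continue
        problems = validate_record(rec)
        if problems:
            bad[n] = problems
    return bad


def eligible_for_purge(newest_record_ts, now_ts):
    """An archive may be deleted only once its newest record is older than the retention floor."""
    return parse_ts(newest_record_ts) < parse_ts(now_ts) - timedelta(days=RETENTION_DAYS)


if __name__ == "__main__":
    for line_no, problems in validate_log(SAMPLE_LOG).items():
        print(f"line {line_no}: {', '.join(problems)}")
```

Running the check on every export before it is archived catches the common failure of a device that logs IP addresses but not the MAC or the interface, which is exactly the record an investigation later needs to tie traffic to a physical port.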
811.1.5 System Administration
Every Troy University owned IT Resource (including virtual resources such as virtual machines and cloud based services) must have a designated system administrator. The Troy University expectation is that every Troy University owned IT Resource will be professionally managed by the unit technical support team unless prevailing regulations dictate otherwise.
The system administrator is responsible for proper maintenance of the machine, even if the system administrator is not a member of the unit technical support team. This responsibility must be acknowledged and documented. In addition, the machine must be accessible to the unit technical support team for incident management purposes unless legal restrictions will not allow such access.
Negligent management of a Troy University owned IT Resource resulting in unauthorized user access or a data breach may result in the loss of system administration privileges.
System administration responsibilities for all Troy University owned IT Resources, including those that are self-administered, include the following:
- Complying with all applicable Troy University IT policies and procedures
- Performing an annual cyber security self-assessment for the set of IT Resources administered
- Working with the unit technical support team to establish the following:
  - Installing and running endpoint security/management agents that have been approved by Troy University Cyber Security (a link to a list of these is provided on the IT website)
  - Establishing an appropriate backup strategy and performing regular system backups
  - Regularly updating the operating system and other applications installed on the machine
  - Using, where possible and practical, central Troy University IT services for system login and account management (e.g. Active Directory)
All Troy University IT resource users and all Troy University IT resources are covered by this policy.
Laptop computers, desktop computers, workstations, group access workstations, mobile devices, USB drives, personal network attached storage.
Troy University IT Resources
Troy University owned Computers, Networks, Devices, Storage, Applications, or other IT equipment. “Troy University owned” is defined as equipment purchased with either Troy University funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).
811.4.1 Incident Reporting
If a Troy University IT Resource user suspects that a security incident has occurred or will occur, they should report the suspicion immediately to the system administrator or unit technical lead. Users may also report the suspected security incident directly to the Troy University Cybersecurity team by sending an email to firstname.lastname@example.org.
System administrators and unit technical leads who have identified any of the following security events should report the suspected security event to the Troy University Cybersecurity team:
- Any occurrence of a compromised user account
- Any breach or exposure of Category 3 sensitive data (see Data Access Policy)
- Any occurrence of a server infected with malware
- Three or more simultaneous occurrences of endpoints infected with malware
- Any other instance of malware or suspected intrusion that seems abnormal
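The server and "three or more simultaneous endpoints" thresholds above are the kind of rule that belongs in code rather than in an analyst's memory. The following added example (not part of the policy) applies them to a stream of malware alerts; the alert layout, the 10-minute window taken to mean "simultaneous", and the sample alerts are all assumptions.

```python
"""Apply the reporting thresholds for malware events to a stream of alerts.
Added example, not part of the policy: the alert tuple layout, the 10-minute
window used for "simultaneous", and the sample alerts are assumptions."""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed reading of "simultaneous"
ENDPOINT_THRESHOLD = 3          # "three or more" from the policy text

# Constructed sample alerts: (ISO timestamp, hostname, role); not real events
SAMPLE_ALERTS = [
    ("2016-09-07T09:00:00", "ws-101", "endpoint"),
    ("2016-09-07T09:03:00", "ws-102", "endpoint"),
    ("2016-09-07T09:05:00", "ws-101", "endpoint"),   # same host again, not a third endpoint
    ("2016-09-07T09:20:00", "srv-db01", "server"),   # any server infection is reportable
    ("2016-09-07T09:25:00", "ws-103", "endpoint"),
    ("2016-09-07T09:27:00", "ws-104", "endpoint"),
    ("2016-09-07T09:30:00", "ws-105", "endpoint"),   # third distinct endpoint inside the window
    ("2016-09-07T09:32:00", "ws-106", "endpoint"),   # same cluster, already reported
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def escalations(alerts, window=WINDOW, threshold=ENDPOINT_THRESHOLD):
    """Return [(timestamp, reason)] for alerts that must go to the Cybersecurity team.

    Servers escalate individually. Endpoints escalate when `threshold` distinct
    hosts are infected inside `window`; one report per cluster, not one per alert.
    """
    reports = []
    recent = deque()            # (datetime, host) endpoint infections still inside the window
    last_cluster_report = None  # suppresses repeat reports for one ongoing cluster
    for ts_str, host, role in sorted(alerts):
        ts = _ts(ts_str)
        if role == "server":
            reports.append((ts_str, f"server {host} infected with malware"))
            continue
        recent.append((ts, host))
        while ts - recent[0][0] > window:  # drop infections that have aged out of the window
            recent.popleft()
        hosts = sorted({h for _, h in recent})  # distinct hosts, so repeats on one box do not count
        if len(hosts) >= threshold and (
            last_cluster_report is None or ts - last_cluster_report > window
        ):
            reports.append(
                (ts_str, f"{len(hosts)} endpoints infected within {window}: {', '.join(hosts)}")
            )
            last_cluster_report = ts
    return reports


if __name__ == "__main__":
    for when, reason in escalations(SAMPLE_ALERTS):
        print(when, reason)
```

Counting distinct hosts rather than raw alerts matters: an endpoint that re-detects the same file three times is one infected endpoint, not three, and should not by itself trigger the reporting threshold.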
Violations of this policy may result in loss of Troy University system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion as outlined in applicable Troy University policies.
Troy University provides information technology resources to faculty members, staff and students for the purpose of furthering Troy University’s mission and conducting Troy University business. While personal use of such systems is permitted, as per the Information Technology Acceptable Usage policy, personal communications and files transmitted over or stored on Troy University systems are subject to the same regulations as business communications.
Troy University is committed to respecting the privacy expectations of its employees and students; however, consistent with this policy, electronic information that is transmitted over or stored in Troy University systems and networks is subject to being audited, inspected and disclosed to fulfill administrative or legal obligations. Such access is permitted when, among other circumstances, it:
- is necessary to comply with legal requirements or process (e.g., Alabama Open Records Act or subpoena);
- may yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected infraction of Troy University or Board of Trustee policy;
- is needed to maintain the security of Troy University computing systems and networks;
- is needed for system administrators to diagnose and correct problems with system software or hardware;
- may yield information needed to deal with an emergency;
- is needed for the ordinary business of Troy University to proceed, (e.g., access to data associated with an employee who has been terminated/separated or is pending termination/separation, is deceased, is on extended sick leave, or is otherwise unavailable);
- is necessary to comply with a written request from the Senior Vice-Chancellor for Student Affairs, or designee, on behalf of the parents, guardian, or personal representative of the estate of a deceased student; or
- is for research authorized by Troy University under a data use agreement that precludes the disclosure of personally identifiable information.
This policy governs access to the files and communications transmitted on or stored in Troy University’s IT Resources.
Any individual whose personal files and communications exist on a Troy University IT Resource by virtue of unauthorized access will have no expectation of privacy.
Information Technology Resources (IT Resources)
Computers, Networks, Devices, Storage, or other IT equipment
812.4.1 Application, System, and Network Login Banner
Where possible, all Troy University applications and systems (excluding endpoints and mobile devices) must display the following login banner to all users prior to authentication of user credentials:
This information technology resource is the property of Troy University and is available for authorized use only, in accordance with University IT policies. Any and all files on this system are subject to being audited, inspected and disclosed to authorized system administrators and/or law enforcement personnel to fulfill administrative and/or legal obligations. By using this system, I acknowledge these terms.
812.4.3 Requests for Access
All requests for access to information that is transmitted over or stored on Troy University systems and networks should be directed to the CTO or designee. The determination of whether access to information is necessary to fulfill administrative or legal obligations is made by the CTO or designee, and may not be made at the departmental or unit level.
- Business Continuity
Refer to Security Standards and Procedures for detailed procedures.
- Deceased Students
Refer to Security Standards and Procedures for detailed procedures.
Refer to Security Standards and Procedures for detailed procedures.
- Legal Requirements
Refer to Security Standards and Procedures for detailed procedures.
Refer to Security Standards and Procedures for detailed procedures.
- System Integrity
Refer to Security Standards and Procedures for detailed procedures.
- Violation of Law or Policy
Refer to Security Standards and Procedures for detailed procedures.
Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable Troy University disciplinary procedures, as well as personal civil and/or criminal liability.
Reason For Policy
This Information Security Plan ("Plan") describes safeguards implemented by Troy University to protect covered data and information in compliance with the FTC's Safeguards Rule promulgated under the Gramm Leach Bliley Act (GLBA). These safeguards are provided to:
- Ensure the security and confidentiality of covered data and information;
- Protect against anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.
This Information Security Program also identifies mechanisms to:
- Identify and assess the risks that may threaten covered data and information maintained by Troy University;
- Develop written policies and procedures to manage and control these risks;
- Implement and review the program; and
- Adjust the program to reflect changes in technology, the sensitivity of covered data and information and internal or external threats to information security.
GLBA mandates that Troy University appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.
813.2.1 Information Security Program Coordinator(s)
The Chief Technology and Security Officer and Vice-Chancellor of Finance and Business Affairs have been appointed as the coordinators of this Program at Troy University. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to Troy University. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security policies and practices delineated in this program.
813.2.2 Identification and Assessment of Risks to Customer Information
Troy University recognizes that it is exposed to both internal and external risks, including but not limited to:
- Unauthorized access of covered data and information by someone other than the owner of the covered data and information
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of covered data and information by employees
- Unauthorized requests for covered data and information
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of covered data and information through third parties
Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, Troy University Cyber Security will actively participate and monitor appropriate cybersecurity advisory groups for identification of risks.
Current safeguards implemented, monitored and maintained by Troy University Cyber Security are reasonable, and in light of current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by Troy University. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.
813.2.3 Employee Management and Training
References and/or background checks (as appropriate, depending on position) are performed for new employees working in areas that regularly handle covered data and information (e.g. Cashiers Office, Financial Aid). During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard covered data and information.
813.2.4 Physical Security
Troy University has addressed the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to Troy University employees with an appropriate business need for such information.
Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.
813.2.5 Information Systems
Access to covered data and information via Troy University’s computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. Troy University has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to Troy University’s information systems. These policies and procedures, listed in Section 3 below, are available upon request from the Chief Security Officer.
Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, Troy University has discontinued the use of social security numbers as student identifiers in favor of the Troy ID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.
813.2.6 Management of System Failures
Troy University Cyber Security has developed written plans and procedures to detect any actual or attempted attacks on Troy University systems and has an Incident Response Plan which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This document is available upon request from the Chief Security Officer.
813.2.7 Oversight of Service Providers
GLBA requires Troy University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Security Program Coordinator(s) will identify service providers who have or will have access to covered data, and will work with the Office of Legal Affairs and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data.
813.2.8 Continuing Evaluation and Adjustment
This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinator(s), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s), in consultation with the Office of Legal Affairs, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.
Covered data and information
Covered data and information for the purpose of this program includes student financial information (defined below) that is protected under the GLBA. In addition to this coverage, which is required under federal law, Troy University chooses as a matter of policy to include in this definition any and all sensitive data, including credit card information and checking/banking account information received in the course of business by Troy University, whether or not such information is covered by GLBA. Covered data and information includes both paper and electronic records.
Pretext calling occurs when an individual attempts to improperly obtain personal information of Troy University customers so as to be able to commit identity theft. It is accomplished by contacting Troy University, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit (sometimes referred to as Social Engineering), convincing an employee of Troy University to release customer-identifying information.
Student financial information
Student financial information is that information that Troy University has obtained from a student or customer in the process of offering a financial product or service, or such information provided to Troy University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.
813.4.1 Related Policies, Standards and Guidelines
Troy University has adopted comprehensive policies, standards, and guidelines relating to information security, which are incorporated by reference into this Information Security Program. They include:
- Cyber Security Policy
- Unit-Level Network Usage Policies
- Data Access Policy (including Sensitive Data & Server Registration)
- Credit Card Processing Policy
Data Protection Safeguards
Upon approval, this policy shall be published on the Troy University website. The following offices and individuals shall be notified via email and/or in writing upon approval of the program and upon any subsequent revisions or amendments made to the original document:
- Senior Vice-Chancellors
- Department Heads
- Unit-level business officers
- Internal Auditing
FTC: Final Rule--Standards for Safeguarding Customer Information (16 CFR Part 314)
FTC: Final Rule--Privacy of Consumer Financial Information (16 CFR Part 313)
FTC Guidance: Financial Institutions and Customer Data--Complying with the Safeguards Rule
NACUA Cyber Security Resources Page
NACUBO GLB Act Resources Page
814.1.1 The approval process for all credit card processing activities
The Senior Vice Chancellor of Financial Affairs or delegate must approve all credit card processing activities at Troy University prior to entering into any contracts or purchasing equipment. This requirement applies regardless of the transaction method used (e.g. online processing at Troy University, outsourced to a third party, or swipe terminals).
All technology implementation associated with the credit card processing must be in accordance with the Credit Card Processing Procedures and approved by the Chief Technology Officer prior to entering into any contracts or purchasing equipment.
All credit card numbers must be handled in accordance with the Data Access Policy requirements for category 4 data. Please contact OIT Information Security for assistance with interpretation and implementation. However, instances of P-card numbers or corporate cards where 4 or fewer numbers are functionally present may be handled as category 3 data. Any conflicts between the requirements of the Data Access Policy and the Credit Card Processing Procedures will be resolved in favor of the Credit Card Processing Procedures.
814.1.2 Units approved for credit card processing activities must maintain the following standards
- Provide appropriate training to all employees handling systems with credit card numbers including both personnel within the unit handling the credit card transactions and appropriate personnel in the Office of Information Technology.
- Create, maintain and test annually business continuity/disaster recovery plans and system compromise response plans.
- All outsourcing agreements must meet the standards set forth in the Credit Card Processing Procedures.
- All servers storing or processing credit card numbers will be housed with the Office of Information Technology. All servers and POS Terminals will be administered in accordance with the requirements of the Credit Card Processing Procedures.
- Credit card numbers will be retained for a maximum of 90 days. The only exception is transactions for future events, which may be retained up to 180 days from the transaction date. All media used for credit card numbers must be destroyed when retired from this use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.
- Access to credit card numbers must be restricted to the minimum number of people possible. No employee may have access to credit card numbers until he or she has attended the Credit Card Processing Policy Training and has tendered written acknowledgement of receipt of a copy of this policy, the Credit Card Processing Procedures and other appropriate policies (e.g., Data Access Policy, Service Certification Process and Procedure, and unit level security policy). After completion of these requirements, the unit head may issue, in writing, authorization for the employee's access. No employee will have access to credit card numbers without such written authorization.
- Each unit responsible for credit card processing must complete audits quarterly on all systems storing or processing credit card numbers to ensure compliance with this policy and the associated procedures. The Office of Information Technology will participate in these audits. Annual audits must be performed by Office of Information Technology Information Security to confirm the results of the quarterly audits.
- All computers handling, processing, or storing credit card numbers must be registered in accordance with the revised Computer and Network Usage Policy.
All academic units, administrative units, organizations, and employees of Troy University, or that use systems or networks supported by Troy University, must abide by this policy.
This policy specifically addresses all credit card processing by Troy University. All POS terminals handling credit card numbers (in full or truncated) and all servers receiving, storing, or transmitting credit card numbers (in full or truncated) are subject to this policy. An exemption is provided for P-card numbers provided the credit card number is functionally truncated to four digits or less.
The computer hosting the application that the general end-user or the point-of-sale (POS) terminal connects
Category III Data Sensitive
This information is considered private and should be guarded from disclosure; However, public disclosure of this information due to a system compromise generally does not result in financial fraud or violation of State and/or Federal law. Examples include intellectual property information, private directory listings, and contract negotiations.
Category IV Data Highly Sensitive
Any disclosure of this information, intentional or otherwise, may contribute to financial fraud and/or violate State and/or Federal law. Examples include Social Security numbers, credit card numbers, financial institution account numbers, and employee and student health records.
Cardholder Information Security Program (CISP)
The formal data protection program mandated by Visa
Card Verification Value 2 (CVV2)
An additional verification code used in transaction processing
Credit Card Number
Any part or all of the unique number identifying the account for a financial transaction
The computer storing the sales and/or credit card numbers
Any internet-enabled financial transaction application, whether a buying application or selling application
Any employee (as defined by the Employee Handbook) faculty, student employee, or contractor employed by a third party and providing services to the Troy University
Scrambling data in a recoverable format
A network device or host-based software implementation designed to restrict network access to a computer
Scrambling data in an unrecoverable but verifiable format
Intrusion Detection System (IDS)
A network monitoring device for recognition of attempts to compromise monitored systems
The International Standards Organization document defining computer security standards. The credit card vendors may have based their policies on this standard.
Point-of-Sale (POS) computer terminals either running as standalone systems or connecting to a server either at the Troy University or remotely off site
Purchase Cards (P-Cards)
Credit cards obtained by Troy University through a customer agreement with a bank for procurement purposes.
Site Data Protection Program (SDP)
The formal data protection program mandated by MasterCard
POS credit card terminals
Authentication requiring two different methods confirming identity typically based on something the user has (e.g. a card, a key, a fingerprint) and something the user knows (e.g. a password)
The design, development, implementation and management of the front-end of the eCommerce application
814.4.1 Executive Summary
These procedures are required in direct support of the Troy University Credit Card Processing Policy and were included in the original approval of the policy. This document sets forth the technical details and procedural requirements for implementing credit card processing at Troy University or outsourcing that processing to a third party. The procedures' scope, revisions, exceptions, and compliance are noted in the Credit Card Processing Policy.
The procedures are separated into the following general areas of interest:
814.4.2 Computer system security requirements
All computers handling credit card numbers must have the following in place:
- A host-based firewall technology preventing connections from all ports except a specific subset (e.g. 443 for secure web transactions, IP restricted port 22 for system administration).
- All firewall rules must be documented and modifications approved in keeping with the Service Certification Process.
- All Microsoft Windows computers must run anti-virus software.
- File integrity monitoring to an external system for critical system and application files for inappropriate/unauthorized modifications. Reviews for potential changes must occur daily.
- System logging or auditing to an external server for all critical operating system modifications (e.g. all logins, unauthorized file access attempts), with the log maintained for at least 6 months.
- A single function (e.g. application or database) is implemented per server.
- Security patches must be tested and, if possible, applied within one week of vendor release. All patches must be applied, or documentation explaining the implementation problem provided, within 30 days.
- A change log must be maintained for all servers.
- Passwords must be at least 8 characters long, must be complex (include a number or special character), must expire after 90 days or less, must not reuse the last 4 passwords, and must be stored in an encrypted or hashed format.
- All accounts must be disabled after 30 days of inactivity and, if not re-enabled and actively used, removed after an additional 60 days. The only exception is emergency accounts used for system recovery and not used regularly.
- All system patches must be applied to a new computer before connecting to the network. All default account names and default passwords must be changed before connecting to the network.
- All computer security configurations and services/daemons must be reviewed before connecting to the network.
- Perform vulnerability testing on associated computers every 30 days with penetration testing at least annually.
- Only allow computer access by uniquely assigned and auditable IDs.
814.4.3 Connectivity security requirements
All computers handling credit card numbers must have the following provisions in place for network and modem connectivity:
- A network-based firewall preventing inappropriate/unauthorized access from outside the academic/business unit or specific authorized computers.
- An intrusion detection system monitoring for unauthorized access attempts.
- 24/7 monitoring of network-based firewall and IDS systems for potential penetrations and 24/7 on-call expertise for potential security incidents.
- Two-factor authentication for routers servicing all computers connecting to, handling, processing, or storing credit card numbers.
- Specific authorization for modem connections. All modem connections must be outbound only.
- All data transfers and administrative access must be in an encrypted format (e.g. SSL, SSH, IPSEC).
814.4.4 Credit card number storage requirements
Credit card numbers must be protected by encryption, hashing, or truncation. No complete credit card numbers will be stored on computers owned by Troy University in an unprotected manner. Standard encryption algorithms must use at least a 128-bit key. Minimum key lengths will be increased as computing processing power improves. Minimum key lengths for new encryption technologies must be provided with these guidelines prior to implementation. Keys must be in a single accessible location with back-ups. Keys must be changed every 90 days and old keys must be deleted/destroyed after an additional 30 days.
The following additional requirements apply to computers storing credit card numbers and network connectivity beyond those noted in "Computer System Requirements" and "Connectivity Security Requirements":
- Accounts must lock-out after six or fewer invalid login attempts and require manual re-enabling.
- Sessions must time-out after 15 minutes.
- All accesses to credit card numbers must be logged.
- All root access activities must be logged to an external server.
- The system must not be openly accessible from any public network.
- The computer's IP address must not be available outside the local subnet.
- A dedicated firewall must be in place specifically for computers storing credit card numbers to prevent any public access to protected systems. Access is only permitted by exception, by both IP and port.
- Credit card numbers must not be stored in multiple locations with the exception of backups.
- CVV2 information must not be stored beyond the transaction authorization point.
- Two-factor authentication is recommended.
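As an added example, not code from Troy University or its procedures, the storage rules above applied to one stored record: truncation to the last four digits, a salted hash as the "unrecoverable but verifiable" form, the 90/180-day retention limits, and the 90-day key rotation with 30-day destruction window. The record layout, field names and sample dates are constructed here.

```python
"""Added example (not Troy University's own code): checks a stored card record
against the storage requirements of section 814.4.4. The record fields
('pan', 'pan_hash', 'last4', 'cvv2', 'transaction_date', 'future_event') and
the sample values are assumptions made for this illustration."""
import hashlib
import hmac
from datetime import date, timedelta

# Limits taken from the policy text (all in days, except the key size).
RETENTION_DAYS = 90               # normal transactions
FUTURE_EVENT_RETENTION_DAYS = 180  # transactions for future events
KEY_ROTATION_DAYS = 90            # keys must be changed every 90 days
OLD_KEY_GRACE_DAYS = 30           # old keys destroyed after a further 30 days
MIN_KEY_BITS = 128                # minimum key length for standard algorithms


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and the bare form match."""
    return "".join(ch for ch in pan if ch.isdigit())


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits: the policy's 'functionally truncated' form,
    which the P-card exemption treats as category 3 rather than category 4 data."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str, salt: bytes) -> str:
    """Unrecoverable but verifiable form: a salted SHA-256 lets two transactions
    be matched to the same card without the number itself being stored."""
    return hashlib.sha256(salt + _digits(pan).encode()).hexdigest()


def pan_matches(pan: str, salt: bytes, stored_hash: str) -> bool:
    """Constant-time comparison of a presented number against the stored hash."""
    return hmac.compare_digest(hash_pan(pan, salt), stored_hash)


def retention_deadline(transaction_date: str, future_event: bool) -> str:
    """Last day (ISO date) on which the record may still be retained."""
    days = FUTURE_EVENT_RETENTION_DAYS if future_event else RETENTION_DAYS
    return (date.fromisoformat(transaction_date) + timedelta(days=days)).isoformat()


def must_purge(transaction_date: str, future_event: bool, today: str) -> bool:
    """True once the retention period has been exceeded."""
    return today > retention_deadline(transaction_date, future_event)


def key_schedule(key_created: str) -> dict:
    """Rotation and destruction dates for a key created on the given ISO date."""
    created = date.fromisoformat(key_created)
    rotate_by = created + timedelta(days=KEY_ROTATION_DAYS)
    destroy_by = rotate_by + timedelta(days=OLD_KEY_GRACE_DAYS)
    return {"rotate_by": rotate_by.isoformat(), "destroy_by": destroy_by.isoformat()}


def key_length_ok(key: bytes) -> bool:
    """Enforce the 128-bit minimum on a raw key."""
    return len(key) * 8 >= MIN_KEY_BITS


def check_record(record: dict, today: str) -> list:
    """Return the policy findings for one stored record (empty list = compliant)."""
    findings = []
    if "pan" in record:
        findings.append("full card number stored unprotected")
    if record.get("cvv2") is not None:
        findings.append("CVV2 retained beyond the authorization point")
    if must_purge(record["transaction_date"], record.get("future_event", False), today):
        findings.append("retention period exceeded")
    return findings


if __name__ == "__main__":
    salt = b"constructed-salt-for-illustration"
    # Constructed record that stores only the hash and the truncated form.
    good = {"pan_hash": hash_pan("4111 1111 1111 1111", salt),
            "last4": truncate_pan("4111 1111 1111 1111"),
            "transaction_date": "2024-01-01"}
    # Constructed record that violates three requirements at once.
    bad = {"pan": "4111111111111111", "cvv2": "123",
           "transaction_date": "2024-01-01"}
    print("good record:", check_record(good, "2024-02-01"))
    print("bad record: ", check_record(bad, "2024-04-01"))
    print("key created 2024-01-01:", key_schedule("2024-01-01"))
```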
814.4.5 Physical security requirements
All servers storing credit card numbers must have the following provisions in place:
- The servers must be in the Network Operations Center (NOC) for the Office of Information Technology. Servers must be placed in a separate locked room within the NOC or within locked racks. Video surveillance must be maintained on the servers. All access to servers by anyone except employees specifically approved for access to the credit card numbers must be escorted continuously.
- The NOC must log all room access (maintained for at least 90 days), maintain video surveillance of room ingress and egress, and provide identification for easily distinguishing employees, visitors, and inappropriate access. Visitors must be issued a NOC ID that must be returned or issued a temporary ID and continuously escorted.
- All backup media must be secured on site, off site, and in transit. All transportation must be handled by approved Institute employees or bonded couriers.
814.4.6 Outsource requirements
Any unit may elect to outsource its credit card transaction processing. This option transfers the risk to the outsourced service. Approval for credit card transaction processing must follow the standard approval process.
Contracts must address these elements:
- Compliance with all appropriate credit card company security requirements.
- Service level agreements.
- Defining data retention and destruction requirements.
814.4.7 Review process of credit card transaction processing request
- Document the business need for accepting credit card transactions in a new unit or location.
- Meet with Financial Services for justification and approval of business case.
- Meet with Information Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
- Meet with the CTO or designee for the Office of Information Technology for technical approval of implementation.
- Meet with Troy University Legal Affairs to ensure all contracts meet federal, state, and contractual requirements.
Upon approval, this policy shall be published on the Troy University Office of Information Technology website under policies and on the Business Office web site.
The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:
- Senior Vice-Chancellors
- Internal Auditing
814.4.9 Revisions and Exceptions
This policy may be revised only by signature by the Chancellor of Troy University.
The Senior Vice-Chancellor of Finance and the CTO may grant exceptions to this policy or revise the Credit Card Processing Procedures document by mutual agreement.
Failure to comply with this policy and the associated required procedures by employees will be deemed a violation of Institute policy and subject to personnel action up to and including termination as noted in the Employee Handbook and/or the Faculty Handbook. Technology that does not comply with this policy and the associated required procedures is subject to disconnection of network services or confiscation of equipment pending review and approval of processes, procedures, and/or equipment.
Reason for Policy
Troy University developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's (FTC) Red Flags Rule. The Red Flags Rule implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After consideration of the size and complexity of Troy University's operations and account systems, and the nature and scope of Troy University's activities, Troy University determined that this Program was appropriate.
815.2.1 Requirements of the Red Flags Rule
Under the Red Flags Rule, Troy University is required to establish an Identity Theft Prevention Program. The program must contain reasonable policies and procedures to:
- Identify relevant Red Flags for new and existing covered accounts, and incorporate those Red Flags into the Program;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected in order to help prevent and mitigate Identity Theft; and
- Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of Troy University from Identity Theft.
Responsibility for developing, implementing, and updating this Program lies with an Identity Theft Committee (Committee) for Troy University. The Committee is headed by the CTO who is the Program Administrator. Troy University's CTO, the representative of Legal Affairs and Risk Management, and such other individuals as may be appointed by the Chancellor of Troy University comprise the remainder of the committee membership. The Program Administrator is responsible for ensuring appropriate training of Troy staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program.
815.2.3 Staff Training and Reports
Troy staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the steps to be taken when a Red Flag is detected. Troy employees are expected to notify the Program Administrator once they become aware of an incident of Identity Theft or of Troy University's failure to comply with this Program.
At least annually, or sooner if requested by the Program Administrator, Troy staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management's response, and recommendations for changes to the Program.
815.2.4 Service Provider Arrangements
In the event Troy University engages a service provider to perform an activity in connection with one or more Covered Accounts, Troy University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:
- Require, by contract, that service providers have such policies and procedures in place; and
- Require, by contract, that service providers review Troy University's Program and report any Red Flags to the Program Administrator or Troy University employee with primary oversight of the service provider relationship.
815.2.5 Non-disclosure of Specific Practices
For the effectiveness of the Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Committee who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other Troy employees or the public. The Program Administrator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.
815.2.6 Program Updates
The Committee will periodically review and update the Program to reflect changes in risks to students and the soundness of Troy University from Identity Theft. In doing so, the Committee will consider Troy University's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in Troy University's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Committee will update the Program.
All employees, students, affiliates, contractors, consultants, vendors, or other consumers of Covered Accounts data, and all Troy data (electronic, paper or otherwise) that could be leveraged to conduct identity theft from Covered Accounts are covered by this policy.
All student accounts or loans that are administered by Troy University, including tuition payment plans, federal and school loans involving multiple payments, and campus payment cards.
Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code.
A fraud committed or attempted using the identifying information of another person without authority.
The individual designated with primary responsibility for oversight of the Identity Theft Prevention Program.
A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
815.5.1 Program Administrator
This policy confirms the need for an Information Security organization, which is responsible for ensuring Troy compliance with this policy, and maintaining this policy as business processes, technology, and methods of identity protection improve. The Program Administrator monitors the activities of and works with the Data Stewards on the development and implementation of campus unit level Identity Theft Prevention Programs.
815.5.2 Identity Theft Committee
The Identity Theft Committee is responsible for confirming incidents of identity theft and determining the appropriate course of action when incidents occur. Additionally, the committee is responsible for supporting the Program Administrator in ensuring the ongoing success of the Identity Theft Prevention Program.
815.5.3 Data Stewards
Data Stewards are responsible for developing and implementing Identity Theft Prevention within their purview. Data Stewards report to the Program Administrator on their activities in implementing unit level Identity Theft Programs.
Individuals covered by the scope of this policy are expected to: a) respect the confidentiality and privacy of individuals whose records they access; b) observe any restrictions that apply to sensitive data; and c) abide by applicable laws, policies, procedures, and guidelines with respect to access, use, or disclosure of information.
Individuals who become aware of potential Identity Theft are expected to report such an incident per the procedures defined by the Identity Theft Prevention Program Administrator. The Program Administrator will report violations to the appropriate Faculty and/or Employment body. Violations of this policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Troy University disciplinary procedures, as well as personal civil and/or criminal liability.
This Policy describes the requirements for appropriate and approved use of externally hosted Troy University Systems and/or Data.
The effective date of this Policy is May 14, 2019.
External hosting of Systems and/or Data can be categorized as the following models:
- Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.
- Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.
- Infrastructure as a Service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it.
For the purpose of this document, the term cloud computing services is used to encompass SaaS, PaaS, and IaaS.
For external hosted Systems and/or Data, each System Owner shall ensure that the Systems protections described in Technology Policy Section 800 and on the Troy IT Best Practices guides are implemented as well as compliance with requirements in the Technology Policy, Section 800, data classification and encryption.
If Sensitive Data and/or Confidential Data are stored on cloud computing services, the relevant contracts must be approved by the University’s Procurement Services and such System’s protections must be assessed by the Information Security Office prior to implementation and reassessed on a periodic basis thereafter, as determined by the level of risk. Currently, vendors are requested to submit HECVAT documentation prior to contract signing.
In addition to other University policies, the following requirements must be followed in the use of cloud computing services:
816.3.1 Pre-requisite Requirements
- Consult with appropriate data owners, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with the Legal Office or the Information Security Office for guidance.
- Contractual requirements:
- Both the University and vendor must declare the type of Data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the Data owned by each party. The parties also must clearly define Data that must be protected.
- The contract must specifically state what Data the University owns. It must also classify the type of Data shared in the contract according to the University’s Data Classification policy requirements. Departments must exercise caution when sharing Sensitive or Confidential Data (as defined by Troy’s Data Classification Policy) within a cloud computing service.
- The contract must specify how the vendor can use University Data. Vendors cannot use University Data in any way that violates the law or University policies.
- Ensure a Service Level Agreement (SLA) with the vendor exists that requires:
- Clear definition of services;
- Agreed upon service levels;
- Performance measurement;
- Problem management;
- Customer duties;
- Disaster recovery;
- Termination of agreement;
- Protection of sensitive information and intellectual property; and
- Definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.
- Cloud computing services should not be engaged without developing an exit strategy for disengaging from the vendor and/or service while integrating the service into normal internal business practices and/or business continuity and disaster recovery plans. The University must determine how Data would be recovered from the vendor.
- A proper risk assessment must be conducted by the Information Security Office prior to any third party hosting or cloud computing service arrangement.
816.3.2 Intellectual property and copyright materials
- Troy University marks, images, and symbols are owned by the University and may not be used or reproduced without the permission of the Office of Communications.
- Review Copyright Policy and understand the appropriate use of intellectual property including copyrights, trademarks, and patents.
816.3.3 Privacy and data security
- Information that the University has classified as “Sensitive Data”, “Confidential Data”, “Internal Data”, or “Public Data” may be used only in accordance with the policy related to the classification of information which may be found in the Data Classification Policy.
- Personally Identifiable Information (PII) may only be used in compliance with information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, FERPA, the Alabama Information Security Breach and Notification Act, similar state laws and PCI-DSS.
- Student information may only be used in compliance with FERPA guidelines.
- Protected Health Information (PHI) may only be used in compliance with HIPAA requirements.
- Export Controlled Information may only be used in compliance with U.S. export control regulations (ITAR, EAR).
816.3.4 Data availability and records retention
- Ensure that all academic, administrative, or research related data are retained according to the records retention requirements.
- Back-up data regularly to ensure that records are available when needed, as many providers assume no responsibility for data-recovery of content.
816.3.5 Supplemental Requirements
The requirements lists set forth in this Policy are not comprehensive and supplemental controls may be required by the University to enhance security as necessary.
This Policy describes the management of all Troy University data.
The effective date of this Policy is May 14, 2019. Last update June 29, 2022.
TROY University is committed to providing a widely-available campus computing environment consistent with the institution’s mission of teaching, research and service. Equal to this commitment is the responsibility of the organization to ensure the integrity of TROY University data and to encourage and enforce confidential, legal and ethical standards of management and use of these data. An important aspect of this responsibility is TROY University’s continuing compliance with all applicable federal and state laws governing disclosure of information in these databases.
All data captured using TROY University assets are resources of TROY University. This policy applies to data critical to the administration of TROY University. TROY University is the Data Owner of data which may reside in different database systems, on different machines and in printed form. Data in aggregate may be thought of as forming a logical database. This terminology does not imply that these data now or in the future should reside in a single physical database. It recognizes that regardless of where the data reside, there are some general principles of data management that should be applied in order to maintain the confidentiality, integrity and availability of TROY University’s information resources. In addition, legal and ethical standards of use apply to all data available to TROY University computer users. These data include, but are not limited to, information in report form (printed or electronic); data stored on TROY University systems, local area networks and individual workstations; and transportable storage media and cloud, externally-hosted solutions.
TROY University considers violation of any of these general policies and standards to be a serious offense and reserves the right to copy and examine any files or information resident on TROY University computer systems allegedly related to inappropriate use. Violators are subject to disciplinary action as prescribed in the appropriate TROY University staff or faculty handbook. Offenders may also be subject to prosecution under applicable federal, state and local statutes.
Complete data governance policy and data management framework is available at https://it.troy.edu.