Information and Systems Access Policy (Policy 80)
Approved By:
President Elaine P. Maimon
Issued:
Revised:
Last Reviewed:
Related Policies:
Policy Owner / Contact Person:
Additional References:
- FERPA (20 U.S.C. § 1232g; 34 CFR Part 99)
- Illinois Identity Protection Act (IPA) - 5 ILCS 179
Policy Categories:
Purpose
The Director - Applications Development in the Information Technology Services Department is responsible for the administration of access to data and the Colleague® Enterprise Resource Planning system. An important part of this duty is to ensure that only duly authorized persons have access, and to ensure that access is removed when it is no longer needed.
Best practices in Information Technology dictate that access should be guided by set policies and established procedures to ensure consistent enforcement and proper management of University resources.
Definitions
- Employee: A person employed by Governors State University (GovState) in any capacity (faculty, staff, student worker) for any period of time (part-time, full-time, contract). Employees are responsible for requesting access and for notifying their supervisor of changes in roles and of separation from GovState.
- Supervisor: Person in charge of a University unit or department with the role of approving user access requests, and notifying GovState about employee separations and role changes in their units.
- Human Resources Department: Department in charge of managing human resource relations and processes. The role of the Human Resources (HR) Department is to notify the Information Technology Services (ITS) department when an employee separates or changes positions.
- Data Custodians: Persons responsible for key functional units of the institution. The role of the data custodian or their designee is to approve/reject access requests to their respective functional modules. Data Custodians are authorized approvers, typically unit heads; a full list of Data Custodians can be found in the "Information Systems Access Procedures" on the portal.
- CORE Data Custodian: Individual responsible for the common core part of the system as defined in the "Information Systems Access Procedure" on the myGSU portal.
- Information Technology Services Department: The Information Technology Services (ITS) Department is the functional unit of the institution that manages systems access and is in charge of processing access requests submitted by users, approved by supervisors, and endorsed by data custodians. ITS also terminates access upon notification from HR about a role change or a separation.
- FERPA: Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.
- IPA: The Illinois Identity Protection Act (IPA) (5 ILCS 179) is an Illinois state law seeking to control the collection and use of Social Security Numbers by state and local government agencies.
- System: Colleague® Enterprise Resource Planning system and associated edge applications provided by Ellucian® (www.ellucian.com).
- Access: The ability for a person to retrieve or edit data from the Colleague® Enterprise Resource Planning system, using the System's provided user interfaces, third-party interfaces, or by any other means.
Policy
User Access Authorization
ITS has procedures in place to enforce adherence to and compliance with FERPA regulations. Any person requiring access to any GSU system that can contain Education Records or Personally Identifiable Information as outlined by FERPA is required to:
- Undergo training covering FERPA rights, responsibilities and regulations.
- Provide proof that training was completed.
- Submit a written authorization form, signed and approved by their unit/department head for the minimum specific access needed to perform their duties.
Once all approvals and a (physical) signed form exist, ITS processes the access form and the original requester is notified. Any access requests in addition to existing access must be requested by the user, approved by their unit/department head and by the respective data custodian(s). Access changes due to position or duty changes require a new FERPA authorization request. ITS documents and archives all FERPA requests in a secured, access-controlled location.
User Access Removal
ITS receives electronic notifications from HR regarding employees who are separating from GovState in accordance with the "Information Systems Access Procedure" on the myGSU portal.
Once ITS receives notification, it processes the removal of access rights to all GovState systems by the date specified in the separation email. If there are exceptions for extended access or additional time needed, HR will need to notify the Associate Vice President (AVP) of ITS via email so that accommodations are made accordingly.
ITS may temporarily remove access if there is evidence that an account has been compromised and/or it is being used by an unauthorized person (not the user). User access may also be removed through regular employee access audits conducted by ITS and verified by HR.
Employee Termination Access Audit
ITS performs periodic reviews of users that have access to University systems and records to determine if the employee remains in the role/position that was authorized by their access request form. HR is notified of any exceptions, whereupon HR will take corrective action.
Compliance with Illinois Identity Protection Act (IPA - 5 ILCS 179)
ITS has controls in place to restrict who can view or edit Social Security Numbers (SSN). These controls prevent viewing of any SSN information by anyone other than those who need the information for the performance of their duties. Authorized uses of SSNs include, but are not limited to, administration of Federal Financial Aid programs, management of financial transactions and collections activities by the Financial Services Office, and management of employee and student benefits by Human Resources and the Department of Public Safety. Other uses include, but are not limited to, use of SSNs for criminal background checks as performed by authorized parties with appropriate consent, and use by local, state and federal law enforcement agencies in specific cases where a warrant or subpoena is present.
ITS removes SSNs from all user screens, and blocks or masks their display through internal security processes in Colleague and on reports. Access to SSN information must be requested by the user, approved by the department head, and then approved by the CORE Data Custodian prior to granting access. Access to this information is limited to those who require it to perform their duties and may be revoked when duties or positions change, or at any time by the department head or the CORE Data Custodian.
The SSN is intentionally excluded from the Operational Data Stores Web Intelligence (WEBI), the database utilized by end users to generate reports and data extracts. If SSN information is needed to submit information to third parties, users must provide their initial file to ITS along with a written request, including unit head approval and justification for the request, to have the SSN information appended to the file.
Requests for reports and data extracts that include SSN information and are created by ITS are made in writing, with unit head approval, and include specifications provided by the receiving party. The results are placed in password-protected and encrypted files in a secured location which has limited access for the requestor and ITS.
In compliance with IPA, GovState does not utilize SSNs for identification, access, or authentication; nor does it display this number in any publication or document, or transmit it through unsecured means. All social security information is transmitted utilizing industry standard strong encryption.
Compliance with FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) Provisions
ITS complies with FERPA regulations by enforcing strict documented controls over who can access Academic Records and Personally Identifiable Information (PII). Access is only granted to those individuals who complete the established authorization process, and is revoked once the person changes duties or leaves the institution.
The Colleague system tracks and controls who can log into the system, what they can access, and whether they can modify any information. This access is controlled by security access classes defined to reflect roles of University employees. Data custodians can grant/deny access to information corresponding to their areas and manage membership to their respective security classes. ITS only adds/removes security classes assigned to users in accordance with properly authorized requests.
ITS only shares established directory information with third-party vendors acting on behalf of GovState (contractors) for use in third-party services to students, such as myOneCard (CardSmith) and only to provide services to students.
ITS also provides notification to all users accessing Colleague about the compliance requirements for FERPA by means of a pop-up message that must be acknowledged prior to accessing the system.
New hires undergo orientation by ITS staff about FERPA requirements, procedures and about the process required to request access to FERPA protected information.