Utah State University: Protecting Student Data And Privacy

The University of Utah takes student information security very seriously and has a range of measures in place to protect its students' data. The Information Security Office (ISO) works to ensure the confidentiality, availability, and integrity of university information technology systems and data through appropriate security resources and best practices. The university has a strict password policy, requiring students to keep their uNIDs/usernames and passwords confidential, use unique logins and complex passwords, and store them securely. Students are also advised to enable multi-factor authentication and report any phishing attempts. The university also has clear guidelines regarding the disclosure of student information, with the Family Educational Rights and Privacy Act (FERPA) governing student records and forbidding the release of personally identifiable student educational records without written consent, except in specified situations.

The University of Utah classifies data into three categories: restricted, sensitive, and public

The University of Utah classifies its data into three categories: restricted, sensitive, and public. This is outlined in the university's Data Classification and Encryption Rule (4-004C). This rule, along with the others under Policy 4-004: University of Utah Information Security, is in place to protect university data and the personal information of its students, faculty, staff, affiliates, patients, and guests.

Restricted Data

Restricted data is the most sensitive category and includes personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, and donor and financial information. Restricted data must be protected as required by federal or state laws, regulations, and contractual obligations. It must be encrypted when transmitted outside the university and when stored on mobile devices.

Sensitive Data

Sensitive data has a moderate level of sensitivity and includes employee and student information (protected by the Family Educational Rights and Privacy Act), intellectual property, and contracts. The protection of sensitive data is required by a data steward, a university official responsible for the access and management of institutional data. While encryption is not mandatory, it is strongly recommended.

Public Data

Public data is the least sensitive category and includes information about programs and degrees, academic and resource centers, business contacts and hours, and maps. This information is available on the university's public-facing websites. Public data does not require encryption, although it is encouraged.

Additional Security Measures

The University of Utah also employs additional security measures to protect student information. For example, students are advised to use strong and frequently changed passwords and lock their screens when away from their devices. The university also provides resources to help students and instructors understand how to securely share and store student data, particularly when using new platforms for remote learning and teaching.

The Family Educational Rights and Privacy Act (FERPA) forbids the university from releasing personal identifiable student information without written consent

The Family Educational Rights and Privacy Act (FERPA) is a critical piece of legislation that governs the handling of student records and information at the University of Utah, with the primary purpose of safeguarding student privacy. FERPA imposes strict restrictions on the university's ability to disclose personal identifiable student information.

At its core, FERPA forbids the university from releasing any personal identifiable student educational records, files, or personal information contained within those records or files, without first obtaining the student's written consent. This prohibition ensures that students have control over their personal information and that the university cannot arbitrarily share their details.

However, it's important to note that FERPA does allow for certain exceptions to this rule. For instance, the university may disclose student information to school officials who have a legitimate educational interest in the records. This includes individuals employed by the university in administrative, academic, or support staff roles. Additionally, information may be shared with officials from another educational institution when a student seeks to enrol or is already enrolled there.

FERPA also permits the disclosure of student information to officials from the U.S. Department of Education, the Comptroller General, and state and local educational authorities, particularly in connection with specific state or federally supported education programs. Furthermore, student information may be released to organisations conducting studies on behalf of the university and to accrediting organisations carrying out their official functions.

In addition to these exceptions, there are other circumstances under which the university may access and disclose student information without consent. For example, if there is a health or safety emergency, or if disclosure is required by a state law that was adopted before FERPA (i.e., before November 19, 1974).

It's worth noting that while FERPA provides important privacy protections, students also have the right to inspect and review their educational records. The University of Utah has established procedures to grant student requests for access to their records within a reasonable timeframe, typically no more than 45 days.

To further protect student information, the university employs various IT security measures, such as data classification and encryption. Restricted data, which includes personally identifiable information, must be protected as required by federal and state laws. On the other hand, sensitive data, which includes student information, must be safeguarded by a data steward, who ensures compliance with relevant policies and confidentiality agreements.

The University of Utah also encourages students, faculty, and staff to take proactive steps to protect their accounts and personal information. This includes using strong passwords, enabling multi-factor authentication, and reporting any suspicious activity or phishing attempts.

In summary, the University of Utah takes student privacy seriously and is committed to complying with FERPA by keeping student information secure and only disclosing it under specific circumstances as outlined by the Act.

Students are advised to use strong, cryptic passwords with a minimum of 12 characters

Students at Utah State University are advised to use strong, cryptic passwords with a minimum of 12 characters to keep their information secure. This is because shorter passwords can be cracked much more quickly, with longer passwords offering significantly greater protection. The University recommends that passwords should be unique and complex, with a mixture of numbers, symbols, and upper and lower-case letters.

A password should be difficult to guess and not include personal information such as usernames, names of friends or family, or pet names. It should also not include addresses, birthdays, or hobbies. Essentially, anything that could be inferred from a person's social media or public presence should be avoided. A password manager can be used to securely store passwords across devices, and students are advised to use one rather than writing their passwords down or storing them in a browser.

The University also recommends that students use a unique password for every account, especially critical accounts such as banking. This is because if a password is cracked on one site, criminals will often try that password on other sites to gain access to more accounts. Students are also advised to update their passwords at least once a year, or more often if the account does not have two-factor authentication (2FA) enabled.

In addition to the above, students should also be vigilant for phishing attempts and other cyberattacks, which are becoming more common. Students should never share their uNID and password with anyone and should always use the Phish Alert button to report suspicious activity.

The University of Utah requires Duo Security to access university accounts and resources

The University of Utah takes a number of measures to keep student information secure. The University's Information Security Office (ISO) works to ensure the confidentiality, availability, and integrity of University of Utah information technology systems and data through appropriate security resources and best practices.

One key measure is the implementation of Duo Two-Factor Authentication (2FA). Duo 2FA is required to access university accounts and resources such as UMail, UBox, Campus Information Services (CIS), and Canvas. This provides an extra layer of security by requiring users to log in with a username/password combination, as well as a second method of verifying their identity, such as a mobile phone or tablet. This ensures that even if a criminal obtains a user's login credentials, the information is useless without access to the secondary device. Duo 2FA offers five methods of authentication, including Duo push notifications, one-time passcodes, security tokens, security keys, and Touch ID.

In addition to Duo 2FA, the University of Utah also has policies in place to protect student information. The Family Educational Rights and Privacy Act (FERPA) governs student records and forbids the university from releasing personally identifiable student educational records or files without the student's written consent, except in specified situations. The Act also gives students and former students the right to inspect and review their educational records.

The University also classifies data into three categories - restricted, sensitive, and public - according to its level of sensitivity and associated legal requirements. Restricted data, which includes personally identifiable information (PII) and protected health information (PHI), must be protected by federal and state laws and regulations. Sensitive data, which includes student information, must also be protected, while public data may be protected at the discretion of a data steward.

To further protect student information, the University of Utah recommends the following:

• Using strong, cryptic passwords that are unique for each account
• Avoiding writing down usernames and passwords
• Utilising password managers
• Regularly backing up data
• Using only approved platforms for restricted and sensitive data
• Using secure virtual private networks (VPNs) when accessing university resources remotely
• Being cautious when using public Wi-Fi and avoiding using public computers for school or work
• Using antivirus software and keeping devices up to date with security patches and updates
• Being vigilant against phishing attempts and other cyber scams

Students are expected to check their UMail accounts frequently to stay current with university-related communications

Students at Utah State University are each provided with a University Network ID (UNID) and a UMail account. This is the official means of communication between the university and its students, and students are expected to check their UMail accounts frequently to stay current with university-related communications.

UMail accounts are available to all registered and admitted students, and official university communications will be sent to these addresses. Students are expected to check their UMail regularly and ensure there is sufficient space in their accounts to allow for emails to be delivered. Students must also recognise that certain communications may be time-critical.

The university reserves the right to send official communications to students via email with the expectation that students will receive and read these emails promptly. Students are responsible for ensuring they can access official university communications, even if they forward their UMail to a personal account.

Students can forward their UMail to a private email address, but this is done at their own risk. The university is not responsible for any difficulties that may occur in the transmission or access of email forwarded to unofficial addresses, and this does not absolve students of their responsibility to know and comply with the content of official communications sent to their UMail addresses.

It is important to note that UMail should not be used for unlawful activities. Students should also be cautious about including sensitive data, such as grades, in email messages.

To protect their UMail accounts, students should follow password policies and IT security best practices. This includes keeping their UNIDs/usernames and passwords confidential, using unique logins and complex passwords, storing them securely, and changing them if they believe they have been compromised. Students are also encouraged to use multi-factor authentication for added security.

By following these guidelines, students can help ensure the security and privacy of their UMail accounts and protect their personal and educational information.

Frequently asked questions