3.4.11

3.4.11 – Educational Programs

The institution protects the security, confidentiality, and integrity of its student academic records and maintains special security measures to protect and back up data.

_X_ Compliance ___ Partial Compliance ___ Non-Compliance

Statement of Rationale for Judgment of Compliance ( Pat Black, Anson Godfrey)

Student academic record files are created, maintained, and updated primarily in the offices of Admissions, Financial Aid, Business Office, and Academic Services/Teacher Certification. Current student records are kept electronically in a Student Information System (SIS) that is physically located in Commerce, Texas on the campus of Texas A&M University-Commerce, a distance of approximately 120 miles. Connectivity to Commerce is provided by a microwave data transmission system.

Permanent record cards for students enrolled prior to 1983 are maintained in hard-copy format. When a student requests an official transcript, the hard copy records are entered into the SIS system.

Other offices that have access to SIS and/or generate limited confidential student records of their own are Deans, Faculty, Graduate Studies, Special Student Services, Institutional Effectiveness, and Institutional Advancement. In addition, faculty and staff are reminded of security issues through presentations and discussions during faculty and staff meetings.

Security of student academic records

On the local campus, security is maintained primarily by strictly limiting access to the student academic records.

Access to the Student Information System (SIS) by employees through the local area network computers is password protected and is granted only on a “need to know” basis.^1aInitial password acquisitions are both validated and assigned by the Registrar. The process requires that the employee file a formal request ^1b to their supervisor, with final approval granted by the following.²

SIS Admissions and Records - Director of Admissions and Registrar (Pat Black)

SIS Financial Aid - Director of Financial Aid (Marilyn Raney)

SIS Billing and Receivables – Business Manager/Bursar (Jo Ellen Sutton)

Access to student records via the web is also strictly regulated by the Registrar’s Office.

Faculty have access to student records via Web for Faculty.³ They must obtain an identification number and password to access the system, and are required to change their password to another six-digit number before utilizing the system. Web for Faculty training is available online.⁴

Students are granted access to only their personal academic records via Web for Students.⁵ Like Web for Faculty, access is regulated by the Registrar’s Office and students must have an identification number and password to access the web based system. The initial password is assigned when the student’s Application for Admissions is entered. Students are required to change their password to another six-digit number before they can utilize the system.

Access to physical records is regulated by processes in place within the various offices that maintain student record files. All physical student records are kept in a secure room in secure files with access only by authorized persons.

Data transmission via microwave to the university’s mainframe computer in Commerce is secured by a virtual private network utilizing Cisco network security equipment which creates authentication of users and encrypts data between the user and the database at Commerce. The SIS+ system in Commerce has the following security precautions according to Michael Cagle, system administrator.

The SIS+ system is located in a restricted area.
Access to the restricted area is limited to approximately 15 persons by a keypad/card reader door opening device that maintains logs of entry to the room.
The SIS+ system is behind an electronic firewall.
Connectivity to the SIS+ system from Texarkana is protected by a virtual private network (VPN) requiring another level of password protection to access the system. This method encrypts all data between Texarkana and the SIS+ system.
The SIS+ system is segmented from the rest of TAMU-Commerce’s network.
Passwords are required to be changed every 90 days. The system rejects the last 5 passwords used.
E-mail coming into and leaving TAMU-Commerce is scanned for viruses before being delivered to users mailboxes. The e-mail gateways automatically check for virus definition updates every four hours.
TAMU-Commerce regularly performs intrusion detection.

As noted earlier, other employees have access to student academic records, and generate confidential records in their respective departments. If the access is to the SIS system, the data is secured by the process addressed under the first bullet above. If confidential student records are generated within the department the table below summarizes how each of the departments secures the information.

Security of data in other departments that handle confidential student information

Office	SIS Access	SIS Input Capability?	Other Electronic data	Security for other electronic data	Security for Hard Copy
Academic Services/Teacher Certification	Yes	Yes	Yes	Password / lock computer	Limited access area / locked Files
Deans	Yes	Secretaries only, Course information only	Yes	Password / lock computer	Limited access area / locked Files
Faculty	Through Web for Faculty	Yes, but for grades only over a two-week period each semester.	Yes	Password / lock computer	Limited access area / locked files
Graduate Studies	Through Web for Faculty	Yes, as needed for graduate degree tracking	Yes	Password / lock computer	Limited access area / locked Files
Institutional Advancement	Yes	No	Yes	Blackbaud Computer Program / password	Limited access area / locked files
Student and Academic Support Services	Some offices do have access	Some offices do have input capacity	Yes	Password / lock computer	Limited access area / locked Files
Institutional Effectiveness	Yes	No	Yes	Password / Lock computer	Limited access area / locked files

Confidentiality of student academic records

Texas A&M University-Texarkana adheres to established guidelines protecting the right to privacy and confidentiality of student academic records based on the Family Educational Rights and Privacy Act (FERPA) regulations.¹ Before faculty or staff are given access to student records, they must complete FERPA Training,⁷ have a completed training form,⁸ and a signed FERPA Acceptance of Responsibility Form on file.⁹

Integrity of student academic records

Texas A&M University-Texarkana Technology and Distance Education Security Access Request Procedures describes the training necessary for access to certain student databases in an effort to maintain the integrity of the information.¹⁰When the university requests information from any party on a form, by state law, there is a standard disclaimer that should be attached to that request describing the student’s right to review and challenge the integrity of records.¹¹

Security measures to protect and back up data

All student academic data stored electronically is backed up on a regular basis.

Local backup is done by department.

o Admissions backs up their data, and electronic records on a weekly basis and stores the media off campus in a secure bank vault.

o Financial Aid backs up their data and electronic records three times a week onto CDs and two times onto floppy Disks and Zip disks. The CDs, floppies and Zip disks are stored in a fire-proof vault on campus.

o The Business Office records are backed-up when the main-frame is backed up in Commerce.

o For back-up and security processes of student records in other departments, see table above, “Security of data in other departments that handle confidential student information.”

SIS System-wide backup schedule (according to Michael Cagle, system administrator at TAMU-Commerce)

The SIS+ data is being backed up twice per day, before and after nightly production, and the back-ups are tested periodically.
The backed-up data is stored off-site at a dairy facility that is part of the A&M-Commerce campus properties.
The computer room has a battery back-up system that keeps all servers going during a power failure. The server hosting the SIS for A&M-Texarkana has redundant power and mirrored disks.
A&M-Texarkana’s SIS+ system is included in TAMU-Commerce’s disaster recovery plan, and said plan has been tested.

Organizational unit(s) responsible for this requirement: Primarily: Technology and Distance Education, Registrar/Admissions, Financial Aid, and Business Office. Secondarily: Deans, Faculty, Graduate Studies, Special Student Services, Institutional Effectiveness, and Institutional Advancement

Documentation

Source or Document Name	Web Address or Document Location	Date Website Accessed
^1a&b Texas A&M University-Texarkana Technology and Distance Education Security Access Request Procedures	Access Request Form > See “Procedures for Centralized Databases: FAMIS, SIS, USAS,” # 6 > See also, “General Information – Centralized Databases:,” paragraphs C, D, and E	5/9/05
² Security Access Request Form	Security Access Request Form > See Part III, Data Access, paragraph D, Data owners…	5/11/05
³ Web for Faculty	http://www.tamut.edu/web4students/index.html	5/11/05
⁴ Web for Faculty Tutorial	http://www.tamut.edu/admissions/web4faculty/web4faculty_files/frame.htm	5/11/05
⁵ Web for Students	http://www.tamut.edu/web4students/index.html	5/12/05
⁶A&M-Texarkana General Catalog 20042005	http://www.tamut.edu/admissions/0405catalog.pdf > Page 11, 25 “Directory Information” > Pages 25-26, “Student Records” and all sub-headings > Pages 16, “Web for Students” and “How to Use Web for Students”	5/12/05
⁷ Texas A&M University-Texarkana Security Access Request Form for Centralized Databases	Security Access Request Form > See Part III, Data Access, C: SIS: Documentation of Training (required)	5/12/05
⁸ Texas A&M University-Texarkana Technology Training Verification Form	http://www.tamut.edu/sacs/3-4-11_trainver.pdf	5/12/05
⁹ Texas A&M University-Texarkana Acceptance of Responsibility Family Educational Rights and Privacy Act	http://www.tamut.edu/sacs/hr5.pdf	5/12/05
¹⁰ Texas A&M University-Texarkana Technology and Distance Education Security Access Request Procedures	Access Request Form > See “Procedures for Centralized Databases: FAMIS, SIS, USAS,” # 6 > See also, “General Information – Centralized Databases:,” paragraphs A, C, D, and E	5/12/05
¹¹ Texas A&M University-Texarkana Technology and Distance Education Security Access Request Procedures	Access Request Form > See disclaimer at bottom of page. This is typical for forms requesting information from students or constituents.	5/12/05