The institution protects the security, confidentiality, and integrity of student records and maintains security measures to protect and back up data.

JUDGMENT: Compliant

STATEMENT OF RATIONALE FOR JUDGMENT OF COMPLIANCE

Southwest Texas Junior College (SWTJC) protects the security, confidentiality, and integrity of its student records and maintains security measures to protect and back up data through a system of integrated procedures.

All paper documents and files connected with student records at SWTJC are housed in a secure environment in all offices that process student records: Admissions & Registrar’s, Financial Aid, Business Office, Human Resources, Advising & Counseling, Vice President of Student Services, and Vice President of Academic Affairs, departmental, and faculty offices.  Records are stored in file cabinets with locks and/or in areas that are secured by doors that lock, and access to the records is limited to the employees authorized by the College to view and work with the files.  The Office of Admissions & Registrar maintains the security of the paper transcripts that were used prior to the use of electronic storage.  These transcripts are maintained in a secure area with limited access to personnel with appropriate credentials for viewing/accessing student records.  The area includes a vault that is secured with a combination lock.

SWTJC’s Information Technology Department maintains numerous precautionary measures to ensure the security of electronic records.  Various controls assure that system security is current and operating effectively.  Some examples are firewalls, virus protection, intrusion detection, and spy-ware blockers.  The integrity of computerized SWTJC student records is validated through daily backups of the student information system (Colleague) and our document management systems, Docuware and Fortis.  System audit trails record transactions in Colleague from processed data to the source of input. These audit trails allow SWTJC personnel to track changes or modifications to students records and to identify those making changes/modifications.  The Information Technology Department’s Procedures and Practices detail the processes in place if an incident occurs that impairs or disables the use of workstations, servers, or networks.  Backup tapes from the prior day are maintained at a different location on campus.  Employee access to student information is controlled and monitored through the assignment of user IDs and individual password codes.  Levels of access are determined by the individual’s role and position at the College. Access must be approved by the appropriate Vice President.

The confidentiality of student records at Southwest Texas Junior College is maintained according to the guidelines of the Family Educational Rights and Privacy Act (FERPA).  College policy concerning disclosure of student records and directory information is available in our College catalog, website, and in the Student Handbook.  Student directory information is available upon formal written request unless a student has restricted the release of such information in writing to the Admissions and Registrar’s office.  Student records are released only to the individual students to whom they belong.  Students may sign a release form granting authorization to release records to designated individuals or educational entities.  The issuance of a student’s academic records (transcripts) is protected by the use of security transcript paper and/or the delivery of electronic records to institutions capable of receiving electronic records via EDI, using Secure File Transport Protocol (SFTP).  Files that are sent using SFTP are encrypted and decrypted on the receiving side, creating a secure pathway.

To safeguard students’ privacy and to avoid identity theft, SWTJC assigns each student a unique identification number that can be used in place of their Social Security Number on any documents that identify the student. Students have access to their records via the web through the security of a user ID and password. Also student records accessed by employees in our Student Information System (Colleague) contain truncated social security numbers. Furthermore, a pop-up privacy code alert indicates a “secure everything” status.

SWTJC manages student records in accordance with the Retention Schedule for Records of Public Junior Colleges, as mandated by the Texas State Library.  SWTJC’s policies, regulations, procedures, and practices are in place to satisfy the requirements established to protect, secure, and preserve all students’ records.

Southwest Texas Junior College uses security metrics to regularly test website security to maintain our compliance with the payment card industry standard. Security Metrics is a payment card industry data security standard company. Security Metrics is a multi-national merchant data security and compliance company headquartered in Orem, Utah. The company is a payment card industry (PCI) data security standard (DSS) vendor, listed as a qualified security assessor (QSA), approved scanning vendor (ASV), P2PE QSA, PCI Forensic Investigator (PFI) and payment application qualified security assessor (PA-OSA) by the PCI security standards council. Security Metrics has working relationships with major payment processing companies and global acquiring banks such as Global Payments Inc, Sterling Payment Technologies, and First Merit Bank to provide PCI compliance and other security solution to their merchants. Security Metrics was officially named a QSA and ASV by the PCI council in 2006, and certified as a Security Assessor for our all four major card associations in the United States: Visa, Mastercard, American Express, and Discover.

From the world’s largest corporations to small internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customers payment card data secure. The size of your business will determine the specific compliance requirements that must be met. Note that enforcement of merchant compliance is managed by the individual payment brands and not by the council – the same is true for non-compliance penalties.

Evidence

SWTJC Website Admission & Registrar
SWTJC Colleague System Back Up Process
FERPA Guidelines
FERPA Consent
SWTJC FERPA Consent Form
Retention Schedule for Records of Public Junior Colleges