Data Security Plan (DSP)
This Data Security Plan for Southeastern Esthetics Institute describes safeguards to protect data, information, and resources. These safeguards are provided to:
This Data Security Plan also provides mechanisms to identify and assess the risks that may threaten covered data, information, and resources; to manage and control these risks; to implement and review the plan; and to adjust the plan to reflect changes in technology, in the sensitivity of covered data, information, and resources, and in internal or external threats to information security. The focus of this document is the system network and the information on that system located on premises at the Southeastern Esthetics Institute.
Information Security Contacts
Primary Contact: Brandon Sykes, 803-556-2360, brandon@seestheticsinstitute.com
Secondary Contact: Courtney Sykes, 803-629-0658, info@seestheticsinstitute.com
Confidential Data Protection
Special care and awareness are required regarding confidential data. Confidential data is any data whose unwarranted or unauthorized disclosure would have an adverse effect on the institution or on the individuals to whom it pertains. Unauthorized disclosure or mishandling of sensitive data can be a violation of federal and state law, and the institution, and its employees personally, can be held liable for damages or remediation costs.
Data that can be used for identity theft, such as social security numbers (SSNs), credit card numbers, bank account information, driver's license numbers, names, addresses, birthdates, passwords, Personal Identification Numbers (PINs), and ID pictures, is of particular concern because all or most of this information is collected in the course of business. Other types of data, such as medical information, tax returns, donor information, mailing lists, scholarship information, financial information, and bidding information, are examples of data that could require confidential handling or restricted access. These examples are not exhaustive. It is the responsibility of every Southeastern Esthetics Institute employee handling Southeastern Esthetics Institute data to understand which data are sensitive and confidential and to adhere to the following guidelines and any applicable regulations.
- Do not collect and/or store SSNs unless it is required by a federal or state agency and there is no other option in terms of unique identifier.
- Data should be stored in as few places as possible and duplicated only when necessary. Unless absolutely necessary, data should be stored on the central system only.
- Avoid storing data on departmental servers or creating "silo" databases that duplicate data held on the central system.
- Never upload, post, or otherwise make available any kind of confidential data on a web server even for short periods of time. Individuals responsible for maintaining web site content must be particularly cognizant and vigilant regarding this matter.
- Inventory and identify the data under your control that is external to central administrative systems. Know where you have data and in what form (electronic, paper, etc.). Purge or delete data files in a timely manner to minimize risk.
- Do not store confidential data on, or copy it to, mobile devices, external systems, or removable storage. This includes smartphones, tablets, USB drives, and any other device that could easily be lost, stolen, or compromised. Southeastern Esthetics Institute also restricts the use of organization-controlled portable storage devices on external systems unless authorized by management.
- Do not store confidential data on or copy it to local workstations or network drives unless such data is not available on centralized systems.
- Know and understand your environment technically. Understand who has access to areas to which you send, receive, store, or transmit data.
- Any sensitive or confidential data must be encrypted in transit. Websites that collect data must use HTTPS with TLS 1.2 or later; older TLS versions and SSL should be disabled on the server. Unencrypted protocols should be abandoned in favor of their encrypted counterparts (e.g. replace Telnet with SSH and FTP with SFTP).
- Do not release Southeastern Esthetics Institute data of any kind to a third party unless that party has agreed in writing to restrict the use of the data to the specific and intended purposes authorized by the Southeastern Esthetics Institute management that enlisted its services. Any Southeastern Esthetics Institute employee releasing data to a third party is responsible for how that data is used (or misused). Release of highly sensitive and confidential data (beyond FERPA-allowed "directory information") is prohibited.
- Do not send, receive, or store any sensitive data using email under any circumstances. Email is not secure.
- Report any breaches, compromises, or unauthorized/unexplained access of confidential data immediately to management.
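The encryption-in-transit guideline above names two concrete checks an administrator can run: whether an inventory still lists plaintext services (Telnet, FTP, HTTP) and whether a site that collects data actually negotiates TLS 1.2 or later. The following Python script, added here as an illustration and not part of the institute's plan or tooling, does both. The inventory URLs it scans are constructed placeholders (the `.example.test` hostnames are not real institute systems), and the network probe `negotiated_tls_version()` is only exercised when you pass a host on the command line.

```python
"""Transport-encryption checks for the guideline above (added example).

Two pieces:
  1. audit_endpoints(): flags inventory entries that still use a plaintext
     protocol and names the encrypted replacement the plan calls for.
  2. tls_client_context() / negotiated_tls_version(): a client context that
     refuses anything below TLS 1.2 and a probe that reports what a server
     actually negotiates, so a site can be checked against the TLS 1.2+ rule.

SAMPLE_INVENTORY is constructed for this example; the hostnames are
placeholders, not real institute systems.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Plaintext protocols the plan says to abandon, and their encrypted replacement.
PLAINTEXT_REPLACEMENTS = {
    "telnet": "ssh",
    "ftp": "sftp",
    "http": "https",
}

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "https://enrollment.example.test/apply",
    "http://intranet.example.test/forms",
    "sftp://backup.example.test",
    "ftp://legacy-files.example.test",
    "telnet://switch01.example.test:23",
    "ssh://switch02.example.test",
]


def audit_endpoints(urls):
    """Return (url, scheme, replacement) for every entry using a plaintext protocol."""
    findings = []
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme in PLAINTEXT_REPLACEMENTS:
            findings.append((url, scheme, PLAINTEXT_REPLACEMENTS[scheme]))
    return findings


def tls_client_context():
    """Client context matching the plan: TLS 1.2 minimum, certificate and hostname verified."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and return the negotiated protocol
    name (e.g. 'TLSv1.3'), or None if the handshake fails. A None result
    covers a server that only offers TLS 1.0/1.1, a bad certificate, and
    a hostname mismatch. Requires network access; not exercised offline."""
    ctx = tls_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


if __name__ == "__main__":
    import sys
    for url, scheme, better in audit_endpoints(SAMPLE_INVENTORY):
        print(f"FINDING: {url} uses {scheme}; migrate to {better}")
    # Optional live probe: python tls_check.py www.example.com [port]
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(host, port, negotiated_tls_version(host, port) or "handshake failed")
```

Because the probe uses the same hardened context a compliant client would, a site that still accepts only TLS 1.0 or 1.1 shows up as a failed handshake rather than a successful connection, which is the behaviour the guideline asks for.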
Controlled Unclassified Information (CUI) - Those types of information for which laws, regulations, or governmentwide policies require or permit agencies to exercise safeguarding or dissemination controls.
Privacy Statement
- Southeastern Esthetics Institute endeavors to ensure that its treatment, custodial practices, and uses of "Personal Information" are in full compliance with all related federal and state statutes and regulations.
- Southeastern Esthetics Institute commits to take reasonable precautions to maintain privacy and security of students' and employees' personal information. Southeastern Esthetics Institute cannot guarantee that these efforts will always be successful; therefore, users must assume the risk of a breach of Southeastern Esthetics Institute’s privacy and security systems.
- Southeastern Esthetics Institute does not intend to sell, or otherwise disclose for commercial purposes, outside the scope of ordinary Southeastern Esthetics Institute functions, students' and employees' name, mailing address, telephone number, e-mail address, or other information. While Southeastern Esthetics Institute makes reasonable efforts to protect information provided to us, we cannot guarantee that this information will remain secure and are not responsible for any loss or theft.
- Personally Identifiable Information is defined as data or other information, which is tied to, or which otherwise identifies, an individual or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information known about them.
- Personal information includes, but is not limited to, information regarding a person's social security number, driver's license, marital status, financial information, credit card numbers, bank accounts, parental status, gender, race, religion, political affiliation, personal assets, medical conditions, medical records, and personnel or student records.
- Some data items are considered directory information and will be released to the public unless a request to prevent disclosure is filed; once such a request is filed, the information is disclosed only for official business. Employees who request confidentiality of that information should contact management; students should contact their admissions contact.
- Southeastern Esthetics Institute strongly discourages the use or storage (electronic/paper) of SSNs in the course of daily academic or administrative business.
- Southeastern Esthetics Institute assumes that failure on the part of any student or employee to specifically request the withholding of categories of information indicates individual approval for disclosure.
- Southeastern Esthetics Institute is bound by the Family Educational Rights and Privacy Act (FERPA) regarding the release of student education records, and in the event of a conflict with Southeastern Esthetics Institute’s policies, FERPA will govern.
Family Educational Rights and Privacy Act (FERPA)
Notification of Rights
The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to their education records, including:
- The right to inspect and review the student's education records within 45 days of the day Southeastern Esthetics Institute receives a request for access. Students should submit to the CEO and/or CAO a written request that identifies the record(s) they wish to inspect. A Southeastern Esthetics Institute official will make arrangements for access and notify the student of the time and place where the records may be inspected. If the records are not maintained by the official to whom the request was submitted, that official shall advise the student of the correct official to whom the request should be addressed.
- The right to request that inaccurate or misleading information in the student’s record be amended. Students may ask Southeastern Esthetics Institute to amend a record that they believe is inaccurate or misleading. They should write the Southeastern Esthetics Institute’s official responsible for the record, clearly identify the part of the record they want changed and specify why it is inaccurate or misleading. If Southeastern Esthetics Institute decides not to amend the record as requested by the student, Southeastern Esthetics Institute will notify the student of the decision and advise the student of his or her right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the student when notified of the right to a hearing.
- The right to consent to disclosures of personally identifiable information contained in the student's education records, except to the extent that FERPA authorizes disclosure without consent, including:
- Disclosure without the student's consent is permissible to school officials with legitimate educational interests. A school official is a person employed by Southeastern Esthetics Institute in an administrative, supervisory, academic, research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom Southeastern Esthetics Institute has contracted (such as an attorney, auditor, or collection agent); a person serving on the Board of Regents; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
- FERPA allows the institution to routinely release information defined as "directory information." The following student information is included in the definition: the student's name, address, e-mail address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, enrollment status (including full-time, part-time, not enrolled, withdrawn and date of withdrawal), degree and awards received, and the most recent previous education agency or institution attended by the student. When a student wants any part of the directory information to remain confidential, an official request form must be completed in the Office of the Registrar within the first five days of class of each school term.
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by Southeastern Esthetics Institute to comply with the requirements of FERPA. The name and address of the office that administers FERPA is:
Family Policy Compliance Office, U.S. Department of Education
400 Maryland Avenue, S.W., Washington, DC 20202-5920