North Carolina State University
SACS Compliance Certification
August 15, 2003

Comprehensive Standards: Educational Programs # 11 (student data protected)
The institution protects the security, confidentiality, and integrity of its student academic records and maintains special security measures to protect and back up data.

Compliance
North Carolina State University is in compliance with this standard.

Explanation
The security, confidentiality, and integrity of NC State University’s student academic records are ensured through the efforts of Administrative Computing Services (ACS) and the Information Technology Division (ITD).     

Access to raw university data is password protected and requires multilevel approval.  The Automated Security Access Process provides access to the student information system, but requires approval by the employee’s department head, by their dean or vice chancellor, by ACS security, and by the university registrar.

Moreover, all employees who have access to student information are required to read and sign a Data Compliance Statement.  This statement informs the employee about the proper use and disclosure of academic information, and about the university’s compliance with the Family Educational Rights and Privacy Act (FERPA).

Further, the university uses audit processes to ensure the integrity of the data stored in the student information system.  The system itself maintains an audit of all substantive changes to any student record.  Each of these changes is reviewed to ensure that there is proper supporting documentation.  University policies, such as the Correction of Error in Grading Policy, define the documentation necessary to change student data.  Grade changes, for example, are validated daily by an employee other than the one responsible for making the change.  This procedure ensures that changes are made correctly and are supported by appropriate documentation. 

The Office of the State Auditor and the university’s Internal Audit Division approve and review these processes.

Similarly, the system support groups of ACS and ITD have processes in place to monitor system security and to create nightly backups of core computing systems.   These processes are consistent with industry standards and are likewise subject to periodic review by internal audits and by the state auditor. 

In addition, the university has used an outside vendor to test the system for potential vulnerabilities that may be exploitable through the Internet.

The university also ensures that student academic records are maintained inviolate in the event of disasters.  The university’s Disaster Recovery Oversight Committee is charged with creating a viable disaster recovery plan for dealing with the loss of centralized communication and computing.  The university has an ongoing process for the development and review of business continuity plans.   In the event of a disaster, these plans will be used to determine appropriate actions until normal procedures can be resumed. 

As part of this process, ACS conducts an annual test of disaster recovery procedures.  A key part of the test is the complete restoration of all centralized computing databases at a remote site.  Core administrative offices throughout the campus participate in the execution and evaluation of this testing procedure.  Similar to the processes used to monitor security and back up student records, these processes are also subject to review by internal audits and by the state auditor.
