Policy on Information Security
Campus Cafe is committed to delivering quality customer support to our client organizations. It is our intention to deliver superior services to you while also recognizing and adhering to strict information security guidelines outlined by the state and federal governments. Campus Cafe is committed to working in partnership with you to ensure that private information is secured and that we have a written policy that documents the steps that we have taken to ensure the availability of our services to you with minimal interruption.
Organizational commitment to privacy and security
Campus Cafe maintains a multi-disciplinary commitment to privacy and security, including roles responsible for the management and security of physical, network, application, authentication, and database assets. Systems that solicit or display personally identifiable information are protected by access controls that require a user ID and password to be entered before access is granted. Access to client connection lists and/or database information is secured utilizing Visual Source Safe™ or similar technologies. For On-Premise customers, school-based installers are available to customers only by written request and are sent using encryption technologies such as a password-protected website using SSL or an FTP site using Secure Shell (SSH) file transfer.
Internal Password Policy
SCAN adheres to a strict password policy for accessing our business computers and systems. All employees are required to log in to their respective computer system each day and log out or lock the screen whenever the computer or server resource is left unattended. The passwords must be changed every 90 days and must be at least 8 characters with a mix of alpha and numeric characters. Passwords are not to be kept in any written form. Employees are not to share passwords amongst themselves or share passwords with external (3rd party) vendors or family members. Employees who violate this policy will be disciplined accordingly. Each member of the Campus Café team is granted full administrative privileges to all system computers and is subject to the appropriate use policy.
Appropriate Use Policy
All Campus Café employees are subject to appropriate use of all company assets including: personal and work computers, office equipment and servers, office telephones and personal cell phones when on company property. Any downloading of inappropriate material, file sharing that disrupts normal business operation, or use of chat programs for non-business-related discussions is subject to disciplinary action. Any use of the physical office space for non-business use will be subject to approval by the company CEO.
Physical Security and Proper Disposal of Non-Computer Based Sensitive Information
Campus Café offices are locked at all times when not in use by an authorized employee. All employees have full physical access to all office and server spaces. All paper records with sensitive information will be shredded after they are no longer needed or kept in a locked filing cabinet when not in use. The office manager is charged with keeping access control over the locked spaces within the office, keeping a record of who has keys, and collecting keys from terminated employees and/or contractors. Security for Cloud-based customers is documented in the SLA (service level agreement).
Security of web-based transactions and Remote Access
SCAN transactions involving personal, confidential, or sensitive information are secured between your web browser and Campus Cafe’s web servers by SSL (Secure Sockets Layer protocol). The transfer or access to databases will take place utilizing modern encryption based technologies. It is SCAN’s policy that we will not download or provide for download or access any database from a client or 3rd party vendor website or FTP site unless the connection is secured utilizing SSL or other similar encryption based technology. All access to client systems must be through a secured Virtual Private Network (VPN) connection.
Personal information saved or received
SCAN occasionally will, as a normal part of doing business, keep private information about students, staff and administrators of our clients within databases provided by our clients. This is usually for the purposes of support and/or conversion of data. We are responsible for converting data at the request of our customers and it is often most efficient for us to store and convert this data locally. Information that can potentially be stored on our business servers could be:
– Your name and date of birth
– Social Security Number (limited uses only)
– School ID Number
– Country of residence
– Campus address and telephone number
– Home and cellular telephone number(s)
– Emergency contact information (name[s], phone number[s] and email address[es])
– Academic credentials
– Academic, leisure or other interests
Campus Cafe will destroy any database provided to us for the purposes of consulting or conversion services after the service has been provided and the customer agrees that the service will no longer require the use of the said database/s.
Use of the SCAN ID Number, Collection and Use of the Social Security Number (SSN)
The SCAN ID Number is used as the student identification number and is intended to replace the use of the Social Security Number for normal day to day transactions at our client institutions. The SSN number in the database is often used for integration with 3rd party systems, for example financial aid and payroll. Therefore, the SSN number must be used to join two databases together for the most reliable method of matching records for importing and exporting between systems.
For on-premise customers, it is the client’s responsibility to secure any Excel spreadsheets, Crystal Reports (or other ODBC compliant reporting tools) or ODBC connections to their database that can access the SSN of students, staff and administrators of our client institutions. We recommend that these files be secured on the client’s machine/s by utilizing some type of file encryption technology. It is also recommended that any ODBC connection to a database be encrypted using Secure Shell, Secure Sockets Layer, Point-to-Point Tunneling Protocol/Layer 2 Tunneling Protocol or IPSec. SCAN has the means to deny access to the SSN through our application security protocols; however, direct access to the SSN and other sensitive data is still accessible through an ODBC connection. We strongly advise that clients incorporate physical and administrative policies and network controls to mitigate this threat and to maintain compliance with government regulations.
While the SSN is no longer used as the student identification number, the SSN is required to be collected by clients as a normal part of business operations for:
– those who are employed by and/or paid by the client institution,
– individuals applying for or receiving financial aid at the client institution,
– all students
All collection, handling and use of the SSN by SCAN are governed by our SSN policy. All SSNs in the possession of SCAN will be destroyed properly after any such data is no longer needed as part of our normal business operations.
How your personal information is used within Campus Cafe
The primary use of data by Campus Cafe is to convert data from a legacy or 3rd party system to our product’s database platform, or to provide clients with some type of conversion or service that requires the acquisition of the school’s production database. Additionally, we are occasionally asked to analyze customer databases either locally or remotely for other types of development projects. SCAN does not ever share this data with 3rd party vendors for the use of marketing or advertising. SCAN will take all appropriate and necessary steps to ensure that the data accessed is used for the sole purpose of providing the service or services as contracted in our maintenance and support agreement or other contracts for consulting services or development for the client institution.
How your personal information is used outside SCAN (Third party distribution and disclosure of information)
To the extent necessary to deliver and improve services to you, we may share your personal information with others outside of our company, such as third party providers, vendors, and others acting on behalf of Campus Cafe. We do not sell personal information. We comply with lawful orders for production of records pursuant to law enforcement investigations, and in supplying information as may be required by local, state and Federal agencies.
Your private e-mail address
If you supply us with a work related or private e-mail address, we may share this address with persons and organizations outside our company who may be called on to assist in processing your inquiry or serving your needs.
If you send us e-mail, we may share your e-mail address and message content with other persons and organizations outside our company who may be called on to assist in processing your inquiry or serving your needs.
Your Telephone Numbers
If you supply telephone numbers of any description, we may share these numbers with other persons and organizations outside our company who may be called on to assist in processing your inquiry or serving your needs.
Any and all contact information you provide, such as home telephone numbers, cellular numbers, and e-mail addresses, may be used to notify you of an emergency or crisis that may affect you, your organization or Campus Cafe.
Emergency Contact Information
Your emergency contact information may be used to notify your designated emergency contact(s) of an emergency or crisis that may affect you, your organization or Campus Cafe.
How to contact the organization
If you have a question about the information security policy of SCAN, please contact us via phone or email. Our contact information can be found on our public website, www.campuscafesoftware.com.