Page 54 - Post Handbook Update 7-18-23

CHAPTER 8: EMPLOYMENT PRACTICES AND WORKPLACE EXPECTATIONS
• Binders with student/associate information.
• Post-it notes, notepads, or desk calendars with any student/associate information or computer passwords.
• File boxes containing sensitive records that should be returned to designated file storage.
• Other similar proprietary or confidential information.
This policy applies to all workstations, even those behind locked doors.
Securing Workstations, Laptops, and Servers
All workstations, laptops, and servers should be locked when unattended. Users should lock their desktop prior to stepping away from their desk to secure their login session and prevent abuse and/or information theft. Post computers should be set by policy to lock automatically when not in use to ensure compliance with the locked desktop requirement.
Following a meeting in a shared conference room, whiteboards should immediately be wiped clean of all sensitive information. This applies to all information on whiteboards that is classified as restricted, proprietary, confidential, or internal.
It is the duty of every Post associate to protect sensitive data. If a Post associate suspects that sensitive data has been compromised, they should immediately report the issue to any member of their supervisory team or Associate Experience.
STUDENT INFORMATION SECURITY
Post complies with all laws (i.e. Gramm-Leach-Bliley Act, Title IV of the Higher Education Act of 1965) that relate to the security, protection and control of student academic and financial aid systems, databases, processes, records (paper or digital), etc. Access to this type of information by unauthorized users is strictly prohibited. Such systems include all systems that collect, process, and distribute information – including Personally Identifiable Information (PII) – in support of applications for and receipt of Title IV student assistance.
Access to systems containing student personal information is limited to users requiring this information for legitimate business needs given role-based access controls. Users are identified and authenticated appropriately using unique usernames and passwords. Sharing of information access credentials is expressly forbidden.
Post evaluates and updates IT security measures periodically, at least annually. Post’s IT Department has specific, detailed protocols in place that relate to administration of this policy, including the following:
• Encryption of laptops and removable media
• Document/records storage or destruction
• Security Incident Reporting Procedure
• Security Incident Response Procedure
• Patching Procedure
• Access Termination Upon Departure Procedure
The preceding information is a summary of the Student Information Security Policy. If you have related questions, please contact the IT Department, which has overall responsibility for administration of and compliance with this policy.
PROTECTION OF PERSONAL INFORMATION
The University’s policy is to protect and safeguard the confidential nature of personal, non-public information that it may obtain concerning its associates, students, applicants, or other business associates. This information includes, for example, social security numbers, driver’s license numbers, state identification cards, banking account numbers, credit or debit numbers, passport numbers, alien registration numbers, and health insurance identification numbers (“Personal Information”).
The University will only disclose Personal Information on a strict business need-to-know basis and to the extent required or permitted by law. The University will use commercially reasonable safeguards to prevent unauthorized access and disclosure of Personal Information. Although information security cannot be completely guaranteed, the University will maintain physical, electronic, and procedural safeguards to minimize the risk of unauthorized access or disclosure of such information. Please refer to the University’s Privacy Policy for additional information.
The University will destroy, erase, shred, or make unreadable its business records that contain Personal Information prior to disposing of such information. The University may dispose of Personal Information by contracting with an external vendor specializing in the business of disposing of records that contain confidential information.
Associates are prohibited from accessing, using, disclosing, or revealing Personal Information for
    POST UNIVERSITY ASSOCIATE ROADMAP HANDBOOK