Information Security Plan


Updated: 6/13/23; Reviewed 2/1/2022
Contact: Director of Information Technology

I. Introduction
The Office of Information Technology, in consultation with the Business Office and the Office of Student Financial Services, has established this Information Security Plan.

II. Definitions
“Covered data” refers to any data classified as Level 1, Level 2, or Level 3 data pursuant to the College’s Data Classification and Handling Standards.

“Financial Information” refers to any information (i) a student or other third party provides in order to obtain a financial service from the institution, (ii) about a student or other third party resulting from any transaction with the College involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.

“Servicers” refers to all third parties who, in the ordinary course of College business, are provided access to covered data.

III. Plan Coordination
Security Coordinator (Responsible Authority)

  • The Security Plan Coordinator (“Coordinator”) will be responsible for implementing this Information Security Plan. The Coordinator may be the Director of Information Technology, who is also assigned as the Chief Information Security Officer (CISO); a person designated by the Director of Information Technology/CISO; or a person designated by the Provost in the absence of a director/CISO. The Coordinator will work closely with the Director of Budget and Finance and the Assistant Vice President of Student Financial Services and Director of Financial Aid.
  • The Coordinator will consult with, and maintain a list of, responsible offices with access to covered data.
  • The Coordinator will help ensure that risk assessments and monitoring, as set forth in this plan, are carried out for each responsible office with covered data and that controls are implemented for identified risks. The Coordinator may designate, as appropriate, responsible parties to carry out these activities.

Training of Staff

  • Training for new staff will include an explanation of the purpose of the Information Security Plan and of other information security and data privacy policies and protocols. Each staff member will acknowledge an understanding of their responsibilities within this plan, with a record of that acknowledgement retained by their supervisor and by the Office of Information Technology.
  • Existing staff will receive training on the purpose of the Information Security Plan and an annual reminder during the employee performance appraisal with their supervisor, as well as education on relevant policies and procedures that have been amended, delivered through means including promotional programs and newsletters.
  • Student workers employed by the Business Office and/or Student Financial Services will undergo the same training as staff. Each student must sign a confidentiality and responsibility statement that will be retained by the supervisor and the Office of Information Technology.

IV. Risk Assessment
Through this plan, along with the work of the CISO, the College will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of protected data that could result in the unauthorized disclosure, misuse, or other compromise of personally protected information. Known threats and risk assessments include:

  • Unauthorized access to data through software applications
  • Unauthorized use of another user’s account and password
  • Unauthorized viewing of printed or computer displayed financial data
  • Improper storage of printed financial data
  • Unprotected documentation usable by intruders to access data
  • Improper destruction of printed material

Risk assessments will include, but are not limited to, consideration of employee training and management; information systems, including network and software, information processing, storage, transmission and disposal; and systems for detecting, preventing, and responding to attacks, intrusions, or other system failures.

The Coordinator will work with all relevant areas to carry out comprehensive risk assessments, including system-wide risks, as well as risks unique to each relevant responsible office with covered data. The Coordinator will help ensure that risk assessments are conducted at least annually, and more frequently where required. The Coordinator may identify a responsible party or employ other reasonable means to help identify risks to the security, confidentiality and integrity of covered data in each area of the College with covered data.

Copies of complete and current risk assessments for system-wide and responsible office risks will be shared at least annually with the Compliance Committee and the Enterprise Risk Management Committee. Risk assessments already completed by the Coordinator and the Office of Information Technology are found in the appendix to this plan.

V. Safeguards and Monitoring
Employee Management and Training

  • As previously outlined under the responsibilities of the Coordinator, the Coordinator will help implement comprehensive policies, standards, guidelines and procedures for the security of private information, including covered data.
  • The Coordinator will identify categories of employees who have access to covered data and ensure that appropriate training and education are provided to those employees.
  • Job-specific training will address maintaining security and confidentiality, requiring user-specific passwords and periodic password changes, limiting access to covered data to business need only, requiring signed releases for disclosure of covered data, establishing methods for prompt reporting of loss or theft of covered data, and other measures based upon identified risks.

Information Security

  • Electronic access to customer financial information is protected by usernames and passwords. The director of each administrative department is responsible for safeguarding that department's unique data.
  • Use of strong passwords is required for access to the administrative software system. Passwords are not to be shared with other users. Student workers requiring access to student financial information are provided their own accounts with appropriate privileges.
  • Access to student financial information on the network is limited to the Business Office and Student Financial Services, with access rights granted by the Coordinator at the request of the director of the respective office.
  • Access to the Cardinal Services area is limited to those employees and student workers in the Business Office, Student Financial Services, Human Resources and the Registrar’s Office. Printed copies of student financial information are to be handled only by authorized personnel, kept in restricted areas, and not left unattended on desks. Employees are encouraged to upload paper documents to the document management system and immediately dispose of the original document.
  • Current (less than one year old) printed documents are kept in lockable file cabinets behind closed and locked doors during non-business hours. Printed documents older than one year should be moved to locked storage on the 3rd Floor of Curry Hall or the Lower Level of Brown Hall, or permanently disposed of. Details of disposal requirements are in the Record Retention Policy.
  • Calls or requests for student financial information are referred to responsible individuals who have completed security plan training.
  • Users must log off or lock their computer terminals when they are away from their work area.
  • Safeguards for information processing, storage, transmission, retrieval and disposal are detailed in a Data Classification and Handling Policy.
  • Fraudulent attempts to obtain information will be reported to the Office of Information Technology.
  • Disciplinary measures, up to and including termination, may be imposed for breaches of this plan.

Managing System Failures
The College will maintain commercially reasonable systems to prevent, detect, and respond to attacks, intrusions, and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with vendors to obtain and install patches for software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing backup information off site; as well as other reasonable measures to protect the integrity and safety of information systems.

Monitoring and Testing
Monitoring systems will be implemented to regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to swiftly detect and correct breakdowns in security. The level of monitoring will be appropriate to the potential impact and probability of the risks identified, as well as the sensitivity of the information involved. Monitoring may include sampling, system checks, reports of access to systems, reviews of logs, audits, and any other reasonable measures adequate to verify that the Information Security Plan’s controls, systems and procedures are working.

Reporting
The Coordinator will provide a report on the status of the information safeguards and monitoring implemented for covered data as described in Section VII.

Service Providers
In the course of business, the College may from time to time appropriately share covered data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents or equipment, or other similar services. This Information Security Plan will help ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and that service providers are required by contract to implement and maintain such safeguards.

The Coordinator will identify, by reasonable means, the service providers who are provided access to covered data. The Coordinator will work with the Chief Operating Officer, and other offices as appropriate, to make certain that service provider contracts contain appropriate terms to protect the security of covered data.

Roles and Responsibilities
Cabinet Members, Deans, Directors, Department Heads and other Managers (“Managers”). The Managers responsible for supervising employees with access to covered data will designate a responsible contact to work with the Coordinator to assist in implementing this plan. The designated contact will help ensure that risk assessments are carried out for that department and that monitoring based upon those risks takes place. The designated responsible contact will report the status of the Information Security Plan for covered data accessible in that department to the Coordinator at least annually, and more frequently where appropriate.

Employees with Access to Covered Data. Employees with access to covered data must abide by College policies and procedures governing covered data, as well as any additional practices or procedures established by their directors or Cabinet members.

Modifications
The Coordinator will update this Information Security Plan, including this and related documents, from time to time. The Coordinator will maintain a written security plan at all times, make the plan available to the College community, and ensure it is reviewed at least annually by the Compliance Committee.
