I. Purpose
In order to continue to protect private information and
data, and to comply with new federal laws effective May
23, 2003, the University has adopted this Information Security
Program for certain highly critical and private financial
and related information. This security program applies to
customer financial information ("covered data")
the University receives in the course of business as required
by these new federal laws, as well as other confidential
financial information the University has voluntarily chosen
as a matter of policy to include within its scope. This
document describes many of the activities the University
currently undertakes, and will undertake, to maintain covered
data according to legal and University requirements. This
Information Security Program document is designed to provide
an outline of the safeguards that apply to this information.
The practices set forth in this document will be carried
out by, and will affect, diverse areas of the University.
II. Definitions
"Covered data" means all information required
to be protected under the Gramm-Leach-Bliley Act ("GLB
Act"). "Covered data" also refers to financial
information that the University, as a matter of policy,
has included within the scope of this Information Security
Program. Covered data includes information obtained from
a student in the course of offering a financial product
or service, or such information provided to the University
from another institution. "Offering a financial product
or service" includes offering student loans, receiving
income tax information from a current or prospective student’s
parents as a part of a financial aid application, offering
credit or interest bearing loans, and other miscellaneous
financial services as defined in 12 CFR § 225.28. Examples
of student financial information relating to such products
or services are addresses, phone numbers, bank and credit
card account numbers, income and credit histories and social
security numbers. "Covered data" consists of both
paper and electronic records that are handled by the University
or its affiliates.
"Service Providers" refers to all third parties
who, in the ordinary course of University business, are
provided access to covered data. Service providers may include,
for example, businesses retained to transport and dispose of
covered data, collection agencies, and systems support providers.
III. Security Program Components
The GLB Act requires that the University develop, implement
and maintain a comprehensive information security program
containing the administrative, technical and physical safeguards
that are appropriate based upon the University's size,
complexity and the nature of its activities. This Information
Security Program has five components: (1) designating an
employee or office responsible for coordinating the program;
(2) conducting risk assessments to identify reasonably foreseeable
security and privacy risks; (3) ensuring that safeguards
are employed to control the risks identified and that the
effectiveness of these safeguards is regularly tested and
monitored; (4) overseeing service providers; and (5) maintaining
and adjusting this Information Security Program based upon
the results of testing and monitoring conducted as well
as changes in operations or operating systems.
IV. Security Program Manager
The Information Technology Security Manager ("Security
Manager") is responsible for implementing this Information
Security Program. The Security Manager is housed in Information
Technology Services and works closely with the Controller,
the Registrar, Human Resources, the Office of General Counsel,
the Center for Professional Development and Training, and
other offices and units to implement this program. The Security
Manager consults with responsible offices to identify units
and areas of the University with access to covered data.
The Security Manager will ensure that risk assessments and
monitoring are carried out for each unit or area that has
covered data and that appropriate controls are in place
for the identified risks. The Security Manager may require
units with substantial access to covered data to further
develop and implement comprehensive security plans specific
to those units and to provide copies of the plan documents.
The Security Manager may designate, as appropriate, responsible
parties in each area or unit to carry out activities necessary
to implement this Information Security Program.
The Security Manager will work with responsible parties
to ensure that adequate training and education are developed and
delivered for all employees with access to covered data.
The Security Manager will, in consultation with other University
offices, verify that existing policies, standards and guidelines
that provide for the security of covered data are reviewed
and adequate. The Security Manager will make recommendations
for revisions to policy, or the development of new policy,
as appropriate.
The Security Manager will prepare an annual report on the
status of the Information Security Program and provide that
to the University’s Director of Information Technology
Services. The Security Manager will update this Information
Security Program, including this and related documents,
from time to time. The Security Manager will maintain a
written security plan containing the elements set forth
above and make the plan available to the University community.
V. Risk Assessment
The Information Security Program will identify reasonably
foreseeable external and internal risks to the security,
confidentiality, and integrity of covered data that could
result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and
assess the sufficiency of any safeguards in place to control
these risks. Risk assessments will include consideration
of risks in each area that has access to covered data.
Risk assessments will include, but not be limited to, consideration
of employee training and management; information systems,
including network and software design, as well as information
processing, storage, transmission and disposal; and systems
for detecting, preventing, and responding to attacks, intrusions,
or other system failures.
The Security Manager will work with all relevant areas to
carry out comprehensive risk assessments. Risk assessments
will include system-wide risks, as well as risks unique
to each area with covered data. The Security Manager will
ensure that risk assessments are conducted at least annually,
and more frequently where required. The Security Manager
may identify a responsible party in each unit with access
to covered data to conduct the risk assessment considering
the factors set forth above, or employ other reasonable
means to identify risks to the security, confidentiality
and integrity of covered data in each area of the University
with covered data.
VI. Information Safeguards and Monitoring
The Information Security Program will verify that information
safeguards are designed and implemented to control the risks
identified in the risk assessments set forth above. The
Security Manager will ensure that reasonable safeguards
and monitoring are implemented and cover each unit that
has access to covered data. Such safeguards and monitoring
will include the following:
A. Employee Management and Training
Safeguards for security will include management and training
of those individuals with authorized access to covered data.
The University has adopted comprehensive policies, standards
and guidelines setting forth the procedures and recommendations
for preserving the security of private information, including
covered data. These are set forth at the following website:
http://www.unf.edu/compserv/pol_proc/index.html
The Security Manager will, working with the Director of
the Center for Professional Development and Training and
other responsible offices and units, identify categories
of employees or others who have access to covered data.
The Security Manager will ensure that appropriate training
and education is provided to all employees who have access
to covered data. Such training will include education on
relevant policies and procedures and other safeguards in
place or developed to protect covered data. Training and
education may also include newsletters, promotions or other
programs to increase awareness of the importance of preserving
the confidentiality and security of confidential data.
B. Information Systems
Information systems include network and software design,
as well as information processing, storage, transmission,
retrieval, and disposal.
Network and software systems will be reasonably designed
to limit the risk of unauthorized access to covered data.
This may include designing access limitations, maintaining
appropriate screening programs to detect intruders
and viruses, and implementing security patches.
Safeguards for information processing, storage, transmission,
retrieval and disposal may include: requiring that electronic
covered data be entered into a secure, password-protected
system; using secure connections to transmit data outside
the University; using secure servers; ensuring covered data
is not stored on transportable media (floppy disks, zip
disks, etc.); permanently erasing covered data from computers,
diskettes, magnetic tapes, hard drives, or other electronic
media before re-selling, transferring, recycling, or disposing
of them; storing physical records in a secure area and limiting
access to that area; providing safeguards to protect covered
data and systems from physical hazards such as fire or water
damage; disposing of outdated records under a document disposal
policy; shredding confidential paper records before disposal;
maintaining an inventory of servers or computers with covered
data; and other reasonable measures to secure covered data
during its life cycle in the University’s possession
or control.
C. Managing System Failures
The University will maintain effective systems to prevent,
detect, and respond to attacks, intrusions and other system
failures. Such systems may include maintaining and implementing
current anti-virus software; regularly obtaining patches from
software vendors and other sources and installing them to
correct software vulnerabilities; maintaining appropriate
filtering or firewall technologies; alerting those with
access to covered data of threats to security; imaging documents
and shredding paper copies; backing up data regularly and
storing back up information off site, as well as other reasonable
measures to protect the integrity and safety of information
systems.
D. Monitoring and Testing
Monitoring systems will be implemented to regularly test
and monitor the effectiveness of information security safeguards.
Monitoring will be conducted to reasonably ensure that safeguards
are being followed, and to swiftly detect and correct breakdowns
in security. The level of monitoring will be appropriate
based upon the potential impact and probability of the risks
identified, as well as the sensitivity of the information
provided. Monitoring may include sampling, system checks,
reports of access to systems, reviews of logs, audits, and
any other reasonable measures adequate to verify that the Information
Security Program's controls, systems and procedures
are working.
E. Reporting
The Security Manager will provide an annual report on the
status of the information safeguards and monitoring implemented
for covered data.
VII. Service Providers
In the course of business, the University may from time
to time appropriately share covered data with third parties.
Such activities may include collection activities, transmission
of documents, destruction of documents or equipment, or
other similar services. This Information Security Program
will ensure that reasonable steps are taken to select and
retain service providers that are capable of maintaining
appropriate safeguards for the customer information at issue,
and that service providers are required by contract to implement
and maintain such safeguards.
The Security Manager, by survey or other reasonable means,
will identify service providers who are provided access
to covered data. The Security Manager will work with the
Office of General Counsel, and other offices as appropriate,
to make certain that service provider contracts contain
appropriate terms to protect the security of covered data.
VIII. Policies, Standards and Guidelines
The University has adopted comprehensive policies, standards,
and guidelines relating to information security. They are
incorporated by reference into this Information Security
Plan, and set forth at the following website: http://www.unf.edu/dept/its/polproc.