Information Security Plan 2016
Belmont University Information Security Plan
In order to protect critical information and data, and to comply with federal law, Belmont University adopts the following practices in the University information environment and institutional information security procedures. While these practices mostly affect Belmont's Library and Information Technology Services (L&ITS), some of them will impact diverse areas of the University, including but not limited to Finance and Accounting, Registrar, University Advancement, Student Affairs, Admissions, and third-party contractors, including food services. The goal of this document is to define the University's Information Security Program, to provide an outline for assuring ongoing compliance with the federal regulations related to the program, and to position the University for compliance with likely future privacy and security regulations.
II. Gramm Leach Bliley (GLB) Requirements
GLB mandates the University appoint an Information Security Plan Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.
III. Information Security Plan Coordinator
In order to comply with GLB, Belmont has designated the Director of Information Security as the plan coordinator reporting directly to the AVP/CIO of the University. This individual must work closely with the Offices of Finance and Accounting, Internal Audit, Administration and University Counsel, other staff in Library & Information Technology Services (L&ITS), as well as all relevant academic and administrative colleges and schools throughout the university.
The Director of Information Security coordinates with relevant offices of the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program; and regularly monitor and test the program.
IV. Risk Assessment and Safeguards
A. The Director of Information Security must work with all relevant areas of the University to identify potential and actual risks to security and privacy of information. Each college or school head, or her designee, will conduct an annual data security review, with guidance from the coordinator. Vice Presidents will be asked to identify any employees in their respective areas that work with covered data and information. In addition, L&ITS will conduct a quarterly review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication may likely lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the University community on network security and privacy issues.
B. In order to protect the security and integrity of the University network and its data, L&ITS will develop and maintain a registry of all computers attached to the University network. This registry will include, where relevant, IP address or subnet, MAC address, physical location, operating system, intended use (server, personal computer, lab machine, dorm machine, etc.), the person, persons, or department primarily responsible for the machine, and whether the machine holds, or has special access to, any confidential data covered by relevant external laws or regulations.
C. L&ITS assumes the responsibility of assuring that patches for operating systems or software environments are reasonably up to date, and will keep records of patching activity. L&ITS will review its procedures for patches to operating systems and software, and will keep current on potential threats to the network and its data. Risk assessments will be updated quarterly.
D. L&ITS bears primary responsibility for the identification and assessment of internal and external risks, but all members of the University community are involved in risk assessment. L&ITS, working in conjunction with the relevant University offices, will conduct regular risk assessments, including but not limited to the categories listed by GLB.
E. L&ITS Administrative Technology (AT), working in cooperation with relevant University offices, will develop and maintain a data handbook, listing those persons or offices responsible for each covered data field in relevant software systems (financial, student administration, development, etc.). Administrative Technology (AT) and the relevant departments will conduct ongoing (at least biannual) audits of activity, and will report any significant questionable activities.
F. L&ITS Administrative Technology (AT) will work with the relevant offices (Finance and Accounting, Human Resources, the Registrar, University Advancement, and the Library, among others) to develop and maintain a registry of those members of the University community who have access to covered data and information. ACIT, in cooperation with Human Resources and Finance and Accounting, will work to keep this registry rigorously up to date.
G. L&ITS will assure the physical security of all servers and terminals which contain or have access to covered data and information. L&ITS will work with other relevant areas of the University to develop guidelines for physical security of any covered servers in locations outside the central server area. The University will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, and other procedures which may expose the university to risks.
H. Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). The Director of Information Security will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are used, and in what instances students are being asked to provide a social security number. This assessment will cover University employees as well as subcontractors such as food services.
I. L&ITS will develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks.
J. It is recommended that relevant offices of the University decide whether more extensive background or reference checks or other forms of confirmation are prudent in the hiring process for certain new employees, for example employees handling confidential financial information.
K. L&ITS will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.
L. The Director of Information Security will maintain and review the L&ITS business continuity program and data-retention policies, reporting annually to the AVP/CIO.
V. Employee training and education
While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, L&ITS and the Office of University Counsel will work in cooperation with the Office of Human Resources to develop training and education programs for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology who have general access to all University data; custodians of data in other University offices; and those employees who use the data as part of their essential job duties.
VI. Oversight of Service Providers and Contracts
GLB requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Office of Finance and Accounting, in cooperation with the Office of University Counsel and Administration, will take steps to ensure that existing and future contracts with all covered contractors include a privacy clause in compliance with GLB.
VIII. Evaluation and Revision of the Information Security Plan
GLB mandates that this Information Security Plan be subject to periodic review and adjustment. The most frequent of these reviews will occur within L&ITS where constantly changing technology and constantly evolving risks indicate the wisdom of quarterly reviews. Processes in other relevant offices of the University such as data access procedures and the training program should undergo regular review. The plan itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.
Customer for the purposes of this policy shall be anyone with whom Belmont has a consumer relationship or who has obtained a financial product or service from the University. While students are clearly customers under this definition, the University has taken a broader approach and considers it prudent to cover donors, those who purchase tickets for University events and other such individuals who might from time to time share financial information with Belmont. The University does not consider employees or vendors as customers under the definition of the act; however, the same safeguards will apply wherever feasible.
Covered data and information for the purpose of this policy includes student financial information required to be protected under the Gramm Leach Bliley Act (GLB). In addition to this coverage, which is required by federal law, Belmont chooses as a matter of policy to also define covered data and information to include credit card information received in the course of business by the University, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.
Financial Information is information Belmont has obtained from a student, or his/her parents if applicable, in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers, in both paper and electronic format.
L&ITS is the Library and Information Technology Services division of the University.
Service provider is any person or entity that receives, maintains, processes or otherwise is permitted access to covered data and information through its direct provision of services to Belmont University.