Information Security Policy

Transcription

1 Purpse The risk t Charlestn Suthern University, its emplyees and students frm data lss and identity theft is f significant cncern t the University and can be reduced nly thrugh the cmbined effrts f every emplyee and cntractr. Charlestn Suthern University adpts this sensitive infrmatin plicy t help prtect emplyees, students, cntractrs and the University frm damages related t the lss r misuse f sensitive infrmatin. This plicy will: 1. Define sensitive infrmatin; 2. Describe the physical security f data when it is printed n paper; 3. Describe the electrnic security f data when stred and distributed; and 4. Place the University in cmpliance with federal law regarding identity theft prtectin. This plicy enables the University t prtect students and emplyees, reducing risk frm identity fraud, and minimize ptential damage t the University. The prgram will help Charlestn Suthern University: 1. Identify risks that signify ptentially fraudulent activity within new r existing cvered accunts; 2. Detect risks when they ccur in cvered accunts; 3. Respnd t risks t determine if fraudulent activity has ccurred and act if fraud has been attempted r cmmitted; and 4. Update the prgram peridically, including reviewing the accunts that are cvered and the identified risks that are part f the prgram. Scpe This plicy and prtectin prgram applies t emplyees (including student wrkers), vlunteers, cntractrs, cnsultants, temprary wrkers, and ther wrkers at Charlestn Suthern University, including all persnnel affiliated with third parties. Sensitive Infrmatin Plicy Definitin f Sensitive Infrmatin "Sensitive Infrmatin" refers t the facts, data, r knwledge itself regardless f the medium f its cnveyance. Therefre, dcuments are deemed t cnvey r cntain infrmatin and are nt cnsidered t be infrmatin per se. Sensitive Infrmatin is t be categrized in ne f the fllwing classificatins: Business Sensitive Persnnel Sensitive Attrney-Client Privileged Other Written 2/15/09 Page 1

2 Fr infrmatin t be cnsidered "Sensitive Infrmatin", the infrmatin must have the ptential t damage the University s interests, r an individual s private interests if disseminated t r btained by persns wh d nt need the infrmatin t perfrm their jbs r ther University-authrized activities. Infrmatin that is available in the public dmain is generally nt cnsidered t be Sensitive Infrmatin. The fllwing are the categries and examples f Sensitive Infrmatin in use at the University. Business Sensitive Infrmatin The fllwing are examples f the ptential types f Business Sensitive infrmatin in use within the University: Nte; this infrmatin may be the result f the University s wn business activities; it may have been prvided by a vendr r sub-cntractr, r a cmbinatin theref: Cmmercial/prprietary infrmatin generally cncerns infrmatin such as trade secrets, business plans, financial r cst data received frm a cmpany ding business r cntemplating business with the University. Persnal statements r dcuments supplied by cntractrs in the curse f inspectins, reviews, site visits, investigatins, r audits when such infrmatin is received in cnfidence shuld als be maintained as Business Sensitive Infrmatin. Infrmatin prduced by the University in the perfrmance f wrk (basic research, Cperative Research and Develpment Agreements, etc.) may be cnsidered prprietary by the University, r a vendr r subcntractr t the University and cnsequently be Business Sensitive Infrmatin. Als, privileged infrmatin such as the University s acquisitin/evaluatin plans, and results f evaluatins and audits shuld be maintained as Business Sensitive Infrmatin. Intellectual prperty, cntract negtiatin infrmatin, prcurement data, and research and develpment infrmatin cnsidered prprietary are als t be cnsidered Business Sensitive Infrmatin. Pre-decisinal infrmatin invlving internal University business cmmunicatins r plans that have nt been published r determined t be final may als be defined as Business Sensitive Infrmatin. Persnnel Sensitive Infrmatin Persnnel Sensitive Infrmatin includes persnnel and medical files and similar files whse disclsure wuld cnstitute a clear unwarranted invasin f privacy. Examples include emplyee payrll data, tax reprts and payments, payments fr emplyee benefit and welfare plans, travel related csts and infrmatin, emplyee perfrmance infrmatin and medical recrds. Nte; this infrmatin usually falls under the prtectin f the Privacy Act f Persnally Identifiable Infrmatin, such as a date f birth, Scial Security Accunt Number r a driver s license number, is classified as Persnnel Sensitive Infrmatin. Attrney-Client Privileged Infrmatin Attrney-client privileged infrmatin r wrking papers prepared by an attrney in cntemplatin f litigatin. Cntact the University s legal cunsel fr instructins befre Written 2/15/09 Page 2

3 creating r accepting any infrmatin that may be cnsidered "Attrney-Client Privileged Infrmatin." Other The University may receive Sensitive Infrmatin frm ther entities, such as vendrs, subcntractrs, r ther business partners. Staff shuld always remember that the University is respnsible fr maintaining the same level f security fr Sensitive Infrmatin delivered by an external surce as is maintained fr Sensitive Infrmatin develped frm within the University. University persnnel are encuraged t use cmmn sense judgment in securing cnfidential infrmatin t the prper extent. If an emplyee is uncertain f the sensitivity f a particular piece f infrmatin, he/she shuld cntact their supervisr. Hard Cpy Distributin Physical Strage - Stre dcuments and cmputer media in apprpriate receptacles (Department grups shuld determine the level f prtectin required fr specific dcuments, i.e., fire prf safes, lcked files r desk drawers, etc.). Lcking the ffice alne is nt adequate. Dcument Destructin - When dcuments cntaining sensitive infrmatin are discarded they will be placed inside a lcked shred bin r immediately shredded using a mechanical crss cut shredding device. University recrds, hwever, may nly be destryed in accrdance with the University s recrds retentin plicy. Lcked Offices - Offices cntaining Sensitive Infrmatin shall be lcked whenever the ffice is vacated and at the end f each business day. Visitr Cntrl - Staff shuld be vigilant t ensure that visitrs (including cntractrs) cannt access Sensitive Infrmatin. Electrnic Distributin Each emplyee and cntractr perfrming wrk fr Charlestn Suthern University will cmply with the plicies set frth in the Infrmatin Technlgy Security Plicy and the GLB Security Plan, bth f which are psted n the University website at Additinal Identity Theft Preventin Prgram Cvered accunts A cvered accunt includes any accunt that invlves r is designed t permit multiple payments r transactins. Every new and existing custmer accunt that meets the fllwing criteria is cvered by this prgram: 1. Accunts fr which there is a reasnably freseeable risk f identity theft; r 2. Accunts fr which there is a reasnably freseeable risk t the safety r sundness f the University frm identity theft, including financial, peratinal, cmpliance, reputatin, r litigatin risks. Written 2/15/09 Page 3

4 Red flags The fllwing red flags are ptential indicatrs f fraud. Any time a red flag, r a situatin clsely resembling a red flag, is apparent, it shuld be investigated fr verificatin. 1. Alerts, ntificatins r warnings frm a cnsumer reprting agency; 2. A fraud r active duty alert included with a cnsumer reprt; 3. A ntice f credit freeze frm a cnsumer reprting agency in respnse t a request fr a cnsumer reprt; r 4. A ntice f address discrepancy frm a cnsumer reprting agency as defined in (b) f the Fairness and Accuracy in Credit Transactins Act. 5. Red flags als include cnsumer reprts that indicate a pattern f activity incnsistent with the histry and usual pattern f activity f an applicant r custmer, such as: A recent and significant increase in the vlume f inquiries; An unusual number f recently established credit relatinships; A material change in the use f credit, especially with respect t recently established credit relatinships; r An accunt that was clsed fr cause r identified fr abuse f accunt privileges by a financial institutin r creditr. 6. Suspicius dcuments Dcuments prvided fr identificatin that appears t have been altered r frged. The phtgraph r physical descriptin n the identificatin is nt cnsistent with the appearance f the applicant r custmer presenting the identificatin Other infrmatin n the identificatin is nt cnsistent with infrmatin prvided by the persn pening a new cvered accunt r custmer presenting the identificatin Other infrmatin n the identificatin is nt cnsistent with readily accessible infrmatin that is n file with Charlestn Suthern University 7. Suspicius persnal identifying infrmatin Persnal identifying infrmatin prvided is incnsistent when cmpared against external infrmatin surces used by Charlestn Suthern University. Fr example The address des nt match any address in the cnsumer reprt The Scial Security number (SSN) has nt been issued r is listed n the Scial Security Administratin s Death Master File; r Persnal identifying infrmatin prvided by the custmer is nt cnsistent with ther persnal identifying infrmatin prvided by the custmer. Fr example, there is a lack f crrelatin between the SSN range and date f birth. Persnal identifying infrmatin prvided is assciated with knwn fraudulent activity as indicated by internal r third-party surces used by Charlestn Suthern University. Fr example, the address n a dcument submissin is the same as the address prvided n a fraudulent dcument. Persnal identifying infrmatin prvided is f a type cmmnly assciated with fraudulent activity as indicated by internal r third-party surces used by Charlestn Suthern University. Fr example: The address n a dcument is fictitius, a mail drp, r a prisn; r The phne number is invalid r is assciated with a pager r answering service. The SSN prvided is the same as that submitted by anther student. The address r telephne number prvided is the same as r similar t the address r Written 2/15/09 Page 4

5 telephne number submitted by an unusually large number f ther students. The student fails t prvide all required persnal identifying infrmatin n an applicatin r in respnse t ntificatin that the applicatin is incmplete. Persnal identifying infrmatin prvided is nt cnsistent with persnal identifying infrmatin that is n file with Charlestn Suthern University. When using security questins (mther s maiden name, pet s name, etc.), the persn pening the cvered accunt r the custmer cannt prvide authenticating infrmatin beynd that which generally wuld be available frm a wallet r cnsumer reprt. 8. Unusual use f, r suspicius activity related t, the cvered accunt Shrtly fllwing the ntice f a change f address fr a cvered accunt, Charlestn Suthern University receives a request fr a replacement check. A cvered accunt that has been inactive fr a reasnably lengthy perid f time is used (taking int cnsideratin the type f accunt, the expected pattern f usage and ther relevant factrs). Mail sent t the custmer is returned repeatedly as undeliverable althugh transactins cntinue t be cnducted in cnnectin with the custmer s cvered accunt. Charlestn Suthern University receives ntice frm students, victims f identity theft, law enfrcement authrities, r ther persns regarding pssible identity theft in cnnectin with cvered accunts held by the University. Respnding t Red Flags Once ptentially fraudulent activity is detected, an emplyee must act quickly as a rapid apprpriate respnse can prtect students and Charlestn Suthern University frm damages and lss. 1. Once ptentially fraudulent activity is detected, gather all related dcumentatin and write a descriptin f the situatin. Present this infrmatin t the designated authrity in yur area fr determinatin. 2. The designated authrity will cmplete additinal authenticatin, using utside surces such as banks, credit card issuers, etc., where apprpriate, t determine whether the attempted transactin was fraudulent r authentic. If a transactin is determined t be fraudulent, apprpriate actins must be taken immediately. Actins may include: 1. Canceling the transactin; 2. Ntifying and cperating with apprpriate law enfrcement; 3. Determining the extent f liability f Charlestn Suthern University; and 4. Ntifying the actual student that fraud has been attempted. Peridic Updates T Plan Annually, prgram will be re-evaluated by the Vice President fr Business and the Chief Infrmatin Officer t determine whether all aspects f the prgram are up t date and applicable in the current business envirnment. Such reviews will include an assessment f which accunts are cvered by the prgram, listing f red flags, actin t take in event f fraudulent activity. Written 2/15/09 Page 5

6 Prgram Administratin The Infrmatin Security Plicy warrants the highest level f attentin and s adptin f such a plicy is the respnsibility f the gverning bdy. Operatinal respnsibility f the prgram is delegated t the senir administratin fr their respective areas f authrity. Senir administratin shall maintain a listing f all emplyees, fficials and cntractrs fr whm it is reasnably freseeable that they may cme int cntact with accunts r persnally identifiable infrmatin that may cnstitute a risk t Charlestn Suthern University r its students, Distribute t such persns a cpy f this plicy, Obtain frm each such persn a signed statement indicating that they have read, understand and agree t abide by this plicy. Oversight f service prvider arrangements It is the respnsibility f Charlestn Suthern University t ensure that the activities f all service prviders are cnducted in accrdance with reasnable plicies and prcedures designed t detect, prevent, and mitigate the risk f identity theft. A service prvider that maintains its wn identity theft preventin prgram, cnsistent with the guidance f the red flag rules and validated by apprpriate due diligence, may be cnsidered t be meeting these requirements. This plicy will take effect immediately upn its apprval by the University Bard f Trustees. Written 2/15/09 Page 6