INFORMATION SECURITY PROGRAM



Similar documents
INFORMATION SECURITY PROGRAM

Valdosta Technical College. Information Security Plan

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

FINAL May Guideline on Security Systems for Safeguarding Customer Information

College of DuPage Information Technology. Information Security Plan

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

California State University, Sacramento INFORMATION SECURITY PROGRAM

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Austin Peay State University

787 Wye Road, Akron, Ohio P F

Wellesley College Written Information Security Program

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Data Management Policies. Sage ERP Online

Network Security Policy

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

IBX Business Network Platform Information Security Controls Document Classification [Public]

Responsible Access and Use of Information Technology Resources and Services Policy

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

HIPAA Security Alert

Client Security Risk Assessment Questionnaire

Subject: Safety and Soundness Standards for Information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Supplier Security Assessment Questionnaire

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

How To Write A Health Care Security Rule For A University

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Mike Casey Director of IT

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

How To Protect Decd Information From Harm

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

Network & Information Security Policy

Service Children s Education

INFORMATION SECURITY California Maritime Academy

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

HIPAA Security COMPLIANCE Checklist For Employers

Information Security

Delaware State University Policy

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Policy for the Acceptable Use of Information Technology Resources

Information Security Plan effective March 1, 2010

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Rotherham CCG Network Security Policy V2.0

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Managing internet security

UF IT Risk Assessment Standard

IT04 UO ACH Security Policy

COUNCIL POLICY NO. C-13

Fortinet Solutions for Compliance Requirements

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW

HIPAA Information Security Overview

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

INFORMATION TECHNOLOGY SECURITY STANDARDS

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

ITECH Net Monitor. Standards Compliance

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

933 COMPUTER NETWORK/SERVER SECURITY POLICY

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance

How To Protect Research Data From Being Compromised

How are we keeping Hackers away from our UCD networks and computer systems?

How To Ensure The C.E.A.S.A

Better secure IT equipment and systems

Auburn Montgomery. Registration and Security Policy for AUM Servers

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Retention & Destruction

Network Security Policy

Automation Suite for. 201 CMR Compliance

Information Technology Security Procedures

Policy Document. Communications and Operation Management Policy

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Information Resources Security Guidelines

UMDNJ Information Security Plan 2007

Cyber Self Assessment

Identity Theft Prevention Program Compliance Model

SUPPLIER SECURITY STANDARD

R345, Information Technology Resource Security 1

Page 1 of 15. VISC Third Party Guideline

Transcription:

WSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM November 30, 2012 Version 5.2

Table of Contents A. Introduction.Page 1 B. Program Coordinators..Page 2 C. Security Risk Assessment.Page 3 1. Employee Training and Management......Page 3 2. Safeguards of Information Systems/Technology,,,....Page 3 a. Hard Copy Records...Page 3 b. Electronic Records... Page 4 3. Methods to Detect, Prevent, and Respond to Attacks, Intrusions, or Other System Failures.. Page 4 D. Implementation of Safeguards...Page 5 1. Employee Training and Management.....Page 5 2. Safeguards of Information Systems/Technology...Page 5 a. Hard Copy Records...Page 5 b. Electronic Records...Page 6 3. Methods to Detect, Prevent, and Respond to Attacks, Intrusions, or Other System Failures...Page 7 E. Oversight of Service Providers and Contracts......Page 8 F. Evaluation and Revision of Program. Page 9 G. Distribution of the Program...Page 10 1. Annual Distribution to Primary Access Employees..Page 10 2. Distribution to New Employees....Page 10 3. Reference/Notice in Employee Handbooks..Page 10 4. Internet Publication..Page 10 Attachment A Employee Training Process Overview..Page 11

A. Introduction On May 23, 2003, the Federal Trade Commission adopted the Standards for Safeguarding Customer Information Rule promulgated under the authority of the Gramm-Leach-Bliley Act (GLBA). The GLBA safeguarding rule requires all financial institutions, including institutions of higher education, to develop and draft a comprehensive, written Information Security Program that includes administrative, technical and physical safeguards to protect the confidentiality of customers nonpublic financial information that is held in the institution s possession. According to Tennessee Board of Regents guidelines, nonpublic financial information means any information regarding a student or third party obtained in connection with providing a financial service to that person. Examples of nonpublic information include, but are not limited to, mailing addresses, phone numbers, bank and credit card account numbers, income tax records, credit histories, and Social Security numbers. In order to comply with the Federal Trade Commission s safeguarding rule and the GLBA, Walters State Community College has prepared this Information Security Program. B. Program Coordinators As security needs have changed over the years Walters State has responded by placing more focus on security controls and awareness. In 2009 all security programs, including GLBA, were placed under the direction of the Information Protection Committee (IPC). The Information Protection Committee is responsible for oversight of the Information Security Program initiatives associated with current and future legislation and industry guidelines related to the protection of personal identifiable and financial information. This oversight includes, but is not limited to, legislation and industry programs such as PCI-DSS, NACHA, Red Flag Rules, HIPPA, FERPA, and GLBA. Each member of the IPC serves as a program coordinator in accordance to GLBA regulations. The chairman of the IPC is the Executive Director of Information and Educational Technologies. The chairman serves as the Primary Coordinator in accordance to GLBA regulations. 1

The departments and respective coordinators are listed below: Joe Sargent Roger Beverly Heather Carrier Linda Roberts Mike Campbell Lynette Strickland Heather Carrier Mark Hurst Joe Combs Terry Stansberry Cynthia Gilland Tammy Goode Ande Munsey Bill Morefield Amanda Barnes Linda Mason James Marshall Andrew Cox Dr. Debra McCarter IET (Chair and Program Coordinator) Business Affairs Business Affairs Academic Affairs Admission and Registration Business Affairs Business Affairs College Advancement Community and Economic Development Financial Aid Greeneville Center Human Resources IET Administrative Computing and Internet Systems IET Communication and User Services Sevierville Center Student Information Systems and Records WIA IET Network and Security Manager Office of Planning, Research, and Assessment The Primary Coordinator works in conjunction with departmental coordinators who in turn are responsible for oversight of safeguarding nonpublic financial records in their departments in accordance with this Information Security Program. Additional departments and coordinators will be added as appropriate during the periodic evaluation and revision of the program. 2

C. Security Risk Assessment Walters State s Information Security Program will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. To this end, Walters Sate will assess: what employees have access to nonpublic financial information what access they have what type of training is required for each employee what type of safeguards are needed for hard copy records and for electronic records/systems what type of controls are needed to detect, prevent, and respond to threats or failures of these systems 1. Employee Training and Management Walters State recognizes that one of the most serious threats to the security, confidentiality, and integrity of nonpublic financial information is through errors made on the part of employees not familiar with proper procedures for handling such information. Training such employees to protect nonpublic financial information is essential to the success of the program. Consequently, yearly re-training will be offered in a live, online, or recorded format with content designed to satisfy GLBA re-training requirements. Once recorded training has been viewed, the employee will certify that he or she has participated in this training. The Human Resources department will then collect the employee s certification. Walters State will continue with yearly re-training requirements as required by TBR policy for all GLBA affected employees. All new employees will have GLBA training as part of the orientation process. 2. Safeguards of Information Systems/Technology a. Hard Copy Records Walters State recognizes that it has both internal and external risks involving hard copy records. These risks may include, but are not limited to: Unauthorized access to covered data and information (i.e., mailing addresses, phone numbers, bank and credit card account numbers, income tax records, credit histories, and Social Security numbers) by someone other than the owner of the covered data and information Unauthorized access of covered data and information by employees Unauthorized requests for covered data and information by someone other than the owner of the covered data and information Unauthorized access to hard copy files or records Unauthorized transfer/delivery of covered data and information through third parties Walters State realizes that this list may not be complete. Risks associated with the protection of hard copy and covered data and information change as procedures within the college change. To 3

this end, the college will actively monitor and/or participate in advisory groups associated with the security risks involving hard copy records. Presently, Walters State assesses a need for reasonable and appropriate steps to be taken to specifically train employees who are in contact with hard copy records of covered data and information to ensure that hard copy records of covered data and information may be protected from internal and external risks. b. Electronic Records Walters State s computer network consists of thousands of staff and customers, most of whom are students, stretched across the East Tennessee region. These users are capable of reaching all college computer resources from any of the college s campuses via data lines connected to the main campus in Morristown. A network the size of Walters State s is vulnerable to many types of security breaches, virus attacks, and malicious use by unauthorized as well as authorized users. Internal network resources, servers, and computers are vulnerable to staff or student misuse by releasing a known or unknown computer virus that could infect the entire network, possibly allowing data to be easily accessed. Computer systems that lack password authentication could open confidential information to countless numbers of unauthorized users. Having networks that are commingled with many types of users can also allow unscrupulous users the ability to intercept traffic as it flows across the network as well as launch denial of service attacks at multiple systems. Other ways data integrity can be violated is simply by users sharing passwords or allowing others to access their computer session. Loss of data is always a possibility due to power failure, system failure, or user error. 3. Methods to Detect, Prevent, and Respond to Attacks, Intrusions, or other System Failures WSCC offers high speed Internet access to all network users at all campuses. All Internet bound network traffic must flow through the Morristown campus as it serves as the college s only egress to the Internet. By allowing access to the Internet WSCC is also allowing Internet users to access its internal network. This can often lead to many of the same risks that are associated with the internal network as stated above, but those risks are multiplied due to the vastness of the Internet. Malicious users on the Internet often take advantage of vendor security flaws to attack systems and access restricted data. WSCC has identified that users from the Internet could attack college computers and servers using known and unknown software and hardware vulnerabilities or deliver virus payloads directly to a computer or indirectly via electronic mail. Having open systems available to the Internet can often lead to direct system attacks by using specialized software written specifically to locate user accounts, user passwords, system security vulnerabilities, or vendor specific system flaws. 4

D. Implementation of Safeguards 1. Employee Training and Management During employee orientation, each new employee from areas that work with covered data and information will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Each new employee will also be trained in the proper use of computer information and passwords. Training will also include controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including pretext calling, and how to properly dispose of documents that contain covered data and information. Each employee responsible for maintaining covered data and information will be instructed how the college takes steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. Further, each department responsible for maintaining covered data and information will coordinate with Human Resources for the annual review of additional privacy training appropriate to the department. At a minimum, all employees who work with and/or have primary access to records containing nonpublic financial information will attend a mandatory annual training session covering essential elements of the Information Security Program. These training efforts should help minimize risk and safeguard covered data and information security. Yearly re-training will be offered in a live, online, or recorded format with content designed to satisfy GLBA re-training requirements. Once the training has been completed the employee will certify that he or she has participated in this training. The Human Resources department will then collect the employee s certification. Walters State will continue with yearly re-training requirements as required by TBR policy for all GLBA affected employees. All new employees will have GLBA training as part of the orientation process. An overview of the employee training process is shown in Attachment A. 2. Safeguards of Information Systems/Technology a. Hard Copy Records To ensure that all Walters State employees are in compliance with the GLBA, the following guide outlines basic measures for ensuring student hard copy records. Information that must be protected under GLBA Information including, but not limited to, names, addresses, phone numbers, bank and credit card account numbers, financial information, income credit histories, and Social Security numbers. Directory information not associated with GLBA may be released in accordance with the Walters State student record policy, which mirrors SACS guidelines in following FERPA. Request for covered data and information Covered data and information may be requested by phone or e-mail from a third party other than the owner of the data or information. It is important that any employee receiving such a request 5

report the request for personal information to a Walters State employee who has undergone appropriate GLBA information security training. At times an employee may suspect that the third party requesting information is involved in pretext calling -which occurs when an individual improperly obtains personal information of a student with intent to commit identity theft. Pretext callers may pose as the student or someone authorized to have student covered data and information. The pretext caller, in an effort to gain employee trust, may offer a piece of personal information about the student already in their possession. If it is suspected that the request for covered student data and information is fraudulent, the request should immediately be reported to the Vice President for Student Affairs, who is considered the keeper of all hard copy student data and information. An employee should never give out a student s social security number over the phone or email and never confirm covered data and information a third party caller provides. A student s personal information may be released only if the student has specifically authorized you (the employee) to do so in a written waiver, and only if the release meets one of the stipulations covered by our internal policies that follow SACS and FERPA guidelines. Daily use and storage of covered data and information Hard copy records, printouts, forms, phone messages, etc. that contain covered data and information must also be secured. Employees should not leave any of the above materials containing covered data or information where an unauthorized person from inside or outside the institution could obtain this data. Hard copy materials containing student covered data and information should be secured in locked filing cabinets or other secured storage areas. b. Electronic Records WSCC has taken proactive steps to protect the network and secure confidential information. Routine system upgrades are performed to ensure all network, server, and computer systems have the latest vendor releases. Network and server personnel routinely apply appropriate security system patches as released by the vendors. The college has implemented a domain structure where all computers are controlled centrally and require user authentication in order to logon. All shared server resources are secured by requiring user authentication. Data is further protected by allowing users the ability to view data but not alter it in any way. The college also restricts access to information by restricting students from logging into staff computers. In order to access a system a user must have a unique username and password and is required to change the password frequently and adhere to system password policies. Each user must agree to follow the college s computer use policies, which include not sharing usernames, passwords, or confidential information. Users are not allowed access to restricted information until properly authorized according to current policies. The college has protected against network traffic interception by implementing multiple networks on switched networking equipment. Wireless network traffic is protected by using authentication to access the wireless network, and encrypting the data to secure it from being intercepted. All computers and server systems are protected by anti-virus software that is automatically updated to the latest vendor releases. All electronic mail is scanned for viruses before the user has access to the message or as the message is being sent by the user. Loss of information either by system failure, power failure, or user error is protected by having redundant server systems with multiple hard drives that are archived to tape and/or disk on a daily basis. These archived tapes and/or disks are then stored at an offsite location for a period of time as directed by current 6

policies. All computer and network systems are protected from power outages or spikes by universal power supplies that will allow the system to operate for short periods during emergencies. The college also has disaster recover policies to ensure quick recovery after a disaster. 3. Methods to Detect, Prevent, and Respond to Attacks, Intrusions, or Other System Failures All Internet traffic must pass through a firewall that protects all internal campus computers from direct Internet attacks. Suspect network traffic is isolated and removed from the network. To further strengthen the network from intrusion from the Internet, internal non-routable private IP addressing has been implemented. This ensures that all traffic coming from the Internet pass through the firewall and be inspected before being forwarded to any college computer system. All servers that are accessible from the Internet are isolated on a separate network to further protect confidential information. No internal network system allows direct contact from the Internet. The communications staff constantly monitors all systems for any indication of attacks, intrusion, or system failures. Network monitoring systems are in place that will alert staff when systems have failed and are unreachable by users. Other systems alert staff that attacks are taking place against network systems, and some systems have automatic safeguards to isolate themselves to protect the network as a whole. Other methods of detection include, but are not limited to, monitoring system logs, paging systems, and e-mail systems. Staff constantly research current trends in network and system security and attempt to implement safeguards before an attack takes place. Other safeguards include constant review of current policies and procedures and modifying those as necessary to keep current as technology changes. User accounts are periodically evaluated to make sure users are currently employed and that a user does not have access to unauthorized systems. 7

E. Oversight of Service Providers and Contracts The College may share customers non-public financial information with third parties as appropriate during the normal course of business. Such business activities may include, but not be limited to, collection of accounts, transmission of documents, destruction of paper and electronic records, destruction of equipment, and other similar services. Within the framework of this Information Security Program, the College will ensure that reasonable steps are taken to secure third party contractors that are willing and capable of appropriately securing customers non-public financial information. College contracts with third party service providers will include standard contract provisions promulgated by the Tennessee Board of Regents that require the service provider to comply with GLBA safeguarding rules in its handling of such records. Existing contracts will be reviewed; if GLBA applies, the contracts will be amended by incorporating the standard TBR amendment. The Contracts Officer will work with the office of Business Affairs and other units as appropriate to identify third party service providers that are provided access to customers non-public financial information. The Contracts Officer will work with appropriate campus and TBR personnel to ensure that third party service provider contracts contain language to protect customers non-public financial information. F. Evaluation and Revision of Program The Information Security Program will be subject to periodic review and adjustment. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinators who will assign specific responsibility for implementation and administration as appropriate. The coordinators will no less than annually review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security. 8

G. Distribution of the Program 1. Annual Distribution to Primary Access Employees All employees who work with and/or have primary access to records containing nonpublic financial information will attend an annual mandatory training session covering essential elements of the Information Security Program. During this training session, a current version of the college s Information Security Program will be distributed directly to each employee in attendance. 2. Distribution to New Employees Copies of the Walters State Information Security Program will be distributed to all new employees at the time of their new employee orientation session with Human Resources staff. 3. Reference/Notice in Employee Handbooks Reference to this Information Security Program will be included in the WSCC Policies and Procedures Manual when revised. 4. Internet Publication The current version of the Walters State Information Security Program will be posted in its entirety on the college s Intranet. 9

Attachment A Employee Training Process Overview 10

Attachment A: Walters State will provide training on an annual basis for the employees who require training based on GLBA guidelines. The training provided by Walters State will utilize an online self-paced presentation which will provide a certification opportunity at the end. This online training can also utilize different multimedia presentation methods that include, but are not restricted to videos, audio clips, and presentation graphics. This training is located online via WSCC s web servers and can be accessed as directed by the Office Human Resources. 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information