Information Security Plan
In order to protect Hartwick College's critical business information and data and to comply with The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), the Department of Information Technology recommends the adoption and review of the College's various practices pertaining to the safeguarding and dissemination of College information and information about the College's constituents. The recommended practices primarily build upon the policies adopted for "authorized access and use" at the time the College implemented the Datatel system, and mostly affect the technology areas; however, some of the recommended policies and procedures have a broader, College-wide impact, including some of our third-party service providers. The purpose of this document is to define the College's Information Security Plan (the Plan), to provide an outline to assure ongoing compliance with federal regulations related to the Plan, and to position the College to address future changes in privacy and security regulations.
The Financial Services Modernization Act of 1999 (FSMA) (Gramm-Leach-Bliley (GLB)) Requirements
The FSMA requires that the College appoint an Information Security Plan Coordinator, conduct a risk assessment of likely security and privacy risks and identify such risks, design and implement a safeguards program/information security plan, institute a training and awareness program for all employees who have access to covered data and information, oversee service providers and contracts and require them to demonstrate safeguards, and evaluate and adjust the Information Security Plan periodically.
I. Information Security Plan Coordinator
Hartwick College has designated an Information Security Plan Coordinator. This individual reports to the Chief Academic Officer and works closely with the College Cabinet. The Coordinator is the Executive Director of Information Technology. The Coordinator may delegate compliance responsibilities to other individuals as appropriate.
The Coordinator will provide guidance in complying with applicable regulations and overall College policies. The Coordinator or his designee will assist College offices and departments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of College constituent information; develop departmental policies and procedures; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program; and coordinate any external reviews with Financial Services.
Annual Information Security Review
The Coordinator will identify potential and actual risks to security and privacy of information across the College. College Cabinet members are responsible for identifying all employees in their respective areas who work with data and information that is covered by FSMA, FERPA, or other applicable regulations. Cabinet members will also be responsible for ensuring that appropriate department-level policies and procedures are documented and current and that employees are knowledgeable about specific procedures for their departments.
The Coordinator will periodically review the College's disaster recovery program and data-retention policies and present a report to the College Cabinet. This typically will be done in conjunction with the annual financial and A-133 audits.
Server & System Security
Information Technology is responsible for physical security of all central servers that contain covered data and information. Information Technology will work with other areas of the College to develop guidelines for security of any covered servers in locations outside the central server area which are maintained by staff other than Information Technology staff or that are maintained by third-party service providers.
Service Packs, Patches, and Upgrades
Information Technology assumes the responsibility of assuring that patches and service-level releases for operating systems or software environments are up to date, and will keep records of patching and upgrade activity. Information Technology will review its procedures for patches and service-level upgrades to operating systems and software, and will keep current on potential threats to the network and its data. Risk assessments will be updated quarterly.
Information Technology will develop a plan to ensure that all covered electronic information is encrypted in transit and that the central databases and servers are strongly protected from security risks.
Information Technology will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.
Institutional Information System (Datatel)
In order to protect the security and integrity of the College network and its data, Information Technology maintains a registry of all personnel with account and log-in privileges on its central Institutional Information Systems (Datatel) server. This registry, and individual security classes, will be reviewed with the departmental supervisor any time an employee is replaced or a position is changed. Information Systems Services, in cooperation with the Data Reporting Team and under the direction of the Office of Institutional Research, works to regularize and coordinate the reporting of key institutional data and to increase institutional awareness of accurate and consistent data reporting. Information Systems Services also maintains a list of those persons ("module leaders") responsible for each owned software module supporting key departmental areas (financial, student administration, advancement). System users will be advised to report any questionable changes in data to the Institutional Information Systems Senior Systems Manager.
The College will conduct a survey of other physical security risks, including the storage of and access to covered paper records, and other procedures that may expose the College to risks.
Personal Identification Codes (IDs, SSN)
While the College does not use Social Security numbers as student or employee identifiers, one of the largest security risks may be the possible non-standard practices concerning Social Security numbers, e.g. continued reliance by some College employees on the use of Social Security numbers. Social Security numbers are considered protected information under both FSMA and the Family Educational Rights and Privacy Act (FERPA). By necessity, student Social Security numbers still remain in the College student and employee information system. The College will conduct an assessment to determine who has access to Social Security numbers, in what systems the numbers are still used, and in what instances students may be inappropriately asked to provide a Social Security number. This assessment will cover College employees and subcontracted service providers (food service, tuition payment plan, loan servicing, and long distance telephone service providers).
Employee Background Checks: Hartwick College is committed to providing a safe and secure campus for its students, staff, faculty, and visitors, and to protecting the material resources of the College. As part of our strategy to achieve this goal and to ensure that the College has taken reasonable care in selecting its new faculty and staff, the College conducts background checks on all new Hartwick faculty and staff.
Background Check Policy: As a condition of employment, background checks are conducted prior to new faculty and staff beginning their employment. Furthermore, background checks also are conducted on current employees transferring into senior administrative, sensitive, financial, information technology, or student-oriented positions.
Access to Employee, Student, Alumni, and Donor Information Policy: The employee handbook and Faculty Manual will be amended to include a statement pertaining to authorized access to covered data. This policy statement is modeled largely upon the College's existing Institutional Information Systems/Services log-in agreement.
Confidentiality Agreement: All employees will be asked to sign an agreement consenting to following Hartwick's confidentiality and security standards for handling College constituent information (exhibit 3). This is in addition to acknowledging receipt of the Hartwick College Technology Resources User Responsibilities and "Acceptable Use" Policy, and attending "Responsible Use of Technology" training.
III. Employee Training and Education
While department directors and supervisors are ultimately responsible for ensuring compliance with information security practices and providing department-specific and function-specific training, Information Technology and Human Resources will continue to provide broad-based training and education programs for all employees who have access to covered data ("Responsible Use of Technology" and "Datatel Orientation" training). In addition, specialized training and workshop sessions will be conducted for professionals in information technology who have general access to all College data. New employee orientation will be modified to include a discussion about information and systems security and the Hartwick College Technology Resources User Responsibilities and Appropriate Use Policy.
IV. Evaluation and Revision of the Information Security Plan
FSMA mandates that this Information Security Plan be subject to periodic review and adjustment. Processes in other relevant offices of the College, such as data access procedures and training programs, should undergo regular review at least annually. The plan itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations. Timing of this review should occur as part of the annual external audit.
Covered data and information, for the purpose of this policy, includes constituent financial information required to be protected under the Gramm-Leach-Bliley Act (GLB), and data required to be protected under the Family Educational Rights and Privacy Act (FERPA). In addition to this coverage that is required by federal law, Hartwick College chooses as a matter of policy to define covered data and information to also include any credit card information received in the course of business by the College, whether or not such credit card information is covered by FSMA. Covered data and information includes both paper and electronic records.
Constituent information means any record containing non-public personal information about a constituent of the College (student, employee, alumnus/ae, donor, parent, trustee, etc.) whether in paper, electronic, or another form, that is handled or maintained by or on behalf of the College.
Constituent financial information is information the College has obtained from a constituent (student, employee, parent, alumni, donor, etc.) in the process of offering a financial product or service, or such information provided to the College by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. A non-exhaustive list of examples of constituent financial information includes addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers, in both paper and electronic format.
Information security program means the administrative, technical, or physical safeguards the College uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle constituent information.
Non-public personal information is defined as "personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." (16 CFR Part 313.3(n)(1)). An example for colleges and universities would be information that a student provides on the Free Application for Federal Student Aid (FAFSA).
Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to constituent information through its direct provision of services to Hartwick College.