Hartwick College
Information Security Plan

In order to protect Hartwick College’s critical business information and data, and to comply with the Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), the Office of Information & Planning recommends the adoption and review of the College’s various practices for safeguarding and disseminating College information and information about the College’s constituents. The recommended practices primarily build upon the “authorized access and use” policies adopted when the College implemented the Datatel system, and mostly affect the technology areas; however, some of the recommended policies and procedures have a broader, College-wide impact, including on some of the College’s third-party service providers. The purpose of this document is to define the College’s Information Security Plan (the Plan), to outline how ongoing compliance with the federal regulations related to the Plan will be assured, and to position the College to address future changes in privacy and security regulations.

The Financial Services Modernization Act of 1999 (FSMA) (Gramm-Leach-Bliley Act (GLB)) Requirements
The FSMA requires that the College appoint an Information Security Plan Coordinator; identify and assess reasonably foreseeable security and privacy risks; design and implement a safeguards program (information security plan); institute a training and awareness program for all employees who have access to covered data and information; oversee service providers and contracts and require them to demonstrate appropriate safeguards; and evaluate and adjust the Information Security Plan periodically.

Plan provisions include:
Information Security Plan Coordinator
Risk Assessment and Safeguards
Employee Training and Education
Oversight of Service Providers and Contracts
Evaluation and Revision of the Information Security Plan
Definitions

I. Information Security Plan Coordinator
Hartwick College has designated an Information Security Plan Coordinator. This individual works closely with the College’s Counsel, the College’s external auditors, the College’s Board of Trustees (in particular the Audit Committee of the Board), and the College Cabinet. The Coordinator is the Vice President and Chief Information & Finance Officer. The Coordinator may delegate compliance responsibilities to other individuals as appropriate.

The Coordinator will provide guidance in complying with applicable regulations and overall College policies. The Coordinator or her designee will assist College offices and departments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of College constituent information; develop departmental policies and procedures; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program; regularly monitor and test the program; and coordinate review with annual audits, accreditation, and state/agency reviews.

II. Risk Assessment and Safeguards
The following areas and procedures have been identified as particularly important to information security.

Annual Information Security Review
The Coordinator will identify potential and actual risks to security and privacy of information across the College. Each major division of the College will conduct an annual information security review to include all areas within the division, with guidance from the Coordinator. College Cabinet members are responsible for identifying all employees in their respective areas who work with data and information that is covered by FSMA, FERPA, or other applicable regulations.  Cabinet members will also be responsible for ensuring that appropriate department-level policies and procedures are documented and current and that employees are knowledgeable about specific procedures for their departments.

In addition, Technology Services areas will conduct a quarterly review of procedures, incidents, and responses. The review will be documented in a report to the Coordinator. In order to educate the broader campus community about network security and privacy issues, Technology Services will publish summaries of findings and “best practices,” except where publication could itself lead to a breach of security or privacy. Technology Services will ensure that its procedures and responses appropriately reflect those practiced at other independent colleges and universities, as measured against security advisory groups (the Educause Security Institute, the SANS Top Twenty risks list, the federal NIST Computer Security Resource Center, etc.), and as recommended by the College’s external auditors, the College’s Counsel, or other advisors.

While Technology Services is responsible for identifying internal and external risks, all members of the College community share responsibility for risk assessment. Technology Services, working in conjunction with the relevant College departments and offices, will conduct regular risk assessments, including but not limited to the risk categories listed by the FSMA.

Technology Services will work with the relevant offices (Finance, Human Resources, the Registrar, Academic Affairs, Student Life, Institutional Advancement, and the Library, among others) to develop and maintain a registry of faculty, staff, and student employees who have access to covered data and information. Technology Services, in cooperation with Human Resources, will work to keep this registry up to date.

The Coordinator will periodically review the College's disaster recovery program and data-retention policies and present a report to the College Cabinet. This typically will be done in conjunction with the annual financial and A-133 audits.

Server & System Security
Technology Services is responsible for physical security of all central servers that contain covered data and information. Technology Services will work with other areas of the College to develop guidelines for security of any covered servers in locations outside the central server area which are maintained by staff other than Technology Services staff or that are maintained by third-party service providers.

Service Packs, Patches, and Upgrades: Technology Services is responsible for ensuring that patches and service-level releases for operating systems and software environments are kept up to date, and will keep records of patching and upgrade activity. Technology Services will review its procedures for applying patches and service-level upgrades to operating systems and software, and will keep current on potential threats to the network and its data. Risk assessments will be updated quarterly.

Encryption: Technology Services will develop a plan to ensure that all covered electronic information is encrypted in transit and that the central databases and servers holding it are strongly protected against security risks.

Security Response: Technology Services will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.

Institutional Information System (Datatel)
In order to protect the security and integrity of the College network and its data, Technology Services maintains a registry of all personnel with account and log-in privileges on its central Institutional Information Systems (Datatel) server. This registry, and the individual security classes it records, will be reviewed on a quarterly basis, with an additional annual review by departmental supervisors and Cabinet-level administrators of the individuals holding privileges and access.

Technology Services, working in cooperation with the relevant departments, will develop and maintain a data handbook listing the persons (“module leaders”) responsible for each covered data field in the relevant software systems (financial, student administration, development, etc.). Technology Services and the relevant departments will conduct ongoing (at least biannual) audits of activity, and will report any significant questionable activity. System users will be advised to report any questionable changes in data to the Institutional Information Systems Senior Systems Manager.

Non-Electronic Records
The College will conduct a survey of other physical security risks, including the storage of and access to covered paper records, and other procedures that may expose the College to risks.

Personal Identification Codes (IDs, SSN)
While the College does not use Social Security numbers as student or employee identifiers, one of the largest security risks may be non-standard practices concerning Social Security numbers, e.g. continued reliance by some College employees on Social Security numbers as a means of identification. Social Security numbers are considered protected information under both the FSMA and the Family Educational Rights and Privacy Act (FERPA). By necessity, student Social Security numbers still remain in the College student and employee information system. The College will conduct an assessment to determine who has access to Social Security numbers, in which systems the numbers are still used, and in which instances students may be inappropriately asked to provide a Social Security number. This assessment will cover College employees and subcontracted service providers (food service, tuition payment plan, loan servicing, long distance telephone service providers).

Human Resources
Employee Background Checks:
It is recommended that Human Resources and Academic Affairs, with the advice of College Counsel, determine whether more extensive background or reference checks, or other forms of confirmation, are prudent in the hiring process for certain new employees, for example employees who will handle confidential student or financial information.

Access to Employee, Student, Alumni, and Donor Information Policy: The employee handbook and Faculty Manual will be amended to include a statement pertaining to authorized access to covered data. This policy statement is modeled largely upon the College’s existing Institutional Information Systems/Services log-in agreement.

Confidentiality Agreement: All employees will be asked to sign an agreement in which they agree to follow Hartwick’s confidentiality and security standards for handling College constituent information (exhibit 3). This is in addition to acknowledging receipt of the Hartwick College Technology Resources User Responsibilities and “Acceptable Use” Policy, and attending “Responsible Use of Technology” training.

III. Employee Training and Education
While department directors and supervisors are ultimately responsible for ensuring compliance with information security practices and for providing department-specific and function-specific training, Technology Services and Human Resources will continue to provide broad-based training and education programs for all employees who have access to covered data (“Responsible Use of Technology” and “Datatel Orientation” training). In addition, specialized training and workshop sessions will be conducted for information technology professionals who have general access to all College data. New employee orientation will be modified to include a discussion of information and systems security and of the Hartwick College Technology Resources User Responsibilities and Appropriate Use Policy.

IV. Oversight of Service Providers and Contracts
The FSMA requires Hartwick College to take reasonable steps to select and retain service providers that maintain appropriate safeguards for covered data and information. Auxiliary Services, in cooperation with the Office of the Vice President and Chief Information & Finance Officer, will develop and send form letters to all covered contractors requesting assurances of FSMA compliance. While contracts entered into prior to June 24, 2002 are “grandfathered” until May 2004, the Office of the VP and CIO/CFO will take steps to ensure that all relevant contracts include a privacy clause and that all existing contracts are in compliance with the FSMA.

V. Evaluation and Revision of the Information Security Plan
The FSMA mandates that this Information Security Plan be subject to periodic review and adjustment. The most frequent of these reviews will occur within Technology Services, where constantly changing technology and constantly evolving risks make quarterly reviews prudent. Processes in other relevant offices of the College, such as data access procedures and training programs, should undergo regular review at least annually. The Plan itself, as well as the related data-retention policy, should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations. This review should take place as part of the annual external audit.

VI. Definitions
Covered data and information, for the purpose of this policy, includes constituent financial information required to be protected under the Gramm-Leach-Bliley Act (GLB), and data required to be protected under the Family Educational Rights and Privacy Act (FERPA). In addition to the coverage required by federal law, Hartwick College chooses as a matter of policy to define covered data and information to also include any credit card information received by the College in the course of business, whether or not such credit card information is covered by the FSMA. Covered data and information includes both paper and electronic records.

Constituent information means any record containing non-public personal information about a constituent of the College (student, employee, alumnus/ae, donor, parent, trustee, etc.) whether in paper, electronic, or another form, that is handled or maintained by or on behalf of the College.

Constituent financial information is information the College has obtained from a constituent (student, employee, parent, alumnus/ae, donor, etc.) in the process of offering a financial product or service, or such information provided to the College by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. A non-exhaustive list of examples of constituent financial information includes addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers, in both paper and electronic format.

Information security program means the administrative, technical, or physical safeguards the College uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle constituent information.

Non-public personal information is defined as “personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available” (16 CFR § 313.3(n)(1)). An example for colleges and universities would be the information a student provides on the Free Application for Federal Student Aid (FAFSA).

Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to constituent information through its direct provision of services to Hartwick College.
