Information Security Program (Policy IT-9)

This policy outlines the Information Security Program (“Program”) at Clarkson College. This policy directs the program to effectively secure data and information at Clarkson College and comply with regulations such as the Gramm-Leach-Bliley Act. Clarkson College follows NIST publication SP 800-171 as a baseline to guide its information security framework.

Procedure:

Designation of Representatives: 

The Director, College Technology Services is appointed as the Program Officer who shall be responsible for coordinating and overseeing the Program.  The Program Officer may designate representatives in applicable departments to be responsible for maintaining covered data and information who shall take serious and meaningful steps to protect information in accordance with the Program.  (see Appendix) 

These designated representatives’ roles, responsibilities, and the steps they take are consistent with Clarkson College’s policies IT-10 Data Classification and Protection and IT-11 Data Stewardship.

Covered Data and Information: 

In this Program, the term “covered data and information” is defined as and includes Student Financial Information required to be protected under the Gramm-Leach-Bliley Act (GLBA), as well as credit card information protected by the Payment Card Industry Data Security Standard that is received in the course of business by the College. Covered data and information includes both paper and electronic records.

Student Financial Information is defined as information that the College has obtained from a student in the process of offering a financial product or service, or such information provided to the College by another financial institution. Examples of offering a financial product or service include offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 C.F.R. 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories, and Social Security numbers.

Elements of the Program: 

  1. Risk Identification and Assessment.  As part of the Program, the College intends to identify and assess internal and external risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. These risks include, but are not limited to: 
    1. Unauthorized access of covered data and information by someone other than the owner
    2. Compromised system security as a result of system access by an unauthorized person 
    3. Interception of data during transmission 
    4. Loss of data integrity 
    5. Physical loss of data in a disaster 
    6. Corruption of data or systems 
    7. Unauthorized access through hard copy files or reports 
    8. Unauthorized transfer of covered data and information through third parties 
    This is not a complete list of risks associated with the protection of covered data and information. Since technology is ever-changing, new risks are created regularly. In response, the College actively monitors new risks through the IT Risk Assessment.
  2. Design and Implement a Safeguards Program.
    1. Security Awareness Training.
      1. Clarkson College makes its policies outlining the safeguarding of information available to all employees. Employees are informed of the location of these policies upon employment and are educated to understand and adhere to them.
      2. Clarkson College employees working in areas that interact with covered data and information are required to undergo security awareness training upon hire and annually thereafter to obtain and maintain access to information systems. Topics of the training may include proper security, handling, and disposal of “Sensitive Data” and “Restricted Data”, in addition to cybersecurity best practices and phishing/pretexting training.
      3. Security awareness training will be centrally provided to all Clarkson College employees (faculty, staff, administration, program directors, etc.).
      4. It is the responsibility of the manager to ensure that required training is completed.
    2. Information Systems and Information Processing and Disposal.
      1. Clarkson College will take reasonable and appropriate steps consistent with current technology developments to provide for the security, safety, and integrity of all covered data and information.  NIST publication SP 800-171 will be used as a baseline to define gaps in security. 
      2. When commercially reasonable, encryption technology will be used for both storage and transmission of covered data and information.   
      3. Upon disposal of hardware, a record providing proof of destruction will be kept on file for systems containing covered data and information. 
    3. Detecting, Preventing, and Responding to Threats.
      1. The Program Officer may designate representatives of the IT department to be responsible for the monitoring of threats, verification of system integrity, scanning of potential vulnerabilities, and remediation of risks.   
  3. Overseeing Service Providers
    1. Due to various constraints or specialized needs, outside service providers may be needed to provide resources the College determines not to provide on its own.
    2. In choosing service providers, an evaluation will be done to determine that the provider is capable of meeting the required safeguards for confidential financial information.
    3. Example provisions may include:
      1. An explicit acknowledgement that the contract allows the service provider to access confidential information; 
      2. A specific definition or description of the confidential information being provided; 
      3. A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract; 
      4. A provision providing the return or destruction of all confidential information received by the service provider upon completion or termination of the contract; 
      5. An agreement that any violation of the contract’s confidentiality conditions may constitute a material breach of the contract and entitles the College to terminate the contract without penalty; and 
      6. A provision ensuring that the contract’s confidentiality requirements shall survive any termination agreement. 
    4. The appendix attached to this agreement outlines a model contract provision to be used with all future applicable service providers on or after July 1, 2017. 
  4. Evaluation and Adjustment to Program
    1. The Information Security Program will be subject to periodic review and adjustment.  The most frequent reviews will occur between the Program Officer and designated representatives in response to risk identification, new threats, changing technologies, and compliance regulations.   
    2. The Program Officer will designate a role or function that maintains a plan of action to address identified improvements based on the periodic reviews and track completion of activities designed to correct deficiencies and reduce or eliminate vulnerabilities. The plan will be reviewed by the Program Officer and designated representatives to ensure progress is made to appropriately manage risk and improve the College’s information security posture.
    3. The Information Security Program will be subject to annual policy review before Operations Council.  Covered items may include: 
      1. Review of compliance and operational imperatives
      2. Review of the Information Security Program 
      3. Review of IT Risk Assessment 
      4. Review of Service Provider controls 
      5. Review of Incident Response Plan 
      6. Review of current compliance requirements and controls 
      7. Vulnerability and Security Awareness Training results 
      8. Recommendations for program changes
      9. Recommendations for budgetary adjustments

Appendix: 

Listed below are the designated department representatives for the Information Security Program. 

  • Financial Aid: Director, Financial Aid  
  • Registrar’s Office: Registrar 
  • Admissions: Director, Admissions 
  • Finance: Controller 
  • Human Resources: Director, Human Resources 
  • Information Technology: Director, College Technology Services 
  • Academics: VP, Academic Affairs 
  • Professional Development: Director, Professional Development 
  • Facilities: Director, Facilities