Information Security Program (Policy IT-9)

This policy outlines the Information Security Program (“Program”) at Clarkson College. This policy directs the program to effectively secure data and information at Clarkson College and comply with regulations such as the Gramm-Leach-Bliley Act. Clarkson College follows NIST publication SP 800-171 as a baseline to guide its information security framework.

Procedure:

Designation of Representatives: 

The director of College Technology Services is appointed as the program officer who shall be responsible for coordinating and overseeing the program. The program officer may designate representatives in applicable departments to be responsible for maintaining covered data and information who shall take serious and meaningful steps to protect information in accordance with the program. (see Appendix) 

These designated representatives’ roles, responsibilities and the steps they take are consistent with the Clarkson College policies IT-10 Data Classification and Protection and IT-11 Data Stewardship.

Covered Data and Information: 

In this program, the term “covered data and information” is defined as and includes Student Financial Information required to be protected under the Gramm-Leach-Bliley Act (GLBA), as well as credit card information protected by the Payment Card Industry Data Security Standard (PCI DSS) that is received by the College in the course of business. Covered data and information includes both paper and electronic records.

Student Financial Information is defined as information that the College has obtained from a student in the process of offering a financial product or service, or such information provided to the College by another financial institution. Examples of offering a financial product or service include offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 C.F.R. 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories, and Social Security numbers.

Elements of the Program: 

  1. Risk Identification and Assessment. As part of the program, the College intends to identify and assess internal and external risks to the security, confidentiality and integrity of non-public financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. These risks include, but are not limited to: 
    1. Unauthorized access of covered data and information by someone other than the owner
    2. Compromised system security as a result of system access by an unauthorized person 
    3. Interception of data during transmission 
    4. Loss of data integrity 
    5. Physical loss of data in a disaster 
    6. Corruption of data or systems 
    7. Unauthorized access through hard copy files or reports 
    8. Unauthorized transfer of covered data and information through third parties 
    This is not a complete list of risks associated with the protection of covered data and information. Since technology is ever-changing, new risks are created regularly. In response, the College actively monitors new risks through the IT Risk Assessment.
  2. Design and Implement a Safeguards Program
    1. Security Awareness Training
      1. Clarkson College makes its policies outlining the safeguarding of information available to all faculty and staff members. Faculty and staff members are informed of the location of these policies upon employment and are educated to understand and adhere to them.
      2. Clarkson College faculty and staff members working in areas that interact with covered data and information are required to undergo security awareness training upon hire and annually thereafter to obtain and maintain access to information systems. Topics of the training may include the proper securing, handling and disposal of “Sensitive Data” and “Restricted Data”, cyber security best practices, and phishing/pretexting training.
      3. Security awareness training will be centrally provided to all Clarkson College employees (faculty, staff, administration, program directors, etc.).
      4. It is the responsibility of each manager to ensure that required training is completed by his or her staff.
    2. Information Systems and Information Processing and Disposal
      1. Clarkson College will take reasonable and appropriate steps consistent with current technology developments to provide for the security, safety, and integrity of all covered data and information. NIST publication SP 800-171 will be used as the baseline against which gaps in security controls are identified.
      2. When commercially reasonable, encryption technology will be used for covered data and information both in storage (at rest) and in transmission (in transit).
      3. Upon disposal of hardware, a record providing proof of destruction will be kept on file for systems containing covered data and information. 
    3. Detecting, Preventing, and Responding to Threats
      1. The program officer may designate representatives of the IT department to be responsible for the monitoring of threats, verification of system integrity, scanning of potential vulnerabilities, and remediation of risks.   
  3. Overseeing Service Providers
    1. Due to various constraints or specialized needs, outside service providers may be needed to provide resources the College determines not to provide on its own.
    2. In choosing service providers, an evaluation will be completed as defined in the IT-12 Vendor Management policy to determine that the provider can meet the required safeguards for confidential financial information.
    3. The appendix attached to this policy outlines a model contract provision to be used with service providers whose base contracts do not meet minimum requirements as of July 1, 2017.
  4. Evaluation and Adjustment to Program
    1. The Information Security Program will be subject to periodic review and adjustment. The most frequent reviews will occur between the program officer and designated representatives in response to risk identification, new threats, changing technologies and compliance regulations.
    2. The program officer will designate a role or function that maintains a plan of action to address identified improvements based on the periodic reviews and tracks completion of activities designed to correct deficiencies and reduce or eliminate vulnerabilities. The plan will be reviewed by the program officer and designated representatives to ensure progress is made to appropriately manage risk and improve the College information security posture.
    3. The Information Security Program will be subject to annual policy review before Leadership Council. Covered items may include:
      1. Review of compliance and operational imperatives
      2. Review of the Information Security Program 
      3. Review of IT Risk Assessment 
      4. Review of Service Provider controls 
      5. Review of Incident Response Plan 
      6. Review of current compliance requirements and controls 
      7. Vulnerability and Security Awareness Training results 
      8. Recommendations for program changes
      9. Recommendations for budgetary adjustments

Appendix: 

Listed below are the designated department representatives for the Information Security Program. 

  • Financial Aid: director of Financial Aid  
  • Registrar’s office: registrar 
  • Enrollment and Advising: director of Enrollment and Advising
  • Finance: Controller 
  • Human Resources: director of Human Resources 
  • Information Technology: director of College Technology Services 
  • Academics: vice president of Academic Affairs 
  • Professional Development: director of Professional Development 
  • Facilities: director of Facilities