Information Security Program (Policy IT-9)
This policy outlines the Information Security Program (“Program”) at Clarkson College. This policy directs the program to effectively secure data and information at Clarkson College and comply with regulations such as the Gramm-Leach-Bliley Act. Clarkson College follows NIST publication SP 800-171 as a baseline to guide its information security framework.
Procedure:
Designation of Representatives:
The director of College Technology Services is appointed as the program officer who shall be responsible for coordinating and overseeing the program. The program officer may designate representatives in applicable departments to be responsible for maintaining covered data and information who shall take serious and meaningful steps to protect information in accordance with the program. (see Appendix)
These designated representatives’ roles, responsibilities and the steps they take are consistent with the Clarkson College policies IT-10 Data Classification and Protection and IT-11 Data Stewardship.
Covered Data and Information:
In this program, the term “covered data and information” is defined as and includes Student Financial Information required to be protected under the Gramm-Leach-Bliley Act (GLBA), as well as credit card information protected by the Payment Card Industry Data Security Standard that is received in the course of business by the College. Covered data and information includes both paper and electronic records.
Student Financial Information is defined as information that the College has obtained from a student in the process of offering a financial product or service, or such information provided to the College by another financial institution. Examples of offering a financial product or service include offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 C.F.R. 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories, and Social Security numbers.
Elements of the Program:
- Risk Identification and Assessment. As part of the program, the College intends to identify and assess internal and external risks to the security, confidentiality and integrity of non-public financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. These risks include, but are not limited to:
  - Unauthorized access of covered data and information by someone other than the owner
  - Compromised system security as a result of system access by an unauthorized person
  - Interception of data during transmission
  - Loss of data integrity
  - Physical loss of data in a disaster
  - Corruption of data or systems
  - Unauthorized access through hard copy files or reports
  - Unauthorized transfer of covered data and information through third parties
- Design and Implement a Safeguards Program
  - Security Awareness Training
    - Clarkson College makes its policies outlining the safeguarding of information available to all faculty and staff members. Faculty and staff members are informed of the location of these policies upon employment and are educated to understand and adhere to them.
    - Clarkson College faculty and staff members working in areas that interact with covered data and information are required to undergo security awareness training upon hire and annually thereafter to obtain and maintain access to information systems. Topics of the training may include proper security, handling, and disposal of “Sensitive Data” and “Restricted Data” in addition to cyber security best practices and phishing/pretexting training.
    - Security awareness training will be centrally provided to all Clarkson College employees (faculty, staff, administration, program directors, etc.).
    - It is the responsibility of the manager to enforce that required training is completed.
  - Information Systems and Information Processing and Disposal
    - Clarkson College will take reasonable and appropriate steps consistent with current technology developments to provide for the security, safety, and integrity of all covered data and information. NIST publication SP 800-171 will be used as a baseline to define gaps in security.
    - When commercially reasonable, encryption technology will be used for both storage and transmission of covered data and information.
    - Upon disposal of hardware, a record providing proof of destruction will be kept on file for systems containing covered data and information.
  - Detecting, Preventing, and Responding to Threats
    - The program officer may designate representatives of the IT department to be responsible for the monitoring of threats, verification of system integrity, scanning of potential vulnerabilities, and remediation of risks.
- Overseeing Service Providers
  - Due to various constraints or specialized needs, outside service providers may be needed to provide resources the College determines not to provide on its own.
  - In choosing service providers, an evaluation will be completed as defined in the IT-12 Vendor Management policy to determine that the provider can meet the required safeguards for confidential financial information.
  - The appendix attached to this agreement outlines a model contract provision to be used with service providers whose base contracts do not meet minimum requirements as of July 1, 2017.
- Evaluation and Adjustment to Program
  - The Information Security Program will be subject to periodic review and adjustment. The most frequent reviews will occur between the Program officer and designated representatives in response to risk identification, new threats, changing technologies and compliance regulations.
  - The Program officer will designate a role or function that maintains a plan of action to address identified improvements based on the periodic reviews and tracks completion of activities designed to correct deficiencies and reduce or eliminate vulnerabilities. The plan will be reviewed by the Program officer and designated representatives to ensure progress is made to appropriately manage risk and improve the College information security posture.
  - The Information Security Program will be subject to annual policy review before Leadership Council. Covered items may include:
    - Review of compliance and operational imperatives
    - Review of the Information Security Program
    - Review of IT Risk Assessment
    - Review of Service Provider controls
    - Review of Incident Response Plan
    - Review of current compliance requirements and controls
    - Vulnerability and Security Awareness Training results
    - Recommendations for program changes
    - Recommendations for budgetary adjustments
Appendix:
Listed below are the designated department representatives for the Information Security Program.
- Financial Aid: director of Financial Aid
- Registrar’s office: registrar
- Enrollment and Advising: director of Enrollment and Advising
- Finance: Controller
- Human Resources: director of Human Resources
- Information Technology: director of College Technology Services
- Academics: vice president of Academic Affairs
- Professional Development: director of Professional Development
- Facilities: director of Facilities