Information Security Program
When was this document updated?
April 6, 2017
Prepared by John Dunning, CIO and ISPC, based on an initial draft prepared by Ann Burk, CIO for Chadron State College
In accordance with Nebraska State College System (NSCS) Board Policy 7004, the Wayne State College (College) Information Security Program (ISP) is established to protect the confidentiality, integrity, and availability of data, systems, services, and infrastructure components in compliance with the Gramm-Leach-Bliley Act (GLBA). This ISP also serves as the Identity Theft Prevention Program in compliance with the Federal Trade Commission's Red Flags Rule.
Under the GLBA, the Federal Trade Commission issued the Safeguards Rule and related regulations, which require covered institutions to:
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to the security or integrity of such information
- Guard against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Consistent with its efforts to meet these objectives, the College will:
- Develop, implement, and maintain this written ISP.
- Designate an Information Security Program Coordinator (ISPC) to oversee the ISP.
- Conduct risk assessments to identify foreseeable internal and external risks that could lead to unauthorized disclosure or misuse of confidential information.
- Develop written policies and procedures (safeguards) to minimize, manage, and control these risks.
- Contractually require third-party providers to implement and maintain confidentiality safeguards.
- Evaluate and adjust the ISP to reflect changes in technology, the sensitivity of covered data, and internal or external threats to information security.
Roles and responsibilities
- College Information Technology (NATS) employees are responsible for overall technology security and implementation
- College Employees and students are responsible for following guidance regarding technology use and security in their respective handbooks, institutional policy and procedure, NSCS policy, and applicable state and federal law
- Contractors and vendors are responsible for performing their contracted service in a secure fashion
Information Security Program Coordinator
The College’s Chief Information Officer (CIO) has been appointed as the Information Security Program Coordinator (ISPC) by the President of Wayne State College. The ISPC will work with all relevant areas of the College to identify reasonably foreseeable risks to the security, confidentiality and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program; and monitor and test the program.
An annual ISP report, prepared by the ISPC, will be provided to the President's Staff. The report may include risk assessments, controls to mitigate risks, the effectiveness of those controls, summaries of monitoring activities, actions taken to correct security concerns, and other information that provides assurance that the ISP is implemented and maintained.
Identification and Assessment of Risks to Customer Information
Risk assessment is the foundation upon which informed security management decisions are made. The ISPC will work with all relevant areas of the College to identify foreseeable internal and external risks, both potential and actual, to the security and privacy of information. The ISPC will work with staff and/or vendors to develop assessment procedures and to ensure that assessments and mitigation actions reflect those widely practiced in higher education, as informed by the EDUCAUSE Information Security Program, which takes into account NIST, COBIT, and ISO security standards. Risk assessments will be reviewed and refreshed annually. Risk assessment reports will be posted on the NATS G: drive.
Potential risks include, but are not limited to:
- Unauthorized access to covered data and information by someone other than the owner of the covered data and information
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access to covered data and information by employees
- Unauthorized requests for covered data and information
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of covered data and information through third parties
Safeguards to Protect Against Risk
The ISPC will ensure that an evolving matrix of safeguards is identified, implemented, monitored, and maintained. Safeguards, reflecting current risk assessments, will be matched to institutional resources and will evolve, on a best-effort basis, to provide security and confidentiality for covered data and information maintained by the College. Additionally, safeguards will be designed to reasonably protect against currently anticipated threats or hazards to the integrity of such information. Such safeguards will include the following:
Employee Management and Training
Safeguards will include management and training of those individuals with authorized access to covered data.
The ISPC, working with responsible offices and units, will identify categories of employees or others who have access to covered data. The ISPC will ensure that appropriate training and education are provided to all employees who have access to covered data. Such training will include education on relevant policies and procedures and on other safeguards in place or developed to protect covered data. Training and education may also include newsletters, promotions, or other programs to increase awareness.
Depending on the position, references and/or background checks will be performed, as appropriate, for new employees in areas that regularly handle covered data and information before access to that data is granted. During employee orientation, each new employee in these departments will receive proper training on the importance of the confidentiality of student records, student financial information, and all other covered data and information. Each new employee will receive training in the proper use of computer information and passwords, in the controls and procedures that prevent employees from providing data to an unauthorized individual, and in how to properly dispose of documents that contain covered data and information.
The physical security of covered data and information and technology resources such as network and server infrastructure will be protected by monitoring and limiting access to only those employees who have a legitimate business reason to access such resources or handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available to only those employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining covered data and information will be instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards such as fire and water damage, or technical failures.
Access to covered data and information will be limited to those employees who have a legitimate business reason to access such information. The College will have policies and procedures in place to complement the physical and technical safeguards in order to provide security to information systems. Policies will be maintained on the College policy management system and made available for viewing from the policy web site.
Management of System Failures
NATS will develop and maintain a written plan and procedures for implementing systems that prevent, detect, and respond to attacks, intrusions, and other system failures. Such systems may include anti-virus software; appropriate security levels on desktops; obtaining and installing vendor patches to correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing backup media appropriately and securely; and other reasonable measures to protect the integrity and safety of information systems.
Monitoring and Testing
Monitoring systems will be implemented to regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed and to swiftly detect and correct breakdowns in security. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided. Monitoring may include sampling, system checks, system access reports, physical access reports, reviews of logs, audits, and any other reasonable measures adequate to verify that the ISP’s controls, systems and procedures are working.
Oversight of Service Providers
GLBA requires the College to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. In the course of business, the College may share covered data with third parties. Such activities may include collection activities, transmission of data or documents, destruction of documents or media, or other similar services.
Under this ISP, the College will take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and will require service providers, by contract, to implement and maintain such safeguards.
The ISPC will identify service providers who have or will have access to covered data and will work with the NSCS legal staff and other offices, as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data.
Continuing Evaluation and Adjustment
This ISP will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation, and maintenance of the ISP will be the responsibility of the ISPC, who will assign specific responsibility for the implementation and administration of technical, logical, physical, and administrative safeguards as appropriate. The ISPC will review the standards set forth in this ISP and recommend updates and revisions as necessary; it may be necessary to adjust the ISP to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security. A copy of the ISP will be provided to the NSCS office.
Covered data and information
Student financial information (defined below) that is protected under the GLBA. In addition to this coverage, which is required under federal law, the College chooses to include in this definition sensitive (non-directory) data received by the College in the course of business, whether or not such information is covered by the GLBA. Covered data and information includes both paper and electronic records.
Student financial information
Information the College has obtained from a student or customer in the process of offering a financial product or service, or information provided by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student or parent, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, account numbers, account balances, tax return information, driver’s license number, date/location of birth, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.
Related Policies, Standards and Guidelines
The College has adopted policies, standards, and guidelines relating to information security, which are incorporated by reference into this ISP. They include:
- NSCS Board Policy 2070 – Records of the System
- NSCS Board Policy 3650 – Student Records
- NSCS Board Policy 4651 – Academic Responsibility - Faculty
- NSCS Board Policy 5018 – Employee Personnel Records
- NSCS Board Policy 5008 – Employee Use of System Computers
- NSCS Board Policy 5018 – Personnel Information
- NSCS Board Policy 7004 – Federal Personal Information Security Program
- NSCS Board Policy 7008 – Risk Management
- NSCS Board Policy 7014 – Inventories and Disposal of Surplus Personal Property
- Dear Colleague Letter GEN-15-18
- Dear Colleague Letter GEN-16-12
- Gramm-Leach-Bliley Act (15 U.S. Code 6801)
- Title IV Federal Student Aid Program Participation Agreement
- Student Aid Internet Gateway (SAIG) Enrollment Agreement
- National Institute of Standards and Technology (NIST) Special Publication 800-171
- An Introduction to NIST Special Publication 800-171 for Higher Education Institutions