In order to protect critical information and data, and to comply with federal law, Belmont University adopts the following practices in the university information environment and institutional information security procedures. While these practices mostly affect Belmont’s information technology operations, some of them will impact diverse areas of the university, including but not limited to Finance and Accounting, Registrar, University Advancement, Student Affairs, the Library, and third party contractors, including food services. The goal of this document is to define the University's Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the program and to position the university for compliance with likely future privacy and security regulations.
II. Gramm Leach Bliley (GLB) Requirements
GLB mandates that the university appoint an Information Security Plan Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.
III. Information Security Plan Coordinator
In order to comply with GLB, Belmont has designated an Information Security Policy Coordinator. This individual must work closely with the University Counsel's office, the IT department, as well as all relevant academic and administrative colleges and schools throughout the university.
The Coordinator must help the relevant offices of the university identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.
IV. Risk Assessment and Safeguards
The Coordinator must work with all relevant areas of the university to identify potential and actual risks to security and privacy of information. Each college or school head, or her designee, will conduct an annual data security review, with guidance from the coordinator. Vice Presidents will be asked to identify any employees in their respective areas that work with covered data and information. In addition, Data and Information Systems, User Services and Technology Services will conduct a quarterly review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication may likely lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the university community on network security and privacy issues. In order to protect the security and integrity of the university network and its data, Technology Services/User Services will develop and maintain a registry of all computers attached to the university network. This registry will include, where relevant, IP address or subnet, MAC address, physical location, operating system, intended use (server, personal computer, lab machine, dorm machine, etc.), the person, persons, or department primarily responsible for the machine, and whether the machine has or has special access to any confidential data covered by relevant external laws or regulations. Technology Services assumes the responsibility of assuring that patches for operating systems or software environments are reasonably up to date, and will keep records of patching activity. Technology Services will review its procedures for patches to operating systems and software, and will keep current on potential threats to the network and its data. Risk assessments will be updated quarterly. Technology Services bears primary responsibility for the identification of internal and external risk assessment, but all members of the university community are involved in risk assessment. Technology Services, working in conjunction with the relevant university offices, will conduct regular risk assessments, including but not limited to the categories listed by GLB.
Administrative Computing and Instructional Technology (ACIT), working in cooperation with relevant university offices, will develop and maintain a data handbook, listing those persons or offices responsible for each covered data field in relevant software systems (financial, student administration, development, etc.). DIS and the relevant departments will conduct ongoing (at least biannual) audits of activity, and will report any significant questionable activities.
ACIT will work with the relevant offices (Finance and Accounting, Human Resources, the Registrar, University Advancement, and the Library, among others) to develop and maintain a registry of those members of the university community who have access to covered data and information. ACIT in cooperation with Human Resources and Finance and Accounting will work to keep this registry rigorously up to date. Technology Services will assure the physical security of all servers and terminals which contain or have access to covered data and information. Technology Services will work with other relevant areas of the university to develop guidelines for physical security of any covered servers in locations outside the central server area. The university will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, and other procedures which may expose the university to risks.
Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). The University will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are used, and in what instances students are being asked to provide a social security number. This assessment will cover university employees as well as subcontractors such as food services.
Technology Services/ACIT will develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks.
It is recommended that relevant offices of the university decide whether more extensive background or reference checks or other forms of confirmation are prudent in the hiring process for certain new employees, for example employees handling confidential financial information.
Technology Services will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.
The Information Security Coordinator will review the university's disaster recovery program and data-retention policies and present a report to the Vice Presidents.
V. Employee training and education
While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, Technology Services/DIS and the Office of University Counsel will work in cooperation with the Office of Human Resources to develop training and education programs for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology who have general access to all university data; custodians of data in other university offices, and those employees who use the data as part of their essential job duties.
VI. Selection of Appropriate Service Providers
Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that Belmont determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard confidential financial information.
Contracts with service providers may include the following provisions:
• An explicit acknowledgment that the contract allows the contract partner access to confidential information;
• A specific definition or description of the confidential information being provided;
• A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
• An assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own confidential information;
• A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
• An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles Belmont to terminate the contract without penalty; and
• A provision ensuring that the contract’s confidentiality requirements shall survive any termination agreement.
VII. Oversight of Service Providers and Contracts
GLB requires the university to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Finance and Accounting, in cooperation with the Office of University Counsel, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. While contracts entered into prior to June 24, 2002 are grandfathered until May 2004, the Office of University Counsel will take steps to ensure that all relevant future contracts include a privacy clause and that all existing contracts are in compliance with GLB.
VIII. Evaluation and Revision of the Information Security Plan
GLB mandates that this Information Security Plan be subject to periodic review and adjustment. The most frequent of these reviews will occur within Technology Services where constantly changing technology and constantly evolving risks indicate the wisdom of quarterly reviews. Processes in other relevant offices of the university such as data access procedures and the training program should undergo regular review. The plan itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.
Covered data and information for the purpose of this policy includes student financial information required to be protected under the Gramm Leach Bliley Act (GLB). In addition to this coverage which is required by federal law, Belmont chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the university, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.
Student financial information is that information the university has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.