This Information Security Plan describes TTC’s procedures for protecting covered data and information. The plan complies with federal statutes and regulations, specifically the Federal Trade Commission “Safeguards Rule” (16 CFR Part 314, Standards for Safeguarding Customer Information; Final Rule) and the Gramm-Leach-Bliley Act of 1999 (GLBA). Trident Technical College’s Information Security Task Force developed this Information Security Plan, which applies to, but is not limited to, Business Operations, Admissions and the Registrar’s Office, Financial Aid, Student Services, Learning Resource Centers, the Bookstore, Institutional Research, Information Services, Systems Operations Services, Information Technology Services, and many third party contractors.
The Federal Trade Commission’s “Safeguards Rule” requires that the Information Security Plan address the following:
- Designation of responsibility for coordinating the Information Security Plan
- Assessment of reasonably foreseeable risks, both internal and external
- Identification of safeguards for managing known risks with routine monitoring and testing of safeguards
- Oversight of contractual agreements with college service providers to ensure service providers are capable of safeguarding financial information
- Evaluation, documentation, and adjustment to the Information Security Plan on an annual basis
TTC Policy 3-1-0, “Use of Information Technology Resources” and Procedure 16-7-1, “Student Records, Confidentiality” are included in this plan by reference and are part of the college’s commitment to maintaining and limiting access and use of covered systems and data, as required by federal and state statutes and regulations.
Covered data and information for the purpose of this procedure include student financial information required to be protected under the Gramm-Leach-Bliley Act (GLBA). In addition to this coverage, which is required under federal law, TTC chooses as a matter of procedure to also include in this definition any credit card information received in the course of business by the college, whether or not such credit card information is covered by GLBA. Covered data and information includes both paper and electronic records.
Student financial information is information the college has obtained from a student in the process of offering a financial product or service, or such information provided to the college by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, in both paper and electronic format.
III. Coordination of the Information Security Plan
The Assistant Vice President for Student Services (Chair), the Information Technology Security Manager, the Finance Director, the Assistant Vice President for Instruction, and the Institutional Records Officer and Custodian serve on the Financial Information Plan Task Force (the Task Force) to coordinate the implementation of this plan.
IV. Assessment of Risks
TTC recognizes that it has both internal and external financial risks. These risks include, but are not limited to:
- Unauthorized access of covered data and information by someone other than the owner of the covered data and information
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of covered data and information by employees
- Unauthorized requests for covered data and information
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of covered data and information through third parties
In order to protect the security and integrity of the college network and its data, the college’s Information Technology Division will:
- Develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks, in collaboration with governing agencies.
- Assure the timely installation of patches for operating systems or software in collaboration with third party service providers’ installation and certification requirements. Responsibilities include: (a) keeping operating systems and software environments reasonably up to date; (b) maintaining records of patch/update activities and reviewing procedures for patches to operating systems and software; and (c) staying current on potential threats to the network and its data.
Additionally, the Trident Users Group (TUG) committee has been appointed to review existing schedules and make recommendations for continued compliance.
V. Safeguard for Social Security Numbers
Several college departments will continue to use social security numbers in the college’s information systems. Social security numbers are considered protected information under both the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA). All TTC employees who have access to social security numbers have the responsibility to safeguard and protect them.
VI. Design and Implementation of Safeguards Program
1. Employee Training and Education
References are checked for new employees. The Human Resources Director will conduct training for every appropriate current employee and new employee during employee orientation on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Appropriate employees will sign a confidentiality agreement to indicate their understanding and agreement with their privacy and safeguarding obligations. All employees will receive information and training as appropriate on the proper use of computer information and passwords. Training also includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including “pretext calling”¹, and how to properly dispose of documents that contain covered data and information. Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. These training efforts should help minimize risk and safeguard covered data and information security.
2. Physical Security
TTC has addressed the physical security of covered data and information by limiting access to only those employees who have a business reason to know such information.
Loan files, account information, and other paper documents are kept in file cabinets, rooms, or vaults that are locked each night. Only authorized employees know combinations and have access to keys. Paper documents that contain covered data and information are shredded at time of disposal.
VII. Information Systems
Access to covered data and information via TTC’s computer information system is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and a distinct password. Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to TTC employees in appropriate departments and positions.
TTC will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission.
GLBA requires the college to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Procurement Director, after consultation with the college’s Vice President for Finance and Administration, will develop standard, contractual provisions applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. All relevant future contracts between the college and these service providers should contain these provisions. Any deviation from these standard provisions will require prior approval. Contracts with service providers may include the following provisions:
- An explicit acknowledgement that the contract allows the contract partner access to confidential information;
- A specific definition or description of the confidential information being provided;
- A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- A guarantee from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own information;
- A stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract;
- A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
- An agreement that any violation of the contract’s confidentiality conditions may constitute a material breach of the contract and entitles TTC to terminate the contract without penalty;
- A provision ensuring that the contract’s confidentiality requirements shall survive any termination agreement; and
- A provision allowing auditing of the contract partners’ compliance with the contract safeguard requirements.
VIII. Evaluation and Revision of the Information Security Plan
GLBA mandates that this Information Security Plan be subject to periodic review and adjustment. The plan and TTC’s related policies and procedures will be reevaluated by the Task Force in February of each year in order to assure ongoing compliance with existing laws and regulations. Also in February of each year, the Task Force will review and update lists from divisional vice presidents identifying departmental managers who are responsible for the physical security of computers and/or hardware located within their departments. Also each year, the Task Force will obtain and review an updated list of the college’s computer inventory from the Inventory Supply Specialist. This review will be based upon the college’s Equipment Inventory Management Procedure, 10-0-2. As a result of the evaluations and reviews, it may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data, and internal or external threats to information security.
The Task Force will continue to identify and monitor risks to the security and privacy of information. The Task Force will present a written report to the President’s cabinet by March 1 each year which includes an evaluation of risks related to compliance, design and implementation of the college’s information security program. The report will also include recommendations on how to reasonably safeguard information systems. Recommendations for revisions to related policies and procedures will include both positive and negative impacts on all college operations and academic programs.
¹ “Pretext calling” occurs when an individual improperly obtains personal information of college customers so as to be able to commit identity theft. It is accomplished by contacting the college, posing as a customer or someone authorized to have the customer’s information, and through the use of trickery and deceit, convincing an employee of the college to release customer identifying information.