This Information Security Plan describes TTC’s procedures in order to protect covered data and information. The plan complies with federal statutes and regulations, specifically the Federal Trade Commission “Safeguards Rule” (16 CFR Part 314, Standards for Safeguarding Customer Information; Final Rule) and the Gramm-Leach-Bliley Act of 1999 (GLBA). Trident Technical College’s Information Security Task Force developed this Information Security Plan which applies to, but is not limited to, Business Operations, Admissions and the Registrar’s Office, Financial Aid, Student Services, Learning Resource Centers, the Bookstore, Institutional Research, Information Services, Systems Operations Services, Information Technology Services, all faculty and staff, and many third party contractors.
The Federal Trade Commission’s “Safeguards Rule” requires that the Information Security Plan address the following:
- Designation of the coordination of the Information Security Plan
- Assessment of reasonably foreseeable risks, both internal and external
- Identification of safeguards for managing known risks with routine monitoring and testing of safeguards
- Oversight of contractual agreements with college service providers to ensure service providers are capable of safeguarding financial information
- Evaluation, documentation, and adjustment to the Information Security Plan on an annual basis
TTC Policy 3-1-0 and TTC Procedure 3-1-1, “Use of Information Technology Resources,” and TTC Procedure 16-7-1, “Student Records, Confidentiality,” are included in this plan by reference and are part of the college’s commitment to maintaining and limiting access to and use of covered systems and data, as required by federal and state statutes and regulations. In addition, it is essential that employees review and understand the response requirements for ‘red flag’ identity theft incidents and/or breaches of confidential data as outlined in TTC Procedure 6-18-1, Red Flags Rule Identity Theft Prevention Plan.
Covered data and information for the purpose of this procedure include student financial information required to be protected under the Gramm-Leach-Bliley Act (GLBA). In addition to this coverage, which is required under federal law, TTC chooses as a matter of procedure to also include in this definition any credit card information received in the course of business by the college, whether or not such credit card information is covered by GLBA. Covered data and information includes both paper and electronic records.
FERPA (Family Educational Rights and Privacy Act) requirements also apply to the definitions in this procedure as outlined in TTC Procedure 16-7-1, Confidentiality of Student Records. In particular, the prohibition on releasing personally identifiable information in TTC Procedure 16-7-1 also applies to information protected under GLBA:
FERPA regulations specifically prohibit the use of “personally identifiable information that, alone or in combination, links or is linkable to a specific student's identity” without the student's permission. Social Security numbers are personally identifiable and contain private information that is part of the student's education records. The College may choose to restrict a student's birth date and birthplace as personally identifiable information as a protection from identity theft.
HIPAA (Health Insurance Portability and Accountability Act) privacy regulations require health care providers and organizations that deal with health care information to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic.
Student financial information is information the college has obtained from a student in the process of offering a financial product or service, or such information provided to the college by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, in both paper and electronic format.
III. Coordination of the Information Security Plan
TTC’s Information Security Liaison (chair), the Assistant Vice President for Student Services, the IT Services Network Systems Manager, the Finance Director, the Assistant Vice President for Instruction, an Institutional Research (Planning & Accreditation) representative, the Director of the Information Technology Training Center, the Internal Auditor, and a Continuing Education representative serve on the Information Security Task Force to coordinate the implementation of this plan.
IV. Assessment of Risks
TTC recognizes that it has both internal and external data risks. These risks include, but are not limited to:
- Unauthorized access of covered data and information by someone other than the owner of the covered data and information
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of covered data and information by employees
- Unauthorized requests for covered data and information
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of covered data and information through third parties
- Unintended disclosure of covered data through electronic communications, hard copy files, mobile storage, and mobile computing devices
In order to protect the security and integrity of the college network and its data, the college’s Information Technology Division will:
- Assure the timely installation of patches for operating systems or software in collaboration with third party service providers’ installation and certification requirements. Responsibilities include: (a) keeping operating systems and software environments reasonably up to date; (b) maintaining records of patch/update activities and reviewing procedures for patches to operating systems and software; and (c) staying current on potential threats to the network and its data.
- Maintain schedules of security classes that include an up-to-date listing of persons or offices with access to each covered data field or screen in relevant software systems (financial, student services, development, etc.).
- Develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks in collaboration with governing agencies.
Additionally, the Trident Users Group (TUG) committee has been appointed to review existing schedules to make recommendations for continued compliance.
V. Safeguard for Social Security Numbers
Several college departments will continue to use social security numbers in the college’s information systems. Social security numbers are considered protected information under the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA). All TTC employees who have access to social security numbers have the responsibility to safeguard and protect them. Employees and managers with access to Social Security Numbers (SSNs) are responsible for reviewing and understanding all aspects of the required protections to safeguard SSNs. Incident response requirements for breaches involving SSNs are the same as the requirements for reporting red flag identity theft incidents as outlined in TTC Procedure 6-18-1, Red Flags Rule Identity Theft Prevention Plan.
VI. Design and Implementation of Safeguards Program
1. Employee Training and Education
Background checks are performed and references are checked for new employees. The Human Resources Director will conduct training for every appropriate current employee and new employee during employee orientation on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Appropriate employees will sign a confidentiality agreement to indicate their understanding of and agreement with their privacy and safeguarding obligations. All employees will receive information security awareness training, including training as appropriate on the proper use of computer information and passwords. Training also includes controls and procedures to prevent employees from providing any protected, confidential information to an unauthorized individual, either electronically or in paper copy, including “pretext calling”¹, and how to properly dispose of documents that contain covered data and information. Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss, or damage due to environmental hazards, such as fire and water damage, or technical failures. These training efforts should help minimize risk and safeguard covered data and information security.
2. Physical Security
TTC has addressed the physical security of covered data and information by limiting access to only those employees who have a business reason to know such information.
Loan files, account information, and other paper documents that contain confidential, protected data must be kept in file cabinets, rooms, or vaults that are locked each night. Only authorized employees know combinations and have access to keys. Paper documents that contain covered data and information are shredded at time of disposal.
3. Electronic, Digital, Virtual Security
Employees must adhere to all college procedures and best practices for safeguarding covered data. This includes redacting and/or encrypting emails and password-protecting attachments containing confidential data sent by external email to authorized agencies and/or individuals. Protection of covered data also applies to college sites such as shared departmental drives and secure web-based, virtual systems and portals. All employees will receive information security awareness training including the proper use of computer information and passwords.
VII. Information Systems
Access to covered data and information via TTC’s computer information system is limited to those employees who have a business reason to know such information. Each employee receives a user name and creates their own distinct password after initial login. Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to TTC employees in appropriate departments and positions.
TTC will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission.
GLBA requires the college to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Procurement Director, after consultation with the college’s Vice President for Finance and Administration, will develop standard, contractual provisions applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. All relevant future contracts between the college and these service providers should contain these provisions. Any deviation from these standard provisions will require prior approval. Contracts with service providers may include the following provisions:
- An explicit acknowledgement that the contract allows the contract partner access to confidential information;
- A specific definition or description of the confidential information being provided;
- A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- A guarantee from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own information;
- A stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract;
- A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
- An agreement that any violation of the contract’s confidentiality conditions may constitute a material breach of the contract and entitles TTC to terminate the contract without penalty;
- A provision ensuring that the contract’s confidentiality requirements shall survive any termination agreement, and;
- A provision allowing auditing of the contract partners’ compliance with the contract safeguard requirements.
VIII. Evaluation and Revision of the Information Security Plan
GLBA mandates that this Information Security Plan be subject to periodic review and adjustment. The plan and TTC’s related policies and procedures will be reevaluated by the Task Force in February of each year in order to assure ongoing compliance with existing laws and regulations. Also in February of each year, the Task Force will review and update lists from divisional vice presidents identifying departmental managers who are responsible for the physical security of computers and/or hardware located within their departments. As a result of the evaluations and reviews, it may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data, and internal or external threats to information security.
Also each year, the Task Force will obtain and review an updated list of the college’s computer inventory from the Inventory Supply Specialist. This review will be based upon the college’s Equipment Inventory Management Procedure, 10-0-2. As a result of the evaluations and reviews, it may be necessary for the Information Security Task Force to adjust the plan and recommendations to reflect changes in equipment and technology that impact the sensitivity of student/customer data and internal or external threats to information security.
The Task Force will continue to identify and monitor risks to the security and privacy of information. The Task Force will present a written report to the President’s cabinet by March 1 each year that includes an evaluation of risks related to compliance, design, and implementation of the College’s information security program. The report will also include recommendations on how to reasonably safeguard information systems. Recommendations for revisions to related policies and procedures will include both positive and negative impacts on all college operations and academic programs.
¹ “Pretext calling” occurs when an individual improperly obtains personal information of college customers so as to be able to commit identity theft. It is accomplished by contacting the college, posing as a customer or someone authorized to have the customer’s information, and, through the use of trickery and deceit, convincing an employee of the college to release customer identifying information.