Information Security Program
Technology Services

Purpose

This document provides a summary of Gustavus Adolphus College’s (the “College”) comprehensive information security program (the “Program”) as mandated by the Federal Trade Commission’s (“FTC”) Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”). Specifically, this document outlines Program features that are intended to (1) ensure the security and confidentiality of covered records, (2) protect against anticipated threats or other identified risks to the security and integrity of such records, and (3) protect against unauthorized access or misuse of covered records that could result in substantial damage or inconvenience to College customers. The Program incorporates referenced College policies and procedures, and serves in conjunction with any policies and procedures that may be required pursuant to other federal and state laws and regulations, such as the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).

Scope

The Program applies to any record containing nonpublic personal information (“NPI”) about a student or other third party who has a relationship with the College, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the College or its affiliates and was obtained in connection with the delivery of a financial product or service. For these purposes, delivering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of NPI contained in covered records include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.

Designated Program Coordinator

The College designates the Chief Technology Officer (“CTO”) to serve with overall responsibility as the Program Coordinator. The Coordinator may, at their discretion, designate other representatives of the College, as individuals or chartered committees, to oversee particular 

Program Areas

  1. Risk Identification and Assessment. The College intends, as part of the Program, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of NPI that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Covered records are housed in a number of systems, and therefore, several offices have responsibility for the assessment and safeguarding necessary to protect customer information. In implementing the Program, the Program Coordinator will establish procedures for identifying and assessing such risks in each relevant area of the College’s operations, including:
    1. Employee training and management. The Program Coordinator will work with representatives from relevant offices to evaluate the effectiveness of the College's procedures and practices relating to access to and use of covered records, including NPI obtained from financial aid information. This evaluation will include assessing the effectiveness of the College’s current policies and procedures in this area.
    2. Information Systems and Information Processing and Disposal. The Program Coordinator will work with representatives of relevant offices to assess the risks to NPI associated with the College’s information systems, including network and software design, information processing, and the storage, transmission, and disposal of NPI. This evaluation will include assessing the College’s current policies and procedures relating to the acceptable use of network resources, as well as data and document retention practices. The Program Coordinator will also work with Technology Services personnel to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
    3. Detecting, Preventing and Responding to Attacks. The Program Coordinator will work with the Technology Services and other relevant offices to evaluate:
      1. procedures for and methods of detecting, preventing, and responding to attacks or other system failures; and
      2. existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks, and developing incident response teams and policies.
    In this area, the Program Coordinator may elect to delegate to a representative of Technology Services the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks, and other threats to the integrity of networks utilized by the College.
  2. Designing and Implementing Safeguards. The risk assessment and analysis described above shall apply to all methods of handling or disposing of NPI, whether in electronic, paper or other form. The Program Coordinator will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
  3. Managing Service Providers. The Program Coordinator shall work with those responsible for the third party service procurement activities of Technology Services and other relevant offices to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for NPI of students and other third parties to which they will have access. In addition, the Program Coordinator will work with the Finance office to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Chief Financial Officer. These standards shall apply to all existing and future contracts entered into with such third party service providers.
  4. Adjustments to the Program. The Program Coordinator is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the College’s operations or other circumstances that may have a material impact on the Program. The Program Coordinator will provide an annual report to the executive leadership team (XLT), typically in July.

Policy Implementation Assistance

Contact the Chief Technology Officer with questions or comments related to this policy.

Policy Authority

The XLT has responsibility for this policy and will obtain necessary approvals for changes.