Information Security Policy
As it pertains to FTC Regulated Activity
PURPOSE:
Jefferson Community College (JCC) is required to comply with the Gramm-Leach-Bliley Act and the rules promulgated hereunder by the Federal Trade Commission. These requirements have been established to:
- Ensure the security and confidentiality of customer records and information.
- Protect against anticipated threats to the security and/or integrity of such customer
records and information.
- Guard against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
STATEMENT OF POLICY:
- Program Coordination
- Institutional Technology and the Vice President for Administration shall coordinate
the Information Security Program (the "Program.")
- The Program includes input from other JCC divisions, including Institutional Technology,
Students and the Academic Affairs divisions.
- The Program will be reviewed and evaluated annually, during the month of May. Selected
aspects will be tested. Adjustments to the Program will be made as needed.
- Institutional Technology and the Vice President for Administration shall coordinate
the Information Security Program (the "Program.")
- Risk Assessment and Safeguards
- There is inherent risk in handling and storing any information that must be protected.
Identifying areas of risk and maintaining appropriate safeguards can reduce risk.
Safeguards are designed to reduce the risk inherent in handling customer information.
The Federal Trade Commission has identified four areas to address:
- Employee Management & Training
- Information Systems
- Managing System Failures
- Service Providers
- Employee Management & Training
- There is inherent risk in handling and storing any information that must be protected.
Identifying areas of risk and maintaining appropriate safeguards can reduce risk.
Safeguards are designed to reduce the risk inherent in handling customer information.
The Federal Trade Commission has identified four areas to address:
- Appendix
- Legal References - Appendix A
- Jefferson Community College FERPA Policy - incorporated by reference
- All Jefferson Community College Institutional Technology policies, including the Acceptable
Use, Internet/Email and Network Policies incorporated by reference.
- Jefferson Community College Student Code of Conduct incorporated by reference
- Legal References - Appendix A
Program Details
- Designated Information Security Program Coordinators
- Representatives
- Institutional Technology
- Vice President for Administration
- Representatives
- Offices Possessing Customer Information: All Campus offices have some level of access to customer information.
- Offices having Responsibility in Safeguarding Customer Information: Admissions, Administrative Services (including Financial Services, Human Resources,
Facilities and Records), Institutional Technology, Student Records (Registrar) and
Financial Services.
- Risk Assessment and Safeguards
- Definitions
- Covered data and information for the purpose of this policy includes student and other
customer financial information required to be protected under the Gramm-Leach-Bliley
Act (GLB). Covered data and information includes both paper and electronic records.
- Customer financial information is that information the Campus has obtained from a
student or other customer in the process of offering a financial product or service,
or such information provided to the university by another financial institution.
Offering a financial product or service includes offering the student loans to students,
receiving income tax information from a student' parent when offering a financial
aid package and other miscellaneous financial services as defined in 12 DFR.225.28.
Examples of customer financial information include addresses, phone numbers, bank
and credit card account numbers, income and credit histories and social security numbers,
in both paper and electronic format.
- Covered data and information for the purpose of this policy includes student and other
customer financial information required to be protected under the Gramm-Leach-Bliley
Act (GLB). Covered data and information includes both paper and electronic records.
- Employee Management & Training
- Employees handle and have access to customer information in order to perform their
job duties. This includes permanent and temporary employees and Work-Study/Student
Aid students, whose job duties require them to access customer information or work
in a location where there is access to customer information.
- Hiring Employees
- JCC exercises great care in its efforts to select qualified employees. Search committees
carefully review applications, interview and check references before making final
selections. This process is part of all hiring and is incorporated within Jefferson
County procedures for hiring civil service/support staff and the College's Search
Guide for Professional Positions.
- JCC exercises great care in its efforts to select qualified employees. Search committees
carefully review applications, interview and check references before making final
selections. This process is part of all hiring and is incorporated within Jefferson
County procedures for hiring civil service/support staff and the College's Search
Guide for Professional Positions.
- Work Study/Student Aid Students (& Temporary Employees)
- Temporary employees are hired following the same process as full-time employees stated
in #1 above.
- Work-Study/Student Aid students are referred to departments by Financial Aid and the
Counseling Center. In addition, departments actively recruit students on campus through
posters, etc.
- Each individual department is responsible for interviewing and checking references.
Training, including confidentiality and safeguarding, is provided by the hiring office.
- All applications and forms are completed with Personnel and kept on file with Personnel.
Timesheets are monitored and signed by the individual office designee and filed with
Payroll.
- Temporary employees are hired following the same process as full-time employees stated
in #1 above.
- Permanent Employees
- Before receiving access to the Student Information System all employees take part
in training which includes information about confidentiality, safe-guarding and FERPA.
This training is provided by the Registrar's Office and Institutional Technology.
- All employees receive a copy of the Employee Handbook which includes pertinent policies
and procedures. FERPA information is also included on the College website.
- Before receiving access to the Student Information System all employees take part
in training which includes information about confidentiality, safe-guarding and FERPA.
This training is provided by the Registrar's Office and Institutional Technology.
- Ongoing Training
- Periodically, employees with access to protected customer information will take part
in FERPA and safeguards training, as a refresher.
- Periodically, employees with access to protected customer information will take part
in FERPA and safeguards training, as a refresher.
- Access to Customer Information
- Only employees whose job duties required it shall have access to customer information.
- Only employees whose job duties required it shall have access to customer information.
- Disciplinary Measures for Breaches
- Breaches of information security may result in appropriate disciplinary action, depending
upon the nature and severity of the breach. All accidental breaches should be reported
and rectified as soon as possible. Employees and Work Study/Student Aid students
accidental are encouraged to report any intentional and/or malicious breaches.
suspected.
- Breaches of information security may result in appropriate disciplinary action, depending
upon the nature and severity of the breach. All accidental breaches should be reported
and rectified as soon as possible. Employees and Work Study/Student Aid students
accidental are encouraged to report any intentional and/or malicious breaches.
- A copy of the Institutional Technology Acceptable Use policy and excerpts from the
Student Code of Conduct can be found in Appendix C.
- Employees handle and have access to customer information in order to perform their
job duties. This includes permanent and temporary employees and Work-Study/Student
Aid students, whose job duties require them to access customer information or work
in a location where there is access to customer information.
- Information Systems. Information systems include network and software design, information
processing, storage, transmission, retrieval, backup and disposal.
- Paper Storage and Systems.
- Storage and work areas are protected and secured. Admittance is limited to approved
personnel.
- Critical customer documents are stored in fireproof file cabinets.
- Files are stored so as to minimize damage in the case of flooding.
- Storage and work areas are protected and secured. Admittance is limited to approved
personnel.
- Computer Information Systems
- Institutional Technology provides the infrastructure for central electronic information
systems. The following information security policies and practices that protect against
unanticipated threats to the security or integrity of electronic customer information
and guard against the unauthorized use of such information apply.
- Acceptable Use Policy
- Internet/email Policy
- Network Policy
- Disaster Recovery Plan including individual departmental plans is in place
- Institutional Technology maintains an inventory of all computers equipment including
those connecting to the campus network
- A yearly review of employee access to electronic systems is conducted
- A firewall is in place to provide protection from outside attacks
- Virus protection is in place for email services, network servers and individual desktops
- Backup procedures are in place
- The use of Social Security Numbers is in accordance with New York State bill AO9965.
- Acceptable Use Policy
- Institutional Technology provides the infrastructure for central electronic information
systems. The following information security policies and practices that protect against
unanticipated threats to the security or integrity of electronic customer information
and guard against the unauthorized use of such information apply.
- Customer Information Disposal
- JCC provides for confidential disposal of documents through its Office of Administrative
Services.
- JCC contracts with an outside agency to perform the above service. The outside contractor
does provide statement of certification with regards to the confidentiality of records
disposal.
- JCC erases all date when disposing of computers, magnetic tapes, hard drives or any
other electronic media that contains customer information. All computer hard drives
are reformatted and/or wiped and magnetic tapes are shredded before disposal.
- The Registrar's Office archives customer transaction information as necessary.
- JCC disposes of obsolete customer information in accordance with applicable records
retention policies.
- JCC provides for confidential disposal of documents through its Office of Administrative
Services.
- Managing System Failures
- Written Contingency Plans
- Disaster Recovery Plan including individual departmental plans is in place.
- Disaster Recovery Plan including individual departmental plans is in place.
- Centralized Protection from E-Invasion
- JCC utilizes several resources to protect internal systems from outside attackers.
a firewall is installed at the front of the network, which intercepts all incoming
(and outgoing) network traffic and makes decisions about allowing the traffic to enter
the local network. Logs are retained that show all traffic, allowed or disallowed.
In addition to the firewall, several virus protection systems are installed. Systems
protected by virus protection include services, network hardware and workstations.
Lastly, all operating systems and application are protected by their internal security
systems.
- JCC utilizes several resources to protect internal systems from outside attackers.
a firewall is installed at the front of the network, which intercepts all incoming
(and outgoing) network traffic and makes decisions about allowing the traffic to enter
the local network. Logs are retained that show all traffic, allowed or disallowed.
In addition to the firewall, several virus protection systems are installed. Systems
protected by virus protection include services, network hardware and workstations.
Lastly, all operating systems and application are protected by their internal security
systems.
- System Backup
- All servers housed in the centralized Computer Center are backed up on a regular schedule.
Three weeks of backups are kept on separate media with a copy of the most current
full backup stored off-site. Other "non-centralized" equipment is backed up by persons
responsible fo the equipment.
- All servers housed in the centralized Computer Center are backed up on a regular schedule.
Three weeks of backups are kept on separate media with a copy of the most current
full backup stored off-site. Other "non-centralized" equipment is backed up by persons
responsible fo the equipment.
- Security Breaches
- The handling of security breaches will be determined by the nature and scope of the
breach.
- The handling of security breaches will be determined by the nature and scope of the
breach.
- Written Contingency Plans
- Paper Storage and Systems.
- Definitions
- Service Providers
- Contracts
- All contracts with service providers are reviewed by the Institutional Technology
to ensure that external service providers agree to observe the College's standards
of information security. Contracts will not be approved with providers that cannot
maintain appropriate safeguards.
- All contracts with service providers are reviewed by the Institutional Technology
to ensure that external service providers agree to observe the College's standards
of information security. Contracts will not be approved with providers that cannot
maintain appropriate safeguards.
- Relevant Current Contracts
- Contracts with vendors for shredding, recycling services, etc.
- Contracts with collection agencies
- Contracts with software vendor having access to financial transactions and related
information
- Contracts with campus-related entities, such as Campus Foundations, Alumni Associations,
Security, FSA
- Contracts with vendors for shredding, recycling services, etc.
- Monitoring
- JCC will periodically evaluate providers to ensure that they have complied with the
information security requirements of the contract.
- JCC will periodically evaluate providers to ensure that they have complied with the
information security requirements of the contract.
- Contracts
- The Board of Trustees hereby authorizes the President, or his/her designee, to develop and establish appropriate standards and procedures to implement and enforce this policy.
Appendix A
Legal References
- 15 USC, Subchapter I, sec. 6801-6809 (Gramm-Leach-Bliley Act)
- 16 CFR, Part 313 (Privacy Regulations, see reference to FERPA)
- 20 USC, Chapter 31, 1232g (FERPA)
- 34 CFR, part 99 (FERPA regulations)
- 16 CFR, part 314 (Safeguard Regulations, as published in the Federal Register, 5/23/02)
- NACUBO Advisory Report 2003-01, issued 1/13/03
- FTC Facts for Business: Financial Institutions and Customer Data: Complying with the Safeguards Rule, published September 2002.
Information Security
Resolution 128-12