Information Security Policy

As it pertains to FTC Regulated Activity

PURPOSE:

Jefferson Community College (JCC) is required to comply with the Gramm-Leach-Bliley Act and the rules promulgated thereunder by the Federal Trade Commission.  These requirements have been established to:

  • Ensure the security and confidentiality of customer records and information.

  • Protect against anticipated threats to the security and/or integrity of such customer records and information.

  • Guard against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

STATEMENT OF POLICY:

  1. Program Coordination

    1. Institutional Technology and the Vice President for Administration shall coordinate the Information Security Program (the "Program").

    2. The Program includes input from other JCC divisions, including Institutional Technology, Students and the Academic Affairs divisions.

    3. The Program will be reviewed and evaluated annually, during the month of May.  Selected aspects will be tested.  Adjustments to the Program will be made as needed.

  2. Risk Assessment and Safeguards

    1. There is inherent risk in handling and storing any information that must be protected.  Identifying areas of risk and maintaining appropriate safeguards reduces that risk.  The Federal Trade Commission has identified four areas to address:

      1. Employee Management & Training

      2. Information Systems

      3. Managing System Failures

      4. Service Providers

  3. Appendix

    1. Legal References - Appendix A

    2. Jefferson Community College FERPA Policy - incorporated by reference

    3. All Jefferson Community College Institutional Technology policies, including the Acceptable Use, Internet/Email and Network Policies incorporated by reference.

    4. Jefferson Community College Student Code of Conduct incorporated by reference


Program Details

  1. Designated Information Security Program Coordinators

    1. Representatives

    2. Institutional Technology

    3. Vice President for Administration

  2. Offices Possessing Customer Information:  All Campus offices have some level of access to customer information.

  3. Offices having Responsibility in Safeguarding Customer Information:  Admissions, Administrative Services (including Financial Services, Human Resources, Facilities and Records), Institutional Technology, Student Records (Registrar) and Financial Services.

  4. Risk Assessment and Safeguards

    1. Definitions

      1. Covered data and information for the purpose of this policy includes student and other customer financial information required to be protected under the Gramm-Leach-Bliley Act (GLB).  Covered data and information includes both paper and electronic records.

      2. Customer financial information is that information the Campus has obtained from a student or other customer in the process of offering a financial product or service, or such information provided to the College by another financial institution.  Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package and other miscellaneous financial services as defined in 12 CFR 225.28.  Examples of customer financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

    2. Employee Management & Training

      1. Employees handle and have access to customer information in order to perform their job duties.  This includes permanent and temporary employees and Work-Study/Student Aid students, whose job duties require them to access customer information or work in a location where there is access to customer information.

      2. Hiring Employees

        1. JCC exercises great care in its efforts to select qualified employees.  Search committees carefully review applications, interview and check references before making final selections.  This process is part of all hiring and is incorporated within Jefferson County procedures for hiring civil service/support staff and the College's Search Guide for Professional Positions.

      3. Work Study/Student Aid Students (& Temporary Employees)

        1. Temporary employees are hired following the same process as full-time employees described under Hiring Employees above.

        2. Work-Study/Student Aid students are referred to departments by Financial Aid and the Counseling Center.  In addition, departments actively recruit students on campus through posters, etc.

        3. Each individual department is responsible for interviewing and checking references.  Training, including confidentiality and safeguarding, is provided by the hiring office.

        4. All applications and forms are completed with Personnel and kept on file with Personnel.  Timesheets are monitored and signed by the individual office designee and filed with Payroll.

      4. Permanent Employees

        1. Before receiving access to the Student Information System all employees take part in training which includes information about confidentiality, safeguarding and FERPA.  This training is provided by the Registrar's Office and Institutional Technology.

        2. All employees receive a copy of the Employee Handbook which includes pertinent policies and procedures.  FERPA information is also included on the College website.

      5. Ongoing Training

        1. Periodically, employees with access to protected customer information will take part in FERPA and safeguards training, as a refresher.

      6. Access to Customer Information

        1. Only employees whose job duties require it shall have access to customer information.

      7. Disciplinary Measures for Breaches

        1. Breaches of information security may result in appropriate disciplinary action, depending upon the nature and severity of the breach.  All accidental breaches should be reported and rectified as soon as possible.  Employees and Work-Study/Student Aid students are encouraged to report any suspected intentional and/or malicious breaches.

      8. A copy of the Institutional Technology Acceptable Use policy and excerpts from the Student Code of Conduct can be found in Appendix C.

    3. Information Systems.  Information systems include network and software design, information processing, storage, transmission, retrieval, backup and disposal.

      1. Paper Storage and Systems.

        1. Storage and work areas are protected and secured.  Admittance is limited to approved personnel.

        2. Critical customer documents are stored in fireproof file cabinets.

        3. Files are stored so as to minimize damage in the case of flooding.

      2. Computer Information Systems

        1. Institutional Technology provides the infrastructure for central electronic information systems.  The following information security policies and practices protect against anticipated threats to the security or integrity of electronic customer information and guard against the unauthorized use of such information:

          • Acceptable Use Policy

          • Internet/email Policy

          • Network Policy

          • Disaster Recovery Plan including individual departmental plans is in place

          • Institutional Technology maintains an inventory of all computer equipment, including equipment connecting to the campus network

          • A yearly review of employee access to electronic systems is conducted

          • A firewall is in place to provide protection from outside attacks

          • Virus protection is in place for email services, network servers and individual desktops

          • Backup procedures are in place

          • The use of Social Security Numbers is in accordance with New York State bill A09965.

      3. Customer Information Disposal

        1. JCC provides for confidential disposal of documents through its Office of Administrative Services.

        2. JCC contracts with an outside agency to perform the above service.  The outside contractor provides a statement of certification regarding the confidential disposal of records.

        3. JCC erases all data when disposing of computers, magnetic tapes, hard drives or any other electronic media that contains customer information.  All computer hard drives are reformatted and/or wiped and magnetic tapes are shredded before disposal.

        4. The Registrar's Office archives customer transaction information as necessary.

        5. JCC disposes of obsolete customer information in accordance with applicable records retention policies.

      4. Managing System Failures

        1. Written Contingency Plans

          1. Disaster Recovery Plan including individual departmental plans is in place.

        2. Centralized Protection from E-Invasion

          1. JCC utilizes several resources to protect internal systems from outside attackers.  A firewall is installed at the front of the network; it intercepts all incoming (and outgoing) network traffic and decides whether to allow the traffic to enter the local network.  Logs are retained that show all traffic, allowed or disallowed.  In addition to the firewall, several virus protection systems are installed.  Systems protected by virus protection include servers, network hardware and workstations.  Lastly, all operating systems and applications are protected by their internal security systems.

        3. System Backup

          1. All servers housed in the centralized Computer Center are backed up on a regular schedule.  Three weeks of backups are kept on separate media, with a copy of the most current full backup stored off-site.  Other "non-centralized" equipment is backed up by the persons responsible for the equipment.

        4. Security Breaches

          1. The handling of security breaches will be determined by the nature and scope of the breach.

  5. Service Providers

    1. Contracts

      1. All contracts with service providers are reviewed by Institutional Technology to ensure that external service providers agree to observe the College's standards of information security.  Contracts will not be approved with providers that cannot maintain appropriate safeguards.

    2. Relevant Current Contracts

      1. Contracts with vendors for shredding, recycling services, etc.

      2. Contracts with collection agencies

      3. Contracts with software vendors having access to financial transactions and related information

      4. Contracts with campus-related entities, such as Campus Foundations, Alumni Associations, Security, FSA

    3. Monitoring

      1. JCC will periodically evaluate providers to ensure that they have complied with the information security requirements of the contract.

  6. The Board of Trustees hereby authorizes the President, or his/her designee, to develop and establish appropriate standards and procedures to implement and enforce this policy.


Appendix A

Legal References

  1. 15 USC, Subchapter I, sec. 6801-6809 (Gramm-Leach-Bliley Act)
  2. 16 CFR, Part 313 (Privacy Regulations, see reference to FERPA)
  3. 20 USC, Chapter 31, 1232g (FERPA)
  4. 34 CFR, part 99 (FERPA regulations)
  5. 16 CFR, part 314 (Safeguard Regulations, as published in the Federal Register, 5/23/02)
  6. NACUBO Advisory Report 2003-01, issued 1/13/03
  7. FTC Facts for Business:  Financial Institutions and Customer Data: Complying with the Safeguards Rule, published September 2002.

Adopted:
June 2012, Res. 128-12