Ensure the security and confidentiality of customer records and information.
Protect against anticipated threats to the security and/or integrity of such customer records and information.
Guard against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Comply with the Gramm-Leach-Bliley Act and the rules promulgated thereunder by the Federal Trade Commission.
I. Program Coordination
A. Designated representatives from Offices of ITS and Internal Control shall coordinate the Information Security Program.
B. The Program includes input from other SUNY at Fredonia departments, including Human Resources, Admissions, Financial Aid, Student Accounts, Registrar, Faculty Student Association, Internal Control, Payroll Services, College Services, University Advancement and Foundation, Residence Life, and the Banner SIS Security Committee.
C. The Program will be reviewed and evaluated annually, during the month of May. Selected aspects will be tested. Adjustments to the Program will be made as needed.
II. Risk Assessment & Safeguards
A. There is an inherent risk in handling and storing any information that must be protected. Identifying areas of risk and maintaining appropriate safeguards can reduce risk. Safeguards are designed to reduce the risk inherent in handling customer information. The Federal Trade Commission has identified four areas to address:
Employee Management & Training
Managing System Failures
Legal References B. FERPA Policy at http://www.ed.gov/policy/gen/reg/ferpa/index.html C. Federal Work Study Manual located in SUNY Fredonia Financial Aid Office, 215 Maytum Hall D. Social Engineering Security Policy E. Student Employee Security Responsibility and Confidentiality Agreement F. State Employee Confidentiality Agreement G. Physical Information Security Policy H. Electronic Information Security Policy I. Telephone and Fax Security Policy
I. Designated Information Security Program Coordinators
Karen S. Klose Associate Vice President for ITS 712 Maytum Hall SUNY College at Fredonia Fredonia, NY 14063 (716) 673-4670
Jennifer Burke Internal Control Coordinator 502 Maytum Hall SUNY College at Fredonia Fredonia, NY 14063 (716) 673-4761
B.Offices Possessing Customer Information
The following have been identified as among the relevant offices to be considered when assessing the risks to customer information: Human Resources, Admissions, Financial Aid, Student Accounts, Registrar, Faculty Student Association, Internal Control, Payroll Services, College Services, University Advancement and Foundation, Residence Life, and the Banner SIS Security Committee. Each relevant area is responsible to secure customer information in accordance with all relevant privacy guidelines.B.Offices Possessing Customer Information
C.Offices Having Responsibility in Safeguarding Customer Information
Human Resources, Admissions, Financial Aid, Student Accounts, Registrar, Faculty Student Association, Internal Control, Payroll Services, College Services, University Advancement and Foundation, Residence Life, and the Banner SIS Security Committee.
II. Risk Assessment & Safeguards
Covered data and information for the purpose of this policy includes student and other customer financial information are required to be protected under the Gramm-Leach-Bliley Act (GLB). Covered data and information includes both paper and electronic records.
Customer financial information is that information the Campus has obtained from a student or other customer in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of customer financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.
B. Employee Management & Training
Employees handle and have access to customer information in order to perform their job duties. This includes permanent and temporary state and student employees, whose job duties require them to access customer information or work in a location where there is access to customer information.
1. Hiring Employees
SUNY Fredonia exercises great care in trying to select well-qualified employees. Hiring supervisors review applications, carry out interviews, check references, and verify educational credentials before making their final selection. Recruitment policies and procedures are available at http://www.fredonia.edu/aaoffice/index.htm.
2. Work Study and Temporary Service Student Employees
Work-Study students are assigned by the Office of Financial Aid, and must comply with the Federal Work Study Manual (see appendix C.). Confidentiality and safeguarding of information is covered by each hiring office during an individual orientation session conducted by the first day of work. All student employees and supervisors sign the ”Security Responsibility and Confidentiality Agreement” (Appendix E.), during the orientation session. One copy is retained in the employee’s office, and one copy is retained by Payroll Services. Once e-sign is instituted, the electronic agreement will be maintained in the Campus Information System (CIS).
3. State Employees (Permanent, Term, Part-time, Graduate Assistants).
All employees take part in Information Security and FERPA training at the time of new employee orientation. In addition, the ITS Help Desk Coordinator includes FERPA requirements during Basic Banner Navigation Training and administrative offices review FERPA during student records orientation.
All employees receive a copy of the Information Security Policy Documents (Appendices D-I of the SUNY Fredonia Information Security Program), which includes the Social Engineering and Telephone/Fax Security Policies, and sign a “Confidentiality Agreement” form (Appendix F). The Confidentiality Agreement form is maintained by the Office of Human Resources in each employee file.
Once e-sign is instituted, theelectronic agreement will be maintained in the Campus Information System (CIS).
4. Ongoing Training
"The Information Security Program and Policies will be available as a link from the Human Resources website. In addition, Human Resources will annually send a confidentiality and FERPA regulation reminder via e-mail to all state employees."
5. Access to Customer Information
Only employees whose job duties require them to access customer information shall have access.
6. Disciplinary Measures for Breaches
Breaches of information security may result in appropriate disciplinary action by the immediate supervisor depending upon the nature and severity of the breach. All accidental breaches should be reported and rectified as soon as possible. Employees are encouraged to report any suspected intentional and/or malicious breaches. Human Resources will be notified of any breach of information security by state employees. State employees may be subjected to disciplinary actions for the violation of this policy. Student breaches will be dealt with by the immediate supervisor and abuse flagged by the Office of Student Payroll.
C. Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal.
1. Paper Storage Systems
Access and handling safeguards are outlined in the Physical Information Security Policy, appendix F. The Office of Internal Control maintains the Record Retention policy.
2. Computer Information Systems
The Office of Computing Services in ITS serves as the central electronic information security office and as such provides or terminates access based on employee status information from Human Resources. Access to the Campus Information System (CIS) is determined by position description with roles and access maintained by the Database Administrator. Access to employee data is maintained by SUNY System Administration. Desktop connection to the Internet is accomplished via static IP, allowing ITS intervention as necessary in the event of network security breaches. Additionally, the network administration tool tracks network connections by desktop hardware address.
Electronic security safeguards are outlined in the Electronic Information Security Policy, appendix G.
3. Customer Information Disposal
SUNY Fredonia provides for confidential disposal of documents through its Office of College Services. Obsolete confidential documents are placed in recycling containers or are tagged for shredding in secure areas and marked confidential before being transferred to the recycling/shredding center. Two paper shredders are available for use in the Thompson Copy Center and Fenton Hall copy room. Offices disposing of confidential documents must notify the Internal Control Officer, as logs of disposal must be maintained.
(Or, campus contracts with an outside agency to perform the above service. The outside contractor does provide secure recycling containers.)
SUNY Fredonia erases all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information. (Computers swapped to new owners are completely re-formatted following old user’s sign-off. Computers designated as obsolete equipment are wiped clean by AIT personnel following procedure created in conjunction with Office of College Services.)
SUNY Fredonia archives customer transaction information as necessary.
SUNY Fredonia disposes of obsolete customer information in accordance with applicable records retention policies (maintained by the Office of Internal Control).
D. Managing System Failures
1. Written Contingency Plans—in development
2. Centralized Protection from E-Invasion
SUNY Fredonia has implemented a tiered approach to protect from e-invasion that incorporates port blocking at the network firewall level, intrusion detection management, regular application of patches and upgrades, and managed antivirus protection at the e-mail gateway and desktop levels. Protection from e-invasion is dependent on timely definition updates and alerts from numerous advisory agencies (e.g. CERT, Infragard, Microsoft, SUNY System Administration, and SANS Institute), as well as educated and cautious computer users.
3. System Back-ups
Systems and databases controlled by ITS are backed up to tape on a daily basis Monday-Friday and stored in a fireproof vault with a 1500 4-hour rating (internal temperature remains below 125 degrees for 4 hours in a 1500 degree fire). Tapes are moved to an off-site location on a monthly basis.
4. Security Breaches
In the event that information security is compromised, a prompt disclosure will be made to any customers that may have been impacted.
E. Service Providers
All contracts with service providers are reviewed by the Office of University Counsel to ensure that external service providers agree to observe the University’s high standards of information security. Contracts will not be approved with providers that cannot maintain appropriate safeguards.
2. Relevant Current Contracts
Contracts with vendors for shredding, recycling services, etc.;
Contracts with collection agencies;
Contracts with software vendors having access to financial transactions and related information;
Contracts with campus-related entities, such as Auxiliary Service Corporations, Campus Foundations, Alumni Associations
SUNY Fredonia will periodically evaluate providers to ensure that they have complied with the information security requirements of the contract.
15 USC, Subchapter I, sec. 6801-6809 (Gramm-Leach-Bliley Act)
16 CFR, Part 313 (Privacy Regulations, see reference to FERPA)
20 USC, Chapter 31, 1232g (FERPA)
34 CFR, part 99 (FERPA regulations)
16 CFR, part 314 (Safeguard Regulations, as published in the Federal Register, 5/23/02)
NACUBO Advisory Report 2003-01, issued 1/13/03
FTC Facts for Business: Financial Institutions and Customer Data: Complying with the Safeguards Rule, published September 2002.