Resources for Information Assurance/Security
Forms; Toolkits and Checklists
EDUCAUSE Informaton Security Program Assessment Tool, April 2013. Developed by the EDUCAUSE Higher Education Information Security Council. The tool is an extensive list of questions and will require the participation of Chief Information or Chief Information Security officers or their designees.
Security and Privacy Issues, Dec. 1, 2010. Powerpoint by the Deputy Chief Information Officer, Federal Student Aid, U.S. Department of Education. Contains a University PII Checklist starting at slide 9 and continuing through slide 18.
CUA Red Flag Action Report Form
This document can be used to note actions taken in response to a red flag (suspicious pattern or practice that indicates the possible existence of identity theft). The form includes who was notified, offices consulted, dates.
Overview of GLB Safeguarding
Five key sections to GLB safeguarding program
Designate an employee or employees to coordinate your information security program.
Who should be the designated employee?
This will depend on the school. It might be the CIO, the HIPAA privacy officer, the Registrar, the Bursar, or a combination of the above. If the designated employee is the Security Officer, consider appointing a second designee who is not part of the information security operation for purposes of checks/balances.
Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.
First identify information and systems to be protected. What offices will be covered?
Suggest taking an organizational chart of the university and look at who has access to customer information or oversees contracts with service providers that have access to customer information. Registrar's Office, Financial Aid, Business Services, Admissions, Development, and Athletics are examples of offices that might be covered.
Eight factors or protecting customer information:
- Access control
- Physical security at locations where customer information is stored
- Encryption of electronic customer information (especially in transit)
- Implement a change management process for customer information system modifications
- Dual control, segregation of duties and employee background checks1 for employees with access to customer information
- Monitoring systems and procedures to detect any actual or attempted attacks or intrusions on customer information systems
- Develop an incident response program for how to handle attempted and actual unauthorized access to customer information
- Disaster recovery program for the protection against destruction of customer information due to physical hazards and technical failures
( These eight factors are not in the law. They came from a SANS document on compliance with GLB.)
Employee training and management
Training on security awareness should include supporting the information security program in general, as well as addressing the safeguarding of customer information. Training should cover anyone who has access to a system that has customer information, and also anyone who has access to paper copies of customer information. Train your employees not to confirm confidential information over the phone or by email, even if the other party provides it. Training might include attendance at industry conferences. Keep documentation of the training. Professors who have access to student information systems will need training, and GLB training for this group may be made a component of FERPA training.
Oversee service providers
· Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
· Require your service providers by contract to implement and maintain such safeguards. Contracts entered into prior to June 24, 2002 are grandfathered in until May 24, 2004.
· Send form letters to third party business partners detailing GLB provisions and attach an amendment to contract where necessary.
· Ensure that as contracts come up for renewal, the privacy clause is included.
Evaluate and adjust your information security program
Some schools are considering audits by outside security firms.
In the university setting, confidentiality agreements may be considered rather than background checks for all employees.
Shakespeare on Cyberliabilty, by Beth Cate, Associate University Counsel, Indiana University, published for the NACUA Annual Conference, Orlando, Florida, June 27, 2005 This is an excellent (and witty) overview of the main privacy laws affecting higher education, HIPAA, FERPA and GLB. The paper also includes a very thorough section on common law tort claims that might arise in connection with security and privacy breaches, as well as an overview of contractual security obligations and the duty to notify in the event of a security breach.
State Data Security Breach Notication laws (current April 2014-by Mintz Levin)
updated mlo 5-7-14