Rationale:
The Gramm-Leach-Bliley Act (15 U.S. Code § 6801 et seq., hereinafter “GLBA”) requires Cedarville University to ensure the security, integrity, and confidentiality of protected information and data, which includes student financial aid records and information.
Cedarville University satisfies the privacy provisions of GLBA through its compliance with the Family Educational Rights and Privacy Act (FERPA); the Safeguards Rule, however, applies to the University directly and is the subject of this program.
I. Policy Objective
Reason for Policy
This policy’s purpose is to ensure that administrative, technical, and physical safeguards are implemented by Cedarville University to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle protected data and information in compliance with the Federal Trade Commission’s Safeguards Rule (16 C.F.R. Part 314) promulgated under the GLBA.
Scope of Policy and Entities Affected
This policy promotes and ensures that safeguards are provided to:
- Ensure the security and confidentiality of protected data and information of Cedarville University;
- Protect against any anticipated threats or hazards to the security or integrity of such information of the university; and
- Protect against unauthorized access to or use of university-protected data and information that could result in substantial harm or inconvenience to any customer or to Cedarville University.
 
II. Definitions
	- GLBA – Gramm-Leach-Bliley Act - The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.
 
- FERPA – Family Educational Rights and Privacy Act - The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
 
- FTC – Federal Trade Commission - The Federal Trade Commission (FTC) is an independent agency of the U.S. government that aims to protect consumers and ensure a strong competitive market by enforcing consumer protection and antitrust laws. Its principal purpose is to enforce non-criminal antitrust laws in the United States, by preventing and eliminating anticompetitive business practices, including coercive monopoly. The FTC also seeks to protect consumers from predatory or misleading business practices.
 
- Ransomware – Ransomware is malicious software that infects a computer, encrypts files or otherwise locks the system, and displays messages demanding payment before the data or system will be made usable again. Many current variants also copy data off the system before encrypting it and threaten to publish it, so an infection on a system holding protected data is treated as a potential data breach, not only as a loss of availability. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links or attachments in an email message, instant message, or website, or through unpatched vulnerabilities in exposed systems.
 
- Administrative User – An account with unrestricted access to a workstation, used for maintaining and updating software programs and the operating system on that workstation.
 
- General User – An account with standard access to a workstation. It can run most applications but cannot make accidental or intentional system-wide changes, which limits the damage that malware running under the account can do.
III. Policy Content
In compliance with GLBA and the FTC’s Safeguards Rule, Cedarville University shall appoint an Information Security Program Coordinator, conduct risk assessments of likely security and privacy risks, maintain a training program for all employees who have access to protected data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.
Designation of Representative
The Associate Vice President (AVP) for Information Technology (IT) serves as the Coordinator of this program. As the designated representative leading the University’s compliance, the Coordinator:
- Is responsible for maintaining a program of periodic training and awareness related to the handling and protection of information protected by this program, and for overseeing service providers and contractors.
- Will perform periodic risk assessments to identify likely security and privacy risks to the protected data and provide a remediation plan for the identified risks.
- Will maintain the GLBA Information Security Program artifacts related to periodic risk assessment and remediation, and maintain records of the training and awareness provided to each relevant business unit.
- Is responsible for maintaining a data map, coordinating with each relevant business unit handling protected data, and ensuring training and awareness. Each relevant business unit may also assist with periodic risk assessments and implementation of certain risk assessment remediation and may assist with periodic review of and input to this program; and
- Will evaluate this Program periodically to make appropriate adjustments.
 
Elements of the Program
Identification and Assessment of Risks to Customer Information
The Coordinator shall periodically conduct and document a risk analysis consisting of, but not limited to, the following:
- Asset Inventory – servers, desktops, and applications that contain or access protected data
- Threat assessments including but not limited to the following:
	- Compromised system security as a result of system access by an unauthorized person
	- Deliberate network-based attacks or malicious software upload
	- Ransomware, rendering protected data unreadable or unusable, or exposing it if the data is copied out before encryption
	- Interception of protected data during transmission
	- Loss of protected data integrity
	- Inadvertent or erroneous data entry
	- Physical loss of protected data in a disaster (floods, earthquakes, tornados, electrical storms, etc.)
	- Inaccessibility of protected data due to environmental factors (long-term power failure, pollution, chemicals, and liquid leakage)
	- Errors introduced into the system
	- Corruption of data or systems
	- Unauthorized access (intentional and unintentional) to electronic or hardcopy protected data and information by employees or others
	- Unauthorized transfer of protected data and information through third parties
	- Third-party vendors who process protected data and information not appropriately safeguarding protected data
	- Unsecure storage of protected data and information
	- Failure to dispose of protected data and information in a secure manner
- Design, implementation, and development of a risk mitigation strategy
- Maintenance of a written record of risk assessments and remediation
Recognizing that this may not represent a complete list of the risks associated with the protection of protected data and information, and that new risks are created regularly, Cedarville University IT will actively participate in and monitor appropriate cybersecurity advisory groups for identification of additional risks.
IT will work to monitor and maintain safeguards that are reasonable, and in light of current risk assessments, are sufficient to provide security and confidentiality to protected data and information maintained by the university. Additionally, IT strives to maintain safeguards that reasonably protect against currently anticipated threats or hazards to the integrity of such information.
Employee Management and Training
Background checks of new employees in areas that regularly work with protected data and information are generally required by Human Resources policy. Employees in relevant business units receive training regarding the importance of safeguarding the confidentiality, security, and integrity of protected data (e.g. student records, student financial information), including the University’s Policy on Confidentiality of Student Records (FERPA), the Acceptable Usage Policy, and regulations from the Department of Education. Employees are also trained in security measures, including the proper use of computer information and passwords, and in incident response and breach notification procedures.
Reports of these training efforts, which help minimize risk and safeguard protected data and information, are provided to the Coordinator.
Physical Security
Cedarville University has addressed the physical security of protected data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, federal financial aid applications, income and credit histories, accounts, balances, and transactional information are available only to Cedarville University employees with an appropriate business need for such information.
By default, all Cedarville faculty and staff members are assigned General User privileges on their individual workstations. Administrative User privilege is granted only to faculty and staff members approved for such privilege. Individuals with administrative privilege are to use administrative credentials only when necessary to run or update specific software programs or the operating system on their workstations; routine work, including email and web browsing, is done under the General User account so that a compromise of that session does not carry administrative rights.
Furthermore, each department responsible for maintaining protected data and information is instructed to develop and implement a plan to protect the information from destruction, loss, or damage due to environmental hazards, such as fire and water damage, or technical failures.
Information Systems
Access to protected data and information on Cedarville University’s information system is limited to those employees and faculty who have a legitimate business reason to access such information. The University has adopted an Acceptable Usage Policy which includes comprehensive policies, standards, and guidelines relating to information security which are incorporated by reference into this Information Security Program.
Social Security Numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As a matter of policy, the University therefore uses Student Identification Numbers rather than Social Security Numbers (SSNs) as student identifiers. By necessity, student SSNs will remain in the information systems; however, access to SSNs is granted only in cases where there is an approved, documented business need.
 
Management of Security Incidents
Cedarville University has developed written plans and procedures to detect any actual or attempted attacks on the University’s information systems, and has an Incident Response and Crisis Plan which outlines procedures for responding to an actual or attempted unauthorized access to protected data and information, including identifying the University officials responsible for breach notification.
Oversight of Service Providers
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for protected data and information. This Information Security Program ensures that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Coordinator will identify service providers who have or will have access to protected data, and work with other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of protected data.
 
Continuing Evaluation and Adjustment
The Coordinator will evaluate this Program periodically to make appropriate adjustments to the Program, to update the risk assessment and remediation, and to review and update training material.