The Catholic University of America

Archived 6/14/07

Information Security Plan
I. Introduction

In order to protect critical information and data, and to comply with Federal Law[1], the Center for Planning and Information Technology (CPIT), in alliance with the Office of General Counsel (OGC), proposes practices for the university information environment and procedures for institutional information security. While these practices mostly affect CPIT, some of them will impact diverse areas of the university, including but not limited to Business Services, the Office of the Registrar, Institutional Advancement, Student Life, the Library, Admissions and Financial Aid, and many third party contractors, including food services and the book store. The goal of this document is to define the University's Information Security Program, to provide an outline to assure ongoing compliance with the federal regulations related to the Program, and to position the university for likely future privacy and security regulations.

II. Definitions

A. Covered data and information for the purpose of this policy includes student financial information required to be protected under the Gramm Leach Bliley Act (GLB). In addition to this coverage which is required by federal law, CUA chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by the university, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

B. Student financial information is that non-public personal information the university has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format. The CUA student record policy continues to govern the release of directory information. For example, a request for a list of all student names and addresses could be honored as long as students who have placed a hold on the release of directory information were removed from the list.

III. Gramm Leach Bliley Act Requirements

The Financial Services Modernization Act of 1999, also known as the Gramm Leach Bliley Act (GLB) mandates that the university appoint an Information Security Plan Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.

IV. Information Security Plan Coordinator

In order to comply with GLB, CPIT has designated an Information Security Plan Coordinator. This individual must work closely with the General Counsel's office, the Director of Information Technology, the Director of Information Systems and Services, other positions in Information Technology and Information Systems and Services, as well as all relevant academic and administrative Schools and Departments throughout the university. The Coordinator is presently the Director of Academic Technology Services.

The Coordinator must help the relevant offices of the university identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.

V. Risk Assessment and Safeguards

The Coordinator must work with all relevant areas of the university to identify potential and actual risks to the security and privacy of information. Each School or Department head, or her designee, will conduct a data security review, with guidance from the Coordinator. Vice Presidents will be asked to identify any employees in their respective areas who work with covered data and information as a significant part of their work assignment. The Coordinator, with guidance from the Vice Presidents and Provost, will establish a GLB working committee that will work with the Coordinator to carry out the elements of the Program. In addition, the relevant departments of CPIT will conduct a review of procedures, incidents, and responses. CPIT will assure that procedures and responses are appropriately reflective of those widely practiced at other national research Universities, as measured against four reference sources: the Educause Security Institute, the Internet2 security working group, the SANS Top Twenty risks list, and the Federal NIST Computer Security Resource Center.

In order to protect the security and integrity of the university network and its data, CPIT will develop and maintain a registry of all computers attached to the university network. This registry will include, where relevant, IP address or subnet, MAC address, physical location, operating system, intended use (server, personal computer, lab machine, dorm machine, etc.), the person, persons, or department primarily responsible for the machine, and whether the machine holds, or has special access to, any confidential data covered by relevant external laws or regulations.

CPIT assumes the responsibility of assuring that patches for operating systems or software environments are reasonably up to date, and will keep records of patching activity. CPIT will review its procedures for patches to operating systems and software, and will keep current on potential threats to the network and its data. Risk assessments will be updated quarterly.

CPIT bears primary responsibility for identifying internal and external risks, but all members of the university community are involved in risk assessment. CPIT, working in conjunction with the relevant university offices, will conduct periodic risk assessments, including but not limited to the categories listed by GLB.

CPIT, working in cooperation with relevant university departments, will develop and maintain a data handbook, listing those persons or offices responsible for each covered data field in relevant software systems (financial, student administration, development, etc.). CPIT and the relevant departments will conduct ongoing audits of activity, and will report any significant questionable activities.

CPIT will work with the relevant offices (Business Services, Human Resources, the Registrar, Institutional Advancement, and the Library, among others) to develop and maintain a registry of those members of the university community who have access to covered data and information. CPIT in cooperation with Human Resources and Business Services will work to keep this registry up to date.

CPIT will assure the physical security of all servers and terminals which contain or have access to covered data and information. CPIT will work with other relevant areas of the university to develop guidelines for physical security of any covered servers in locations outside the central server area. The university will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, and other procedures which may expose the university to risks.

While the university has discontinued usage of social security numbers as student identifiers, one of the largest remaining security risks may be non-standard practices concerning social security numbers, e.g. continued reliance by some university employees on the use of social security numbers. Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA)[2]. By necessity, student social security numbers still remain in the university student information system[3]. The university will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are still used, and in what instances students are being asked to provide a social security number. This assessment will cover university employees as well as subcontractors such as the bookstore and food services, and consortia such as the Washington Library Research Consortium.

CPIT will, to the extent feasible, develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks.

It is recommended that relevant offices of the university decide whether more extensive background or reference checks or other forms of confirmation are prudent in the hiring process for certain new employees, for example employees handling confidential financial information.

CPIT will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.

The Information Security Plan Coordinator will periodically review the university's disaster recovery program and data-retention policies and present a report to the Vice Presidents.

VI. Employee Training and Education

While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, CPIT and the OGC will work in cooperation with the Office of Human Resources to develop training and education programs for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology who have general access to all university data; custodians of data as identified in the data handbook; and those employees who use the data as part of their essential job duties.

VII. Oversight of Service Providers and Contracts

GLB requires the university to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Business Services, in cooperation with the Office of General Counsel, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. While contracts entered into prior to June 24, 2002 are grandfathered until May 2004, the Office of General Counsel will take steps to ensure that all relevant future contracts include a privacy clause and that all existing contracts are in compliance with GLB.

VIII. Evaluation and Revision of the Information Security Plan

GLB mandates that this Information Security Plan be subject to periodic review and adjustment. The most frequent of these reviews will occur within CPIT, where constantly changing technology and constantly evolving risks indicate the wisdom of more frequent reviews. Processes in other relevant offices of the university, such as data access procedures and the training program, should undergo regular review. The plan itself, as well as the related data retention policy, should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.

* posted pending approval

Final Approval by President's Council on Oct. 21, 2003

[1] The Financial Services Modernization Act of 1999 (also known as Gramm Leach Bliley (GLB)), 15 U.S.C. § 6801

[2] 20 U.S.C. § 1232g

[3] Social Security Numbers are kept both for historical purposes and due to the requirements of 26 U.S.C. § 6050S, the tuition payment credit reporting requirements.