Information Security Program
Purpose
This document is designed to provide a framework of the Information Security program adopted by George Fox University (“the University”) to protect the critical and sensitive information held by the university. The purpose of this program is to ensure the protection of this information and to comply with legal requirements, including the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act ("GLBA"). The practices set forth in this document will be carried out by and impact diverse areas of the University.
Scope
This security program applies to consumer financial information (“covered data”) the University receives in the course of business as required by GLBA as well as other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope.
Security Program Framework
The GLBA requires that the University develop, implement, and maintain a comprehensive information security program containing the administrative, technical, and physical safeguards that are appropriate based upon the University's size, complexity, and the nature of its activities. This Information Security Program has five components:
- designating an employee or office responsible for coordinating the program;
- conducting risk assessments to identify reasonably foreseeable security and privacy risks;
- ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored;
- overseeing service providers;
- maintaining and adjusting this Information Security Program based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.
Security Program Coordinator
The GLBA Security Program Coordinator (“Coordinator”) will be responsible for implementing this Information Security Program. The Coordinator shall be appointed by the Operations Team. The Coordinator will work closely with Institutional Technology, the Registrar’s Office, Human Resources, Student Financial Services, Student Financial Aid, and other offices or departments that may use or own covered data.
Risk Assessment
The Information Security Program will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks.
The Coordinator will work with all relevant areas to carry out comprehensive risk assessments. Risk assessments will include system-wide risks as well as risks unique to each area with covered data.
Information Safeguards and Monitoring
The Information Security Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. The Coordinator will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data. Such safeguards and monitoring will include the following:
Employee Management and Training
Safeguards for security will include management and training of those individuals with authorized access to covered data.
The Coordinator will, working with other responsible offices and units, identify categories of employees or others who have access to covered data.
Information Systems
Information systems include the hardware and software used for the storage, transmission, and creation of, and access to, University information.
These systems will be reasonably designed to limit the risk of unauthorized access to covered data. This may include designing limitations to access and appropriate monitoring programs to detect and identify malicious activity.
Managing System Failures
The University will maintain effective systems to prevent, detect, and respond to disasters, intrusions and other system failures.
Monitoring and Testing
Monitoring systems will be implemented to regularly test and monitor the effectiveness of information security safeguards.
Service Providers
In the course of business, the University may from time to time appropriately share covered data with third parties. Such activities may include collection activities, transmission of documents, transfer of funds, destruction of documents or equipment, or other similar services. This Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and to require service providers by contract to implement and maintain such safeguards.
Program Maintenance
The Coordinator, working with responsible units and offices, will evaluate and adjust the Information Security Program in response to any material changes to operations or business arrangements; results of assessments, testing or monitoring; or any other circumstances which may reasonably have an impact on the Information Security Program.
Related Policies, Standards, Guidelines
This Information Security Program incorporates by reference the University's policies and procedures regarding the legal requirements of the programs referenced below and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations.