Rochester University Information Security Program
Rochester University is required by the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations at 16 CFR Part 314 (the FTC Safeguards Rule) to implement and maintain a comprehensive written Information Security Program (“ISP”) and to appoint a coordinator for the program. The objectives of the ISP are to (1) ensure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers. The ISP may incorporate by reference the Institution’s policies and procedures enumerated below and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA, HIPAA, GLBA, GDPR, and the FTC Red Flags Rule.
This ISP is in addition to existing Rochester University policies and procedures that address various aspects of information privacy and security, including but not limited to, the Rochester University Employee Handbook Policy and the Rochester University Information Technology Acceptable Use Policy.
Rochester University has designated the Director of Information Technology as its ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP. The ISP Coordinator chairs a subcommittee that approves all ISP policies, protocols, and risk and asset assessments.
“Covered information” means nonpublic personal information about a student or other third party who has a continuing relationship with Rochester University, where such information is obtained in connection with the provision of a service or product by Rochester University, and that is maintained by Rochester University or on Rochester University’s behalf. Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, Social Security numbers, income, credit scores, and information obtained through Internet collection devices (e.g., cookies).
Elements of the ISP
Risk Identification and Assessment. Rochester University’s ISP identifies and assesses external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other mishandling of such information. The ISP focuses risk and asset assessments in the following areas:
- Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to ensure ongoing training and assessment of all faculty and staff on the handling of covered information.
- Information Systems. The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to covered information associated with the institution’s information systems, networks, backup and recovery systems, cloud systems, information transmission/retention/disposal, and outside vendor usage of covered information.
- Detecting, Preventing and Responding to Attacks and System Failures. The ISP Coordinator will coordinate with the appropriate personnel to evaluate procedures used for preventing, detecting, and responding to cyber-attacks, intrusions, and other system failures.
Designing and Implementing Safeguards. The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments. The ISP Coordinator will oversee the plans that test and monitor the effectiveness of safeguards. Monitoring and problem escalation may be accomplished using existing network tools and/or outside contract services to assist in determining safeguard effectiveness.
Service Provider Oversight/Management. The ISP Coordinator, in conjunction with the CFO and General Counsel for Rochester University, will help develop and incorporate standard contractual provisions for service providers that require providers to implement and maintain appropriate safeguards for covered information. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
Changes and Updates to the ISP. The ISP Coordinator will evaluate and adjust the ISP as needed in response to material changes in Rochester University’s operations or to other circumstances that materially affect the institution.