Gramm-Leach-Bliley Act (“GLBA”) Policy
ROCHESTER CHRISTIAN UNIVERSITY INFORMATION SECURITY PROGRAM
PURPOSE
Rochester Christian University is required by the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations at 16 CFR Part 314 to implement and maintain a comprehensive written Information Security Program (“ISP”) and to appoint a coordinator for the program. The objectives of the ISP are to (1) ensure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers. The ISP may incorporate by reference the Institution’s policies and procedures enumerated below and is in addition to any institutional policies and procedures that may be required under other federal and state laws and regulations, including, without limitation, FERPA, HIPAA, GDPR, and the FTC Red Flags Rule.
RELATED POLICIES
This ISP is in addition to existing Rochester Christian University policies and procedures that address various aspects of information privacy and security, including but not limited to, the Rochester Christian University Employee Handbook Policy and the Rochester Christian University Information Technology Acceptable Use Policy.
ISP COORDINATOR
Rochester Christian University has designated the Director of Information Technology as its ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP. The ISP Coordinator chairs a subcommittee that approves all ISP policies, protocols, and risk and asset assessments.
COVERED INFORMATION
“Covered information” means nonpublic personal information about a student or other third party who has a continuing relationship with Rochester Christian University, where such information is obtained in connection with the provision of a service or product by Rochester Christian University and is maintained by Rochester Christian University or on Rochester Christian University’s behalf. Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, Social Security numbers, income, credit scores, and information obtained through Internet collection devices (e.g., cookies).
ELEMENTS OF THE ISP
Risk Identification and Assessment. Rochester Christian University’s ISP identifies and assesses external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other mishandling of such information. The ISP focuses risk and asset assessments on the following areas:
- Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to ensure continual training and assessment of all faculty and staff on the handling of covered information.
- Information Systems. The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to covered information associated with the institution’s information systems, networks, backup and recovery systems, cloud systems, information transmission, retention, and disposal, and outside vendors’ use of covered information.
- Detecting, Preventing and Responding to Attacks and System Failures. The ISP Coordinator will coordinate with the appropriate personnel to evaluate procedures used for preventing, detecting, and responding to cyber-attacks, intrusions, and other system failures.
Designing and Implementing Safeguards. The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments. The ISP Coordinator will oversee the plans that test and monitor the effectiveness of safeguards. Monitoring and problem escalation may be accomplished using existing network tools and/or outside contract services to assist in determining safeguard effectiveness.
Service Provider Oversight/Management. The ISP Coordinator, in conjunction with the CFO and General Counsel for Rochester Christian University, will develop and incorporate standard contractual provisions for service providers that require providers to implement and maintain appropriate safeguards for covered information. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
Changes and Updates to the ISP. The ISP Coordinator will evaluate and adjust the ISP as needed in light of material changes to Rochester Christian University’s operations and any other circumstances that may materially affect the institution or the ISP.