Information Security Plan
This Information Security Plan (“Plan”) describes Occidental College’s safeguards to protect information and data in compliance with the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB), 15 U.S.C. Section 6801. The Federal Trade Commission (FTC) ruled that GLB applies to institutions of higher education.
Compliance with GLB involves compliance with 1) the privacy provisions of the act and 2) provisions regarding the safeguarding of customer information. These safeguards are intended to:
- Ensure the security and confidentiality of covered data and information;
- Protect against anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.
The FTC has said that colleges are deemed in compliance with the privacy provisions of GLB if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). With respect to safeguarding non-public customer information, such as family financial information and social security and identification numbers, the FTC recognizes compliance when an institution has an institutional security program and security plans in the specific offices of the college that handle such information.
For purposes of FERPA and GLB, the College considers students, employees, and alumni or any other third party engaged in a financial transaction with Occidental College as “customers”. Customer information that must be safeguarded is “any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form.” It includes financial information, academic and employment information, and other private paper and electronic records.
Information Security and Privacy
With respect to the privacy provisions of the GLB Act, Occidental College is in compliance with FERPA. Directory information (for example, name, address, enrollment at the college and degree information), the list of which is published yearly in the Student Handbook, is considered public (unless a student has requested otherwise in writing). All non-directory information is restricted or confidential, or “non-public.” Under FERPA, restricted information (for example, academic or financial records) is released outside the college only with the student’s written consent. Designated school officials, including faculty, key employees and occasionally outside service providers, have access to restricted, “non-public” information on a need-to-know basis only. Confidential information (for example, a faculty member’s or dean’s private notes) is even more protected than restricted information, and is released only in certain unusual circumstances as outlined in FERPA. Although FERPA, if narrowly construed, applies only to enrolled students and past students, in compliance with GLB and long-standing good practice the College extends FERPA privacy protections to all customers of the college.
The Registrar’s Office will provide guidance in complying with all FERPA privacy regulations. The College also complies with HIPAA (the Health Insurance Portability and Accountability Act of 1996), with the Emmons Student Wellness Center and Human Resources providing guidance. Each college department is responsible for securing customer information in accordance with all privacy guidelines.
The Occidental College Information Security Plan includes the following:
- Designation of an Information Security Program Coordinator
- A risk assessment of likely security and privacy risks
- Design and implementation of safeguards including a training program for all employees who have access to Covered Data and Information
- Guidelines for service providers and contracts
- Process for continued evaluation and adjustment of the Information Security Plan
The policies incorporated in this Information Security Plan apply to all College departments. In addition, where individual departments have additional security provisions, they will maintain written documentation of these and will make them available to the Security Program Coordinator.
Information Security Program Coordinator
The designated Information Security Program Coordinator for Occidental College is Wesley Tomatsu, Director of Networking, Operations and Systems. All correspondence and inquiries about the Occidental College Information Security Plan should be directed to him.
Occidental College recognizes that risks of unauthorized use of or access to Covered Data and Information exist, including, but not limited to:
- Unauthorized access of covered data and information by someone other than the owner of the covered data and information
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of covered data and information by employees
- Unauthorized requests for covered data and information
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of covered data and information through third parties
Occidental College recognizes that this list of the risks associated with the protection of Covered Data and Information is not exhaustive. New risks of unauthorized use of or access to Covered Data and Information are regularly created because technology is constantly changing. Accordingly, ITS will actively participate in and monitor advisory groups such as the EDUCAUSE Security Institute, the Internet2 Security Working Group and SANS to identify new risks to safeguarding Covered Data and Information.
Design and Implementation of Safeguards
Employee Management and Training
References of new employees working in areas that regularly work with Covered Data and Information (such as the Controller’s Office, Registrar, Student Accounts Receivable, Institutional Advancement, Residential Education/Housing Services and Financial Aid) are checked. Each new employee is also trained in the proper use of computer information and passwords. All College employees, including part-time and temporary employees, and volunteers are given specific training by their supervisors about issues of security of sensitive and confidential material used in their respective offices. Employees are accountable for understanding that, although they have access to non-public information in order to perform their duties for the College, they are not permitted to access it for unapproved purposes or disclose it to unauthorized persons. The Employee Handbook, which is provided to all employees, states that violation of security policies could result in termination of employment or legal action, or both. Further, each department responsible for maintaining Covered Data and Information should coordinate with the Information Security Plan Coordinator on an annual basis to review additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard the security of covered data and information.
Occidental College has addressed the physical security of Covered Data and Information by limiting access to only those employees who have a business reason to know such information. For example, personal customer information, accounts, balances and transactional information are available only to Occidental College employees with an appropriate business need for such information. Whether the information is stored in paper form or any electronically accessible format, departmental non-public information is maintained, stored, transmitted and otherwise handled under the direct personal control of an authorized employee of the College.
Financial aid records, account information and other paper documents are kept in file cabinets or rooms that are locked at the end of each business day. Confidential material is kept secure. Offices have locked doors with key restricted access. When offices are open for business, confidential information is kept out of sight from visitors. Offices and/or computers are shut down when the office will be vacant for an extended length of time. Paper documents that contain covered data and information are shredded at time of disposal.
Access to covered data and information via Occidental College’s computer information system is limited to those employees who have a business reason to know such information. The College relies on the Information Technology Services Department to provide each employee with a unique user name and password. ITS administers the College network, servers and administrative systems according to industry standards. Departmental desktop computers also require use of the user login credential and password for access.
Network security, including firewall technology, has been implemented to protect administrative servers and departmental workstations from unauthorized access through the Internet. Staff in administrative and faculty offices connect to secured computers on the campus network. Off campus access to this subnet is provided through a secure terminal services connection.
Occidental College takes reasonable and appropriate steps consistent with current technological developments to ensure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. ITS maintains the operating system and applications, including application of appropriate patches and updates in a timely fashion. User and system passwords are also required to comply with the Password Policy.
Outside Service Providers
Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that Occidental College determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard Covered Data and Information. Contracts with service providers may include the following provisions:
- An explicit acknowledgement that the contract allows the contract partner access to confidential information;
- A specific definition or description of the confidential information being provided;
- A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- An assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information;
- A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
- An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles Occidental College to terminate the contract without penalty; and
- A provision ensuring that the contract's confidentiality requirements shall survive any termination agreement.
Continuing Evaluation and Adjustment
This Information Security Plan will be subject to periodic review and adjustment. The most frequent of these reviews will occur within Information Technology Services, where constantly changing technology and evolving risks mandate increased vigilance. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the Information Security Plan Coordinator, in consultation with the Information and Data Oversight Committee, as well as the financial, legal and administrative offices of the College. Those groups and individuals will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.