An actual safeguards plan

From: Tacoronte, Joe (Joe.Tacoronte@unco.edu)
Date: Wed Apr 23 2003 - 12:36:41 EDT


    The Colorado Association of Administrators of Student Loans and Accounts Receivables (CAASLAR) will be making a presentation on the safeguards rule at their spring conference on May 1, 2003. Part of that presentation will be a sample information security plan. Because of the great interest in a sample plan, I am posting the plan to this list and sending a copy to Mary Bachinger at NACUBO. The plan is the preliminary document that is being worked on at the University of Northern Colorado. Hope this helps.

    Joe Tacoronte
    Bursar
    University of Northern Colorado

    INFORMATION SECURITY PLAN FOR
    XYZ UNIVERSITY

    I. The designated employee for the coordination and execution of the Information Security Plan is the Registrar of the XYZ University. All correspondence and inquiries should be directed to the Registrar's Office.

    II. The following have been identified as relevant areas to be considered when assessing the risks to customer information:

        Employee Management and Training
        Information Systems
        Managing System Failures
        Student Loans
        Student Card Office
        Admissions
        Registrar's Office
        Financial Aid Office
        Accounts Receivable Office
        Residence Life
        Student Health Center
        Continuing Education

    III. The Registrar's office will coordinate with the Internal Auditor's office to maintain the information security program. The Registrar's office will provide guidance in complying with all privacy regulations. Each relevant area is responsible for securing customer information in accordance with all privacy guidelines. A written security policy that details the information security policies and processes will be maintained by each relevant area and will be made available to the Registrar's or Internal Auditor's office upon request. In addition, the information technology department will maintain and provide access to policies and procedures that protect against any anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information.

    IV. XYZ University will select appropriate service providers that are given access to customer information in the normal course of business and will contract with them to provide adequate safeguards. In the process of choosing a service provider that will have access to customer information, the evaluation process shall include the ability of the service provider to safeguard customer information. Contracts with service providers shall include the following provisions:
        * An explicit acknowledgement that the contract allows the contract partner access to confidential information.
        * A specific definition of the confidential information being provided.
        * A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
        * A guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract.
        * A guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information.
        * A provision allowing for the return or destruction of all confidential information received by the contract partner upon completion of the contract.
        * A stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract.
        * A stipulation that any violation of the contract's protective conditions amounts to a material breach of contract and entitles the XYZ University to immediately terminate the contract without penalty.
        * A provision allowing auditing of the contract partner's compliance with the contract safeguard requirements.
        * A provision ensuring that the contract's protective requirements shall survive any termination agreement.

    V. This information security plan shall be evaluated and adjusted in light of relevant circumstances, including changes in the university's business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic auditing of each relevant area's compliance shall be done per the internal auditing schedule. Annual risk assessment will be done through the internal auditor's office. Evaluation of risk of new or changed business arrangements will be done through the legal counsel's office.



    This archive was generated by hypermail 2.1.4 : Thu Apr 24 2003 - 15:32:40 EDT