Policies and Procedures Manual 2023-2024

3.48 Information Security Program Policy

Piedmont University collects, stores, and shares a variety of data about its faculty, staff, students, and operations as necessary for the accomplishment of its mission. Piedmont University (the “University”), through its Information Security Program (the “Program”), will protect the security of all data collected, stored, or shared in its various information systems as required by law, regulation, and best practice. Further, the University will restrict the use of its information resources to authorized personnel and to approved purposes only, will ensure the accuracy, privacy, and protection of the University’s information resources as required by law, and will retain personal information no longer than necessary, as required by law and in accordance with departmental data retention policies. Content within the Program is mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”) and describes the Program elements pursuant to which the University intends to (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. The Program incorporates by reference the University’s policies and procedures enumerated below and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.

 

Designation of Representatives 

The University’s Chief Information Officer (the “CIO”) is responsible for coordinating and overseeing the Program, including developing, implementing, maintaining, and assessing all University policies and procedures related to information security; for the management of information security incidents; and for advising the University community on matters relating to information security. The CIO may designate other representatives of the University to oversee and coordinate elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the CIO or his or her designees.

 

Scope of Program

The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the University, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the University or its affiliates. For these purposes, the term nonpublic financial information shall mean any information:

 (i) a student or other third party provides to obtain a financial service from the University, (ii) about a student or other third party resulting from any transaction with the University involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.

 

Definitions

      Confidentiality: refers to ensuring that institutional data is protected from unauthorized disclosure.

      Information Security Officer: the senior institutional official charged with the establishment, implementation, maintenance, and assessment of the Information Security Program is the Chief Information Officer (CIO).

      Information Security: refers to the protection of institutional data to ensure its confidentiality, integrity, and availability.

      Information Security Incident: an event that is likely to cause harm to the institution and/or its information assets.

      Information Security Program (ISP): refers to the totality of policies, procedures, training, and other information provided to the University community by the Office of Information Technology.

      Information System: refers to a set of components, procedures, and people used to collect, store, maintain, and disseminate institutional data. In this document, such systems can be either electronic (e.g., database/spreadsheet) or manual (e.g., file cabinet/other manual files).

      Institutional Data: refers to any data collected, stored, or shared on behalf of the University in connection with the accomplishment of its mission.

      Privacy: refers particularly to the protection of personal information from unauthorized disclosure as defined by law, regulation, or institutional privacy policy.

 

Procedure

The Program shall be based upon, and defined by, an industry-accepted cybersecurity standards framework such as the NIST Cybersecurity Framework or the ISO/IEC 27000 family of standards. Adherence to a standards framework helps ensure that the University ISP is comprehensive and in alignment with current best practices.

 

The CIO will manage the Program by:

  • Developing and maintaining the University Program framework
  • Conducting ongoing assessments of the state of the University relative to the framework standards, such that each individual standard is assessed at least biennially, to determine the adequacy of its associated controls
  • Recommending and monitoring the development of controls in response to security standards requirements, including:
    • Policy
    • Procedures
    • Hardware/software
    • Training
  • Maintaining documentation concerning the ISP framework and associated assessments
  • Ensuring that senior leadership is informed of the current state of information security readiness
  • Overseeing University community information security training
  • Ensuring that the University community is informed about current information security issues
  • Serving as the University coordinator for all information security issues

 

Risk Identification and Assessment

    The University will, as part of the Program, identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. In implementing the Program, the CIO will establish procedures for identifying and assessing such risks in each relevant area of the University’s operations, including:

 

  • Employee training and management. The CIO will coordinate with representatives in the University’s Human Resources, Controller’s, and Financial Aid offices to evaluate the effectiveness of the University’s procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the University’s current policies and procedures in this area found in the University’s Policies and Procedures Manual: http://piedmont.smartcatalogiq.com/2021-2022/Policies-and-Procedures-Manual-2021-2022 and the Student Catalog: https://piedmont.smartcatalogiq.com/en/2021-2022/Undergraduate-Catalog

     

  • Information Systems and Information Processing and Disposal. The CIO will coordinate with representatives of the University’s Department of Information Technology to assess the risks to nonpublic financial information associated with the University’s information systems, including network and software design, information processing, and the storage, transmission, and disposal of nonpublic financial information. This evaluation will include assessing the University’s current policies and procedures relating to acceptable use of the University’s network, network security, and document retention and destruction. The CIO will also coordinate with the University’s Department of Information Technology to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to address known security flaws.

     

  • Detecting, Preventing, and Responding to Attacks. The CIO will coordinate with the University’s Department of Information Technology and other relevant units to evaluate procedures for and methods of detecting, preventing, and responding to attacks or other system failures; existing network access and security policies and procedures; and procedures for coordinating responses to network attacks and for developing incident response teams and policies. In this regard, the CIO may elect to delegate to a representative of the Department of Information Technology the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by the University.

 

Designing and Implementing Safeguards

   The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper, or other form. The CIO will, on a regular basis, implement safeguards to control the risks identified through such assessments and will regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.

 

Overseeing Service Providers

    The CIO shall coordinate with those responsible for third-party service procurement activities in the Department of Information Technology and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that can maintain appropriate safeguards for the nonpublic financial information of students and other third parties to which they will have access. In addition, the CIO will work with the Chief Financial Officer to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Chief Financial Officer. These standards shall apply to all existing and future contracts entered into with such third-party service providers.

 

Adjustments to Program

   The CIO is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as on any material changes to the University’s operations or other circumstances that may have a material impact on the Program.