ITS Service Center

GLBA Information Security Plan

The University is required by the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation called the Safeguards Rule (the Rule) (16 CFR Part 314) to develop, implement, and maintain a comprehensive written Information Security Program (ISP) to safeguard customer information in the University’s care. This document outlines the efforts of the University’s ISP to address GLBA requirements.

Objective

1. Ensure the security and confidentiality of customer information

2. Protect against anticipated threats or hazards to the security or integrity of such information

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers.

Scope

The plan applies to any record, physical or electronic, containing nonpublic personal information about a student or other third party who has a continuing relationship with the University, where such information is obtained in connection with a financial service or product offered by the University, and that is maintained by the University or on the University’s behalf.

Nonpublic Personal Information (NPI) means information:

1. A student or third-party provides in order to obtain a financial service or product from the University

2. About a student or third-party resulting from any transaction with the University involving a financial service or product, or

3. Otherwise obtained about a student or third-party in connection with providing a financial service or product.

For example, nonpublic personal information includes bank and credit card account numbers, tax records, income and credit histories, as well as names, addresses, and social security numbers associated with financial information. Customer information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.

Related Policies and Programs

The University has adopted comprehensive policies and practices to protect the privacy and security of information in its care. The University maintains a mandatory data protection training program for all employees. The ISP also includes all security policies and standards found on the University’s policy library at policy.fredonia.edu.

Related Elements of the University’s Information Security Program:

1. Information Security Program Coordinator(s).

The University has designated the University CISO as its ISP Coordinator (Coordinator). The coordinator may designate others to oversee particular elements of the ISP. Questions regarding the ISP should be directed to the CISO or the designees.

2. Risk Identification and Assessment.

The CISO will identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Further, the CISO will assess the sufficiency of any safeguards in place to control these risks. This applies to information in any format, whether electronic, paper, or other form.

The CISO will assess:

  1. Employee training and management: evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered records.
  2. Information systems, information processing, and disposal: assess the risks to covered information associated with the University’s information systems, including network and software design, as well as information processing, storage, transmission, and Disposal.
  3. Detecting, preventing and responding to attacks and system failures: evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions, or other system failures.

3. Designing and Implementing Safeguards

The CISO will design and implement safeguards to control the risks identified in assessments and regularly test or otherwise monitor the effectiveness of such safeguards. Testing and monitoring may be accomplished through existing network monitoring, operational procedures, and other management practices.

4. Overseeing Service Providers.

The CISO will work with the Procurement and Contract Services unit to develop and incorporate standard contractual provisions for service providers that will require providers to implement and maintain appropriate safeguards. In conjunction with the Procurement and Contract Services unit, the CISO will assist in instituting methods to select and retain only those service providers capable of maintaining appropriate safeguards for customer information to which they will have access.

5. Adjustments to Program.

The CISO will evaluate and adjust the plan as needed, based on risk identification and assessment activities and when material changes to the University’s operations or other circumstances may have a material impact.

Please refer to our University Policy Library for a complete list of Information Technology and Security Policies as part of GLBA Information Security Plan. 

For More Assistance

Contact the ITS Information Security Office at security@fredonia.edu.

ITS Service Center

  • W203 Thompson Hall State University of New York at Fredonia Fredonia, NY 14063

Contact

Hours

  • Monday - Thursday: 8:00am - 8:00pm
  • Friday: 8:00am - 4:30pm
  • Saturday & Sunday: 12:00pm - 5:00pm
  • Summer/Break Hours: Monday - Friday: 8:00am - 4:00pm