Approved by the Chancellor, December 20, 2007
University of North Carolina at Charlotte
GLBA Information Security Program Regulation
Supplemental to Policy Statement #102
I. Executive Summary and Purpose
This document summarizes The University of North Carolina at Charlotte’s (the “Institution’s”) comprehensive written information security program (the “Program”) mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”). In particular, this document describes the Program elements pursuant to which the Institution intends to:
- ensure the security and confidentiality of covered records,
- protect against any anticipated threats or hazards to the security of such records, and
- protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
The Program incorporates by reference the Institution’s policies and procedures enumerated below, and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.
II. Scope
The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the Institution or its affiliates. For these purposes, the term nonpublic financial information shall mean any information:
- a student or other third party provides in order to obtain a financial service from the Institution,
- about a student or other third party resulting from any transaction with the Institution involving a financial service, or
- otherwise obtained about a student or other third party in connection with providing a financial service to that person.
III. Designation of Representatives
The Institution’s Information Technology Security Officer (ITSO) is designated as the Program Officer who shall be responsible for coordinating and overseeing the Program. The Program Officer shall have a committee composed of the following representatives:
- Director of Student Financial Aid
- University Registrar
- Associate Vice Chancellor for Financial Services
- General Counsel
- Director of Development Services
The Program Officer may designate other representatives of the Institution to oversee and coordinate particular elements of the Program. Any questions regarding implementation of the Program or the interpretation of this document should be directed to the Program Officer or his/her designees.
IV. Program Elements
a. Risk Identification and Assessment
The Institution intends, as part of the Program, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In implementing the Program, the Program Officer or his/her designee will establish procedures for identifying and assessing such risks in each relevant area of the Institution’s operations, including:
i. Employee Training and Management
The Program Officer will coordinate with representatives in the Institution’s Division of Business Affairs, Division of Student Affairs and Division of Academic Affairs to evaluate the effectiveness of the Institution’s procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the Institution’s current policies and procedures in this area.
ii. Information Systems and Information Processing and Disposal
The Program Officer will coordinate with representatives of the other relevant departments to assess the risks to nonpublic financial information associated with the Institution’s information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. This evaluation will include assessing the Institution’s current policies and procedures relating to acceptable use of the University computing facilities, network security and related matters. The Program Officer will also assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
iii. Detecting, Preventing and Responding to Attacks
The Program Officer will, in coordination with other appropriate administrative units, evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures; existing network access and security policies and procedures; and procedures for coordinating responses to network attacks and for developing incident response teams and policies. In this regard, the Program Officer may recommend that another administrator assume responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by the Institution.
b. Designing and Implementing Safeguards
The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The Program Officer will, on a regular basis, implement safeguards to control the risks identified through such assessments and will regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
c. Overseeing Service Providers
The Program Officer shall coordinate with those administrators responsible for the third party service procurement activities related to the Information Technology services unit and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which such providers will have access. In addition, the Program Officer will work with the Office of Legal Affairs to develop and incorporate standard contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Office of Legal Affairs. These standards shall apply to all existing and future contracts entered into with such third party service providers.
The Program Officer is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the Institution’s operations or other circumstances that may have a material impact on the Program.
V. Procedures
The GLBA procedural document provides details for implementation of this regulation. This separate document carries the full force of this regulation. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security.
VI. Compliance
Failure to comply with this regulation and the associated required procedures will be deemed a violation and subject to disciplinary action in accordance with appropriate University disciplinary procedures (Policy Statement #25: Violation of University Policy).
VII. Communication
Upon approval, this regulation shall be published on the appropriate UNC Charlotte web site(s). The following offices and individuals shall be notified in writing with any subsequent revisions or amendments made to this regulation:
• Chancellor’s Council
• Associate Provosts
• Deans, Directors and Department Heads