I. Executive Summary and Purpose
This document summarizes The University of North Carolina at Charlotte’s (the “Institution’s”) comprehensive written information security program (the “Program”) mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”). In particular, this document describes the Program elements pursuant to which the Institution intends to:
The Program incorporates by reference the Institution’s policies and procedures enumerated below, and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.
The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the Institution or its affiliates. For these purposes, the term nonpublic financial information shall mean any information:
III. Designation of Representatives
The Institution’s Information Technology Security Officer (ITSO) is designated as the Program Officer who shall be responsible for coordinating and overseeing the Program. The Program Officer shall have a committee composed of the following representatives:
The Program Officer may designate other representatives of the Institution to oversee and coordinate particular elements of the Program. Any questions regarding implementation of the Program or the interpretation of this document should be directed to the Program Officer or his/her designees.
IV. Program Elements
a. Risk Identification and Assessment
The Institution intends, as part of the Program, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In implementing the Program, the Program Officer or his/her designee will establish procedures for identifying and assessing such risks in each relevant area of the Institution’s operations, including:
ii. Information Systems and Information Processing and Disposal
iii. Detecting, Preventing and Responding to Attacks
The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The Program Officer will, on a regular basis, implement safeguards to control the risks identified through such assessments and will regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
c. Overseeing Service Providers
The Program Officer shall coordinate with those administrators responsible for the third party service procurement activities related to the Information Technology services unit and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which they will have access. In addition, the Program Officer will work with the Office of Legal Affairs to develop and incorporate standard contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Office of Legal Affairs. These standards shall apply to all existing and future contracts entered into with such third party service providers.
The Program Officer is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the Institution’s operations or other circumstances that may have a material impact on the Program.
The GLBA procedural document provides details for implementation of this regulation. This separate document carries the full force of this regulation. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security.
Failure to comply with this regulation and the associated required procedures will be deemed a violation and subject to disciplinary action in accordance with appropriate University disciplinary procedures (University Policy 801: Violation of University Policy).
Upon approval, this regulation shall be published on the appropriate UNC Charlotte website(s). The following offices and individuals shall be notified in writing of any subsequent revisions or amendments made to this regulation:
Approved by the Chancellor, December 20, 2007