Gramm Leach Bliley Act Required Information Security Policy
Overview
This Policy reflects the intention of the Drexel University College
of Medicine (“College”) to implement an information
security program (“Program”) that (i) ensures the security
and confidentiality of covered records, (ii) protects against any
anticipated threats or hazards to the security of such records,
and (iii) protects against the unauthorized access or use of such
records or information in ways that could result in substantial
harm to students, faculty and staff. This Policy incorporates by
reference any other College policies and procedures that deal with
obligations to maintain the security of confidential information
or the implementation of security plans, such as the Security of
Information and Networked Systems Plan.
Designation of Representatives:
The College’s Director of Core Technology Infrastructure
is designated as the Program Officer who shall be responsible for
coordinating the implementation of this policy. The Program Officer
may designate other representatives of the College to oversee and
coordinate particular elements of the Policy.
Definitions:
Non-Public Financial Information: Any information (i) a
student or other third party provides in order to obtain a financial
service from the College, (ii) about a student or other third party
resulting from any transaction with the College involving a financial
service, or (iii) otherwise obtained about a student or other third
party in connection with providing a financial service to that person.
Non-Public Financial Information may be in paper, electronic or
other form.
Elements of the Program:
1. Risk Identification and Assessment. The College shall
undertake to identify and assess external and internal risks to
the security, confidentiality, and integrity of Non-Public Financial
Information that could result in the unauthorized disclosure, misuse,
alteration, destruction or other compromise of such information.
The Program Officer will establish procedures for identifying and
assessing such risks, including the evaluation of the effectiveness
of the College’s procedures, policies and practices relating
to access to and use of Non-Public Financial Information.
2. Information Systems and Information Processing and Disposal.
The Program Officer will coordinate with representatives of the
College and outside auditors to assess and monitor the risks of
unintentional disclosure of Non-Public Financial Information arising
from the College’s information systems, including network
and software design, information processing, and the storage, transmission
and disposal of Non-Public Financial Information.
3. Detecting, Preventing and Responding to Attacks. The
Program Officer will evaluate procedures for and methods of detecting,
preventing and responding to attacks or other system failures and
existing network access and security policies and procedures, as
well as procedures for coordinating responses to network attacks.
4. Designing and Implementing Safeguards. The Program Officer
will design and implement safeguards to control the risks identified
through such assessments and to test or monitor the effectiveness
of such safeguards. Such testing and monitoring may be accomplished
through existing network monitoring and problem escalation procedures.
5. Overseeing Service Providers. The Program Officer shall
coordinate with those responsible for the third party service procurement
activities to institute methods for selecting and retaining only
those service providers that are capable of maintaining appropriate
safeguards for Non-Public Financial Information of students and
other third parties to which they will have access. The Office of
General Counsel will develop and incorporate standard, contractual
protections applicable to third party service providers that will
require such providers to implement and maintain appropriate safeguards.
These standards shall apply to all existing and future contracts
entered into with such third party service providers, provided that
amendments to contracts entered into prior to June 24, 2002 are
not required to be effective until May 2004.
6. Employee Training and Management. The Program Officer
shall designate other representatives of the College to provide
training to employees of the College regarding security initiatives
to minimize the disclosure of Non-Public Financial Information.
7. Adjustments to Program. The Program Officer shall adjust
the College’s security initiatives based on the risk identification
and assessment activities as well as any material changes to the
College’s operations or other circumstances that may have
a material impact on the College’s security initiatives.
Last Updated 7/30/03 by Annette Rivera, IRT.