Gramm-Leach-Bliley Act
Required Information Security Policy
This Policy reflects the intention of Drexel University ("University") to implement an information security program ("Program") that (i) ensures the security and confidentiality of covered records, (ii) protects against any anticipated threats or hazards to the security of such records, and (iii) protects against the unauthorized access or use of such records or information in ways that could result in substantial harm to students, faculty and staff. This Policy incorporates by reference any other University policies and procedures that deal with obligations to maintain the security of confidential information or the implementation of security plans, such as the Security of Information and Networked Systems Plan.
Designation of Representatives:
The University's Director of Core Technology Infrastructure is designated as the Program Officer who shall be responsible for coordinating the implementation of this policy. The Program Officer may designate other representatives of the University to oversee and coordinate particular elements of the Policy.
Non-Public Financial Information: Any information (i) a student or other third party provides in order to obtain a financial service from the University, (ii) about a student or other third party resulting from any transaction with the University involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person. Non-Public Financial Information may be in paper, electronic or other form.
Elements of the Program:
- Risk Identification and Assessment.
The University shall undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of Non-Public Financial Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The Program Officer will establish procedures for identifying and assessing such risks, including the evaluation of the effectiveness of the University's procedures, policies and practices relating to access to and use of Non-Public Financial Information.
- Information Systems and Information Processing and Disposal.
The Program Officer will coordinate with representatives of the University and outside auditors to assess and monitor the risks of unintentional disclosure of Non-Public Financial Information arising from the University's information systems, including network and software design, information processing, and the storage, transmission and disposal of Non-Public Financial Information.
- Detecting, Preventing and Responding to Attacks.
The Program Officer will evaluate the procedures for and methods of detecting, preventing and responding to attacks or other system failures, the existing network access and security policies and procedures, and the procedures for coordinating responses to network attacks.
- Designing and Implementing Safeguards.
The Program Officer will design and implement safeguards to control the risks identified through such assessments and to test or monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
- Overseeing Service Providers.
The Program Officer shall coordinate with those responsible for third party service procurement activities to institute methods for selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the Non-Public Financial Information of students and other third parties to which they will have access. The Office of General Counsel will develop and incorporate standard contractual protections applicable to third party service providers that will require such providers to implement and maintain appropriate safeguards. These standards shall apply to all existing and future contracts entered into with such third party service providers, provided that amendments to contracts entered into prior to June 24, 2002 are not required to be effective until May 2004.
- Employee Training and Management.
The Program Officer shall designate other representatives of the University to provide training to employees of the University regarding security initiatives to minimize the disclosure of Non-Public Financial Information.
- Adjustments to Program.
The Program Officer shall adjust the University's security initiatives based on the risk identification and assessment activities as well as any material changes to the University's operations or other circumstances that may have a material impact on the University's security initiatives.