Financial Information Security Plan

In accordance with The Financial Services Modernization Act of 1999, also known as the Gramm Leach Bliley Act, and to protect the financial information of our students, faculty, and staff, Clark University has adopted this Financial Information Security Plan. The goal of this document is to outline the measures we will take to comply with this Act, and to assure an ongoing review mechanism to address requests to meet future privacy needs. The Executive Vice President shall serve as the Coordinator of the Plan, and will be assisted by the Vice President for Information Technology, the Controller, and the Registrar, as well as other University Officers as needed.

We will strive to ensure the security and confidentiality of all student and other customer financial records and information. This information will be safeguarded so as to protect to the extent possible any unauthorized access to, or use of, such records in a manner which could cause substantial harm or inconvenience to any customer. We will also protect against any anticipated threats to the security or integrity of this financial information.

• Unauthorized access to data through software applications
• Unauthorized use of other users’ accounts and passwords
• Unauthorized viewing of printed data or computer displayed financial data
• Improper storage of printed financial data
• Unprotected documentation usable by intruders to access data
• Improper destruction of printed financial material

• No financial information will be collected by any department of the university which is not necessary for the effective functioning of that Department.
• Printed copies of customer financial information will be shredded when its usage is completed.
• No printed financial information is to be kept in unlocked storage areas.
• Printed copies of customer financial information are not to be left on desks when such work areas are unattended.
• Key control of all locked areas will be maintained by the Facilities Maintenance department staff, with the cooperation of the University Police and all user departments. All keys must be turned in to the Director of Human Resources upon separation from the University.
• Computer work stations used to display customer financial information are not to be left unattended with that information displayed. Users of such information are to log off when they are away from their workstation for any significant period of time.
• Passwords are to be utilized, and kept confidential, at all times. These will be controlled by the Department of Information Technology Services.
• Disciplinary measures, up to and including termination, may be imposed for breaches to customer information security.
• All staff using customer financial information (both existing and new hires) will be given a copy of this plan, and asked to signify their acceptance of its provisions.
• All service providers to the University with access to student financial information will be required to implement and maintain safeguards to these data. All such service providers will be required to provide an attestation of compliance at least annually.
• The University will remain in full compliance with the Family Educational Rights and Privacy Act (FERPA).
• The University will continually evaluate and, where necessary, amend this Plan to ensure that customer financial information is protected. This testing will include regular evaluation of the effectiveness of the safeguards put into place, and the key controls, systems, and procedures.

The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, establishes the minimum standards to protect all consumers’ personal financial information. This Act includes the Financial Privacy Rule which governs the collection and disclosure of customer’s personal financial information by financial institutions (Clark is defined as a financial institution under the Act based on issuance of student loans) and the Safeguard Rule which requires all
financial institutions to design, implement and maintain safeguards to protect customer information.

In order to ensure the security and confidentiality of private information and data, and to comply with GLB, the University adopted this Information Security Program (GLB) for certain highly critical and private financial and related information. This security program applies to customer financial information (“covered data”) the University receives in the course of business as required by GLB, as well as other confidential financial information the University has
voluntarily chosen as a matter of policy to include within its scope. This document describes many of the activities the University has established to maintain covered data according to legal and University requirements. This Information Security Program document is designed to provide an outline of the safeguards that apply to this information.

Any office or department on campus that either collects, maintains, shares or has access to records containing protected personal (non-public) financial information for students, faculty or staff, including but not limited to:

• Admissions Office – Undergraduate and Graduate
• Financial Services
• Business Manager/One Card Office
• School of Professional Studies (SPS)
• Financial Assistance Office
• School of Management
• International Development, Community, and Environment
• Human Resources
• International Student and Scholars
• Payroll
• Student Accounts Office
• University Advancement
• Strategic Analytics and Institutional Research
• Registrar’s Office

The following is a list of third party servicers who may maintain records with protected personal (non-public) financial information for students, faculty or staff:

• ADP
• ECSI
• Nelnet
• Collection Agencies – Windham Professionals, Delta Management, William and Fudge, and Reliant
• Payment Gateway Providers – Cashnet, IATS, Authnet Gateway
• Data Analysis Companies
• Secure storage/destruction – Shred-it

All persons who have access to the protected data, including:

• Administrative and faculty department heads
• Every employee that accesses handles or maintains Clark University records (electronic, paper or other form) containing non-public financial information about a constituent who has a relationship with the University. Clark University employees include full-, part-time and hourly staff members as well as student workers who access, handle or maintain records, particularly – but not exclusively – Financial Services , Business Manager, Financial Assistance Office, University Advancement (including fundraising and alumni affairs offices), Undergraduate and Graduate Admissions, International Student and Scholars, SOM, SPS and Athletics. Employees who contract with service providers (third party vendors) who, in the ordinary course of University business, are provided access to covered data. Service providers may include, but are not limited to, banks and financial institutions, businesses retained to transport and dispose of covered data, data analysis firms, collection agencies and payment gateway providers.

Many financial institutions collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories, tax returns, financial profiles and social security numbers. GLB requires financial institutions, which includes colleges and universities, to ensure the security and confidentiality of this type of information, whether it is paper, electronic or some other type of format. The GLBA also requires the University to develop, implement and maintain a comprehensive Information Security Program containing the administrative, technical and physical safeguards that are appropriate based upon the University’s size, complexity and the nature of its activities. This Information Security Program has five components:

• Designating an employee or office responsible for coordinating the program
• Conducting risk assessments to identify reasonably foreseeable security and privacy risks
• Ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored
• Overseeing service providers
• Maintaining and adjusting this Information Security Program based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.

A Financial institution is as a company that offers financial products or services to individuals, like loans, financial or investment advice or insurance.

A customer is consumer who has developed an ongoing relationship with a financial institution. In general, if the relationship between the financial institution and the individual is significant or long- term, the individual is a customer of the financial institution.

A consumer is an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family or household purposes, and also means the legal representative of such an individual.

Covered data includes information obtained from a constituent with whom the University has a relationship in the course of offering a financial product or service or conducting fundraising activities; or such information provided to the University from another institution. Constituents include students, employees, service providers, alumni, parents and friends (friends are defined as prospective donors or volunteers who do not have other relationships to the University).

A Financial product or service includes offering student loans, receiving income tax information from a current or prospective student’s parents as a part of a financial aid application, offering credit or interest bearing loans, and other miscellaneous financial services Examples of financial information relating to such products or services include bank account numbers, credit card numbers, income and credit histories, social security numbers and wills and other testamentary documents.

Service Providers refer to all third parties who, in the ordinary course of University business, are provided access to covered data. Service providers may include businesses retained to transport and dispose of covered data, collection agencies, loan servicers, collection agencies, and payment gateway providers.

The Information Security Program will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include consideration of risks in each area that has access to covered information. Risk assessments will include, but not be limited to, consideration of employee training and management; information systems, including network and software design, as well as information processing, storage, transmission and disposal; and systems for detecting, preventing, and responding to attacks, intrusions, or other system failures.

The Coordinator will work with all relevant areas to carry out comprehensive risk assessments. Risk assessments will include system-wide risks, as well as risks unique to each area with covered data. The Coordinator will ensure that risk assessments are conducted at least annually and more frequently where required. The Coordinator will work with the CIO to identify a responsible party from the Clark University Information Technology Department to conduct the system-wide risk assessment. The Coordinator may identify a responsible party in each unit with access to covered data to conduct the risk assessment, or employ other reasonable means to identify risks to the security, confidentiality and integrity of covered data in each area of the University with covered data.

Safeguards for security will include management and training of those individuals with authorized access to covered data. The Coordinator will, working with other department heads, help to identify categories of employees or others who have access to covered data. The responsibility for employee training will reside with various individuals as deemed appropriate by the policy coordinator and the Information Security Officer.

Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal. Network and software systems will be reasonably designed to limit the risk of unauthorized access to covered data. This may include designing limitations to access, and maintaining appropriate screening programs to detect computer hackers and viruses and implementing security patches.

Safeguards for information processing, storage, transmission, retrieval and disposal may include:

• Requiring that financial information be collected only by departments for which it is necessary for the effective functioning of that department.
• Requiring electronic covered data be entered into a secure, password-protected system
• Using secure connections to transmit data outside the University
• Using secure servers
• Ensuring covered data is not stored on transportable media
• Permanently erasing covered data from computers, diskettes, magnetic tapes, hard drives, or other electronic media before re-selling, transferring, recycling, or disposing of them
• Storing physical records in a secure area and limiting access to that area
• Disposing of outdated records under a document disposal policy that includes shredding confidential paper records before disposal; insuring third-party providers provide certification of secure method of shredding and/or disposal
• Requiring that printed financial information be kept in locked storage areas and not left on desks when work areas are unattended.
• Ensuring that computer work stations used to access financial information not be left unattended with that information displayed. Users of such information are required to log off when they are away from their workstation.
• Ensuring that computers with covered data are identified and procedures followed to insure the security of that data during its life cycle in the University’s possession or control.

Monitoring procedures will be used to regularly test and monitor the effectiveness of information security safeguards to ensure that safeguards are being followed, and to swiftly detect and correct breakdowns in security.

In the course of business, the University may from time to time appropriately share covered data with third parties. Such activities may include collection activities, loan servicing, payment plan providers, credit card processers, transmission of documents, destruction of documents or equipment, or other similar services. This Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue and requiring service providers by contract to implement and maintain such safeguards.

The Executive Vice President shall serve as the Coordinator of the policy and will be assisted by the Chief Information Officer, the Controller, as well as other University Officers as needed.

The University’s Information Security Officer will oversee enforcement of the policy, including the responsibility of notifying Department Heads about changes to the policy. Additionally, this individual will investigate any reported violations of this policy, lead investigations about identified security breaches and may terminate access to protected information of any users who fail to comply with the policy.

The Federal Trade Commission (FTC) has stated that colleges and universities are considered in compliance with the privacy provisions of GLB if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). The University has adopted comprehensive policies, standards, and guidelines relating to information security, including FERPA. Other related polices (www.clarku.edu) are incorporated by reference into this Information Security Plan, and include:

Policies

• FERPA
• PCI
• Red Flag
• Appropriate Use of Clark’s Information Technology System
• Data Access Policy
• Network-Related Policies