MyGRCC
Menu

Information Security Program

I. Purpose

In order to continue to protect private information and data, and to comply with federal laws, Grand Rapids Community College has adopted this Information Security Program for certain highly critical and private financial and related information. This security program applies to user financial information ("covered data") the College receives in the course of business as required by federal laws, as well as other sensitive information the College has voluntarily chosen as a matter of policy or process to include within its scope. This document describes many of the activities the College currently undertakes, and will undertake, to maintain covered data according to legal and College requirements. This Information Security Program document is designed to provide an outline of the safeguards that apply to this information. The practices set forth in this document will be carried out by and impact diverse areas of the College.

II. Definitions

"Covered data" means all information required to be protected under the Gramm-Leach-Bliley Act ("GLBA"). "Covered data" also refers to financial information that the College, as a matter of policy, has included within the scope of this Information Security Program. Covered data includes information obtained from a student in the course of offering a financial product or service, or such information provided to the College from another institution. "Offering a financial product or service" includes offering student loans, receiving income tax information from a current or prospective student’s parents as a part of a financial aid application, offering credit or interest-bearing loans, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income/credit histories, and social security numbers. "Covered data" consists of both paper and electronic records that are handled by the College or its affiliates.

"Service Providers" refers to all third parties who, in the ordinary course of College business, are provided access to covered data. Service providers may include businesses retained to transport and dispose of covered data, collection agencies, and systems support providers.

III. Security Program Components

Pursuant to the GLBA, the College will develop, implement, and maintain a comprehensive information security program containing the administrative, technical and physical safeguards that are appropriate based upon the College’s size, complexity, and the nature of its activities. Regulations promulgated by the Department of Education require that the College’s Information Security Program contain the following components:

  1. That the College designate a qualified individual responsible for overseeing and implementing the Information Security Program.
  2. That the Information Security Program is based upon a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of user information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place.
  3. That provides for the design and implementation of safeguards to control the risks the College identifies through its risk assessment.
  4. That provides for the College to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
  5. That provides for the implementation of policies and procedures to ensure that personnel are able to enact the Information Security Program.
  6. That addresses how the College will oversee its information system service providers.
  7. That provides for the evaluation and adjustment of the Information Security Program in light of the results of testing and monitoring; any material changes to the College’s operations; the results of risk assessments; or any other circumstances the College knows or has reason to know may have a material impact on the Information Security Program.
  8. That addresses the establishment of an incident response plan.
  9. That provides for the qualified individual responsible for overseeing and implementing the Information Security Program to report at least annually to the College’s Board of Trustees on the Information Security Program.

IV. Security Program Coordinator

The Security Program Coordinator ("Coordinator") will be responsible for implementing and overseeing Information Security Program. The Coordinator is presently the Chief Information Officer / Vice President of Information Technology. The Coordinator, or where necessary, the Coordinator’s designee, will work closely with Information Technology, Financial Aid, Student Records, Human Resources, General Counsel, and other departments, offices and units to implement this Program.

The Coordinator will consult with responsible offices to identify areas of the College with access to covered data. As part of this Information Security Program, the Coordinator has identified areas of the College with access to covered data. The Coordinator will conduct a survey, or utilize other reasonable measures, to confirm that all areas with covered data are included within the scope of this Information Security Program. The Coordinator will maintain a list of areas of the College with access to covered data.

The Coordinator will ensure that risk assessments and monitoring, as set forth in subsequent Sections of this Program, are carried out for each unit or area that has covered data, and that appropriate controls are in place for the identified risks. The Coordinator may require units with substantial access to covered data to further develop and implement comprehensive security plans specific to those units and to

provide copies of the plan documents. The Coordinator may designate, as appropriate, responsible parties in each area or unit to carry out activities necessary to implement this Information Security Program.

The Coordinator will work with responsible parties to ensure adequate training and education is developed and delivered for all employees with access to covered data. The Coordinator will, in consultation with other College offices, verify that existing policies, standards and guidelines that provide for the security of covered data are reviewed and adequate. The Coordinator will make recommendations for revisions to policy, or the development of new policy, as appropriate.

The Coordinator will report annually on the status of the Information Security Program to the College’s Board of Trustees. The Coordinator may report to the Board of Trustees more frequently, as necessary or requested.

The Coordinator will regularly review the Information Security Program, including this and related documents, and will update those documents as necessary.

V. Risk Assessment

The Information Security Program will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or otherwise compromise such information, and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include consideration of risks in each area that has access to covered information. Risk assessments will include, but not be limited to, consideration of employee training and management; information systems, including network and software design, as well as information processing, storage, transmission and disposal; and systems for detecting, preventing, and responding to attacks, intrusions, or other system failures.

The Coordinator will work with all relevant areas to carry out comprehensive risk assessments. Risk assessments will include system-wide risks, as well as risks unique to each area with covered data. The Coordinator will ensure that risk assessments are conducted at least annually, and more frequently where required. The Coordinator may identify a responsible party from the Office of Information Technology to conduct the system-wide risk assessment. The Coordinator may identify a responsible party in each unit with access to covered data to conduct the risk assessment considering the factors set forth above, or employ other reasonable means to identify risks to the security, confidentiality and integrity of covered data in each area of the College with covered data.

VI. Information Safeguards and Monitoring

The Information Security Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above in Section V. The Coordinator will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data. Such safeguards and monitoring will include the following:

A. Employee Management and Training

Safeguards for security will include management and training of those individuals with authorized access to covered data. The College has adopted comprehensive policies, standards and guidelines setting forth the procedures and recommendations for preserving the security of private information, including covered data. These are set forth in Section X.

The Coordinator will, working with other responsible offices and units, identify categories of employees or others who have access to covered data. The Coordinator will ensure that appropriate training and education is provided to all employees who have access to covered data. Such training will include education on relevant policies and procedures and other safeguards in place or developed to protect covered data. Training and education may also include communications, promotions or other programs to increase awareness of the importance preserving the confidentiality and security of confidential data.

Other safeguards will also be used, as appropriate, including job-specific training relating to maintaining security and confidentiality; requiring user-specific passwords and required periodic changes to those passwords; limiting access to covered data to those with a business need for access to information; requiring signed certification of responsibilities prior to authorizing access to systems with covered data; requiring signed releases for disclosure of covered data; establishing methods for prompt reporting of loss or theft of covered data or media upon which covered data may be stored; and other measures that provide reasonable safeguards based upon the risks identified.

B. Information Systems

Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal.

Network and software systems will be reasonably designed to limit the risk of unauthorized access to covered data. This may include designing limitations to access, and maintaining appropriate screening programs to detect computer hackers and viruses and implementing security patches.

Safeguards for information processing, storage, transmission, retrieval and disposal may include: requiring electronic covered data be entered into a secure, password-protected system; using secure connections to transmit data outside the College; using secure servers; ensuring covered data is not stored on transportable media (floppy drives, zip drives, etc); permanently erasing covered data from computers, diskettes, magnetic tapes, hard drives, or other electronic media before re-selling, transferring, recycling, or disposing of them; storing physical records in a secure area and limiting access to that area; providing safeguards to protect covered data and systems from physical hazards such as fire or water damage; disposing of outdated records under a document disposal policy; shredding confidential paper records before disposal; maintaining an inventory of servers or computers with covered data; and other reasonable measures to secure covered data during its life cycle in the College’s possession or control.

C. Managing System Failures

The College will maintain effective systems to prevent, detect, and respond to attacks, intrusions and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with software vendors and others to regularly obtain and installing patches to correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing backup information off site, as well as other reasonable measures to protect the integrity and safety of information systems.

D. Monitoring, Testing and Adjustments

Monitoring systems will be implemented to regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to swiftly detect and correct breakdowns in security. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided. Monitoring may include sampling, system checks, reports of access to systems, reviews of logs, audits, and any other reasonable measures adequate to verify that Information Security Program’s controls, systems and procedures are working.

The Coordinator will regularly evaluate, and where necessary, adjust the Information Security Program based upon the results of testing and monitoring; any material changes to the College’s operations; the results of risk assessments; or any other circumstances the Coordinator or College knows or has reason to know may have a material impact on the Program.

E. Reporting

The Coordinator report at least annually on the status of the information safeguards and monitoring implemented for covered data as described in Section IV.

VII. Service Providers

In the course of business, the College may from time to time appropriately share covered data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents or equipment, or other similar services. This Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the user information at issue and requiring service providers by contract to implement and maintain such safeguards.

The Coordinator, by survey or other reasonable means, will identify service providers who are provided access to covered data. The Coordinator will work with the Office of General Counsel, and other offices as appropriate, to make certain that service provider contracts contain appropriate terms to protect the security of covered data.

VIII. Program Maintenance

The Coordinator, working with responsible units and offices, will evaluate and adjust the Information Security Program in light of the results of testing and monitoring described in Section VI, as well as any material changes to operations or business arrangements, and any other circumstances which may reasonably have an impact on the Information Security Program.

This Information Security Program document will be reviewed at least annually by the Coordinator and the College’s Chief Information Security Officer.

IX. Incident Response Plan

The College has developed an Incident Response Plan and corresponding Incident Response Team related to any unauthorized access or breach regarding covered data. The Incident Response Team is authorized to take appropriate steps to contain, mitigate or resolve any incident involving any unauthorized access to, or breach regarding, covered data. The Incident Response Team is also responsible for investigating suspicious activity and reporting any findings to management, appropriate departments, affected individuals, authorities and others as necessary.

The Coordinator serves as a member of the Incident Response Team.

X. Roles and Responsibilities

Deans, Director, Department Heads and other Managers. The Dean, Department Head, Program Director or other manager responsible for managing employees with access to "covered data" will designate a responsible contact to work with the Coordinator to assist in implementing this program. The designated contact will ensure that risk assessments are carried out for that unit and that monitoring based upon those risks takes place. The designated responsible contact will report the status of the Information Security Program for covered data accessible in that unit to the Coordinator at least annually, and more frequently where appropriate.

Data Governance Council. Cross-functional team comprised of critical data owners and led by the Director of Institutional Research that helps operationalize the directives of executive leadership, provides recommendation to executive leadership on needed efforts, leads data change management efforts, establishes policy and procedures for effective data management, and collaborates to ensure common understanding, security, and responsible usage of institutional data.

Employees with Access to Covered Data. Employees with access to covered data must abide by College policies and procedures governing covered data, as well as any additional practices or procedures established by their unit heads or directors.

Security Program Coordinator. The Security Program Coordinator is responsible for implementing the provisions of this Information Security Plan.

XI. Policies, Standards and Guidelines

The College has adopted policies, standards, and guidelines relating to information security. They are incorporated by reference into this Information Security Plan, and include:

A. Policies

  • 3.6 – Records Management
  • 3.10 - DRAFT Data Governance Policy
  • 6.18 – Acceptable Use of Technology
  • 15.1 – Personally Identifiable Information
  • 15.3 – Web & Digital Content

B. Standards and Guidelines

In addition to the policies referenced above, a list of applicable internal standards and guidelines is maintained within the IT Division. Additional information regarding internal standards and guidelines may be obtained by contacting the Office of the Chief Information Officer

Transfer