GLBA mandates that the Institute appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.
Information Security Program Coordinator(s)
The Associate Vice President of Financial Services and the Associate Vice President / Associate Vice Provost for Information Technology (CIO) have been appointed as the coordinators of this Program at Georgia Tech. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information, and implementing procedures to minimize those risks to the Institute. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security polices and practices delineated in this program.
Identification and Assessment of Risks to Customer Information
Georgia Tech recognizes that it is exposed to both internal and external risks, including but not limited to:
- Unauthorized access of covered data and information by someone other than the owner of the covered data and information
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of covered data and information by employees
- Unauthorized requests for covered data and information
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of covered data and information through third parties
Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, the Information Security Office within OIT will actively participate and monitor appropriate advisory groups such as the EDUCAUSE Security Institute, the Internet2 Security Working Group, the SANS Top Twenty risks list, and the National Institute of Standards and Technology (NIST) Computer Security Resource Center for identification of risks.
Current safeguards implemented, monitored and maintained by the OIT Information Security Office are reasonable, and in light of current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by the Institute. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.
Employee Management and Training
References and/or background checks (as appropriate, depending on position) of new employees working in areas that regularly work with covered data and information (e.g. Cashier‚Äôs Office, Financial Aid) are checked/performed. During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard covered data and information.
Georgia Tech has addressed the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to Georgia Tech employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.
Access to covered data and information via Georgia Tech‚Äôs computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. The Institute has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to Georgia Tech‚Äôs information systems. These policies and procedures, listed in Section 3 below, are available upon request from the Director, OIT Information Security.
Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). As such, Georgia Tech has discontinued the use of social security numbers as student identifiers in favor of the gtID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.
Management of System Failures
The Information Security Office within OIT has developed written plans and procedures to detect any actual or attempted attacks on Georgia Tech systems and has an Incident Response Plan which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This document is available upon request from the Director, OIT Information Security.
Oversight of Service Providers
GLB requires the Institute to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Security Program Coordinator(s) will identify service providers who have or will have access to covered data, and will work with the Office of Legal Affairs and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data.
Continuing Evaluation and Adjustment
This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinator(s), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s), in consultation with the Office of Legal Affairs, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.