Union Theological Seminary is required by the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations at 16 CFR Part 314, to implement and maintain a comprehensive written Information Security Program (“ISP”) and to appoint a coordinator for the program. The objectives of the ISP are to (1) insure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to customers.
This ISP is in addition to existing Union Theological Seminary policies and procedures that address various aspects of information privacy and security, including but not limited to, the Student Privacy Rights Policy (Family Educational Rights and Privacy Act Policy), the Information Security Policy, and the Computing Policy.
Union Theological Seminary has designated the Director of Information Technology as its ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP.
“Covered information” means nonpublic personal information about a student or other third party who has a continuing relationship with UTS, where such information is obtained in connection with the provision of a financial service or product by UTS, and that is maintained by UTS or on UTS’s behalf. Nonpublic personal information includes students’ names, addresses and social security numbers as well as students’ and parents’ financial information. Covered information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.
Elements of the ISP
1. Risk Identification and Assessment.
UTS’s ISP identifies and assesses external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The ISP Coordinator will provide guidance to appropriate personnel in the central administration, academic units, and other university units in evaluating their current practices and procedures and in assessing reasonably anticipated risks to covered information in their respective areas. The ISP Coordinator will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
- Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered information.
- Information Systems. The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to covered information associated with the university’s information systems, including network and software design as well as information processing, storage, transmission and disposal.
- Detecting, Preventing and Responding to Attacks and System Failures The ISP Coordinator will coordinate with the appropriate personnel or consulting group to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures.
2. Designing and Implementing Safeguards.
The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
3. Overseeing Service Providers.
The ISP Coordinator, in conjunction with Vice President for Finance and Operations, and appropriate contractors, will assist in instituting methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for covered information. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
4. Adjustments to Program.
The ISP Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to UTS’s operations or other circumstances that may have a material impact on the ISP.