Information Security Program

1.0 Overview

To protect critical information and data, and to comply with Federal Law and specifically GLB (16 CFR Part 314), the Office of Information Technology requires specific practices in the University information environment and institutional information security procedures.  These practices apply to all areas of the University and all third party contractors having access to University owned data, including food services and the book store.

2.0 Purpose

The objective of the Information Security Program is to (1) insure the security and confidentiality of customer [University] information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to any customer[1].

3.0 Scope

This security program is intended to comply with a number of federal and state laws.  Each of these laws has specific requirements which are satisfied by this security program.

16 CFR 314 –

16 CFR 314, also known as the Gramm-Leach-Bliley Act, sets forth several required elements for our security program.  These include:

  1. 16 CFR 314.4.a:  “Designate an employee or employees to coordinate your information security program.”  This employee will be the Director of Network Services.
  2. 16 CFR 314.4.b:  “Identify reasonably foreseeable internal or external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.  At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:  (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other system failures.”  This risk assessment is covered by section six of the Information Security Program.
  3. 16 CFR 314.4.c:  “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguard’s key controls, systems and procedures.”  These safeguards are delineated as sections one through five of the program.  Section six outlines the auditing that will take place to satisfy the regular testing requirement.
  4. 16 CFR 314.4.d:  “Oversee service providers, by:  (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) requiring your service providers by contract to implement and maintain such safeguards.”  ***HOW DO WE ADDRESS THIS***
  5. 16 CFR 314.4.e:  “Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program.”  Section six of the program includes a clause requiring annual reviews of this program.

DMCA –

In accordance with the Digital Millennium Copyright Act, Clarkson University has designated an agent to receive notifications of alleged copyright infringement occurring on the Clarkson University computer network.  Clarkson University’s response to notices of alleged infringement that comply with the DMCA [Title 17, United States Code, Section 512(c)(3)(A)] will include removal of or blocked access to the material named in the infringement notification.  All other procedures outlined in the Copyright Policy will be followed.

NYS Information Security Breach and Notification Act (NYSISBNA) –

In accordance with the requirements set forth in the NYSISBNA, the University will disclose any breach of the security of a system containing private information[2] following discovery or notification of the breach to any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.  The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.  In accordance with the NYSISBNA, the required notification may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation.  If such a determination has been made, then notification shall take place after such law enforcement agency determines that such notification does not compromise such investigation.  Additionally, notification of the breach will be made to the New York State Consumer Protection Board, NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), and the New York State Attorney General using the methods outlined by the NYS Office of CSCIC.

Family Educational Rights and Privacy Act (FERPA) –

The Family Educational Rights and Privacy Act (FERPA) (20 USC 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records.  This law gives parents certain rights with respect to their children’s education records.  These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.  Students to whom the rights have transferred are “eligible students.”  The rights of eligible students are outlined as part of the Clarkson University Student Regulations (VIII-I).

Technology, Education and Copyright Harmonization Act (TEACH) –

TEACH says that it is not copyright infringement for teachers and students at an accredited, nonprofit educational institution to transmit performances and displays of copyrighted works as part of a course if certain conditions are met.  If these conditions are not met or cannot be met, use of the material will have to qualify as fair use, or permission from the copyright holder(s) must be obtained.  The guidelines for University compliance in this area are outlined as part of the Copyright Policy.

4.0 Program Structure

There are a number of steps that should be taken to maintain the security of University computing resources.  For an overview of the program, please see the Clarkson University Information Security Program Framework diagram.

4.1 Physical Layer

A vital component of an effective computer and data security plan involves preventing unauthorized persons from physically accessing the data or computer in question.  This component will frequently involve locked doors, security cables for equipment, etc.  All guidelines set forth in the Physical Security Policy shall be followed at all times.

4.2 Network Layer

Once physical access to the computer or data is secured, it is equally important to prevent intrusions from the network.  This component will include directives relating to desktops, servers and communications equipment.  All guidelines set forth in the Network Security Policy shall be followed at all times.

4.3 Application Layer

This component of the security plan includes details regarding email retention, patching procedures, and required software settings.  All guidelines set forth in the Application Security Policy shall be followed at all times.

4.4 User Layer

Without effective user education and password policies, most other security measures are undertaken in vain.  With this in mind, all guidelines set forth in the User Security Policy shall be followed at all times.

4.5 Data Layer

4.6 Auditing

A regular audit should be performed by the Security Engineer to ensure compliance with the items listed in this policy.  This audit may include network scans for vulnerable machines, random spot-checks of servers, etc.  It should be performed no less than once per year.

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including dismissal.

6.0 Definitions

7.0 Revision History

Draft Policy v0.1 – 19 April 2005 – jfiske

Draft Policy v0.2 – 21 April 2005 – jfiske

Draft Policy v0.3 – 05 July 2005 – jfiske

Draft Policy v0.4 – 02 Aug 2005 – jfiske

Draft Policy v0.5 – 06 Jan 2006 – jfiske

Draft Policy v0.6 – 03 Feb 2006 – jfiske

Draft Policy v0.7 – 18 Apr 2006 – jfiske


[1] 16 CFR § 314.3

[2] NYSISBNA defines private information as “personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or data element is not encrypted, or encrypted with an encryption key that has also been acquired:  (1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”