Update: September 2019

Reason for Policy: 

This Information Security Plan (“Plan”) describes safeguards implemented by Clayton State University to protect information and the information systems in compliance with the FTC’s Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA). These safeguards are provided to:

  • Ensure the security and confidentiality of the information and the information systems;
  • Protect against anticipated threats or hazards to the security or integrity of such information and the information systems; and
  • Protect against unauthorized access to or use of information and the information systems that could result in substantial harm or inconvenience to any customer.

This Information Security Program also identifies mechanisms to:

  • Identify and assess the risks that may threaten information and the information systems maintained by Clayton State University;
  • Develop written policies and procedures to manage and control these risks;
  • Implement and review the program; and
  • Adjust the program to reflect changes in technology, the sensitivity of covered data and information, and internal or external threats to information security.

Policy Statement: 

GLBA mandates that the Institution appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to information and the information systems, obtain security assessments from service providers and vendors, and evaluate and adjust the Information Security Program periodically.

Information Security Program Coordinator(s)

Chief Data Officer Jim Flowers has been appointed as the coordinator of this Program at Clayton State University. The coordinator is responsible for assessing the risks associated with unauthorized transfers of information and the information systems and for implementing procedures to minimize those risks to the Institution. University System of Georgia (USG) Audit personnel will also conduct reviews of areas that have access to information and the information systems to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security policies and practices delineated in this program.

Identification and Assessment of Risks to Customer Information

Clayton State University recognizes that it is exposed to both internal and external risks, including but not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the information and the information systems
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of information during transmission
  • Loss of information integrity
  • Physical loss of information in a disaster
  • Errors introduced into the information systems
  • Corruption of information and the information systems
  • Unauthorized access to information and the information systems by employees
  • Unauthorized requests for information and the information systems
  • Unauthorized access through hard-copy files or reports
  • Unauthorized transfer of information and the information systems through third parties

Recognizing that this may not represent a complete list of the risks associated with the protection of information and the information systems, and that new risks are created regularly, Clayton State Information Security will actively participate in and monitor appropriate cybersecurity advisory groups (if applicable) for the identification of risks.

Current safeguards implemented, monitored, and maintained by Clayton State Information Security are reasonable and, in light of current risk assessments, are sufficient to provide security and confidentiality to information and the information systems maintained by the Institution. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information and the information systems.

Employee Management and Training

References and/or background checks (as appropriate, depending on position) are performed for new employees working in areas that regularly work with information and the information systems (e.g. Registrar, Admissions Office, Financial Aid, or Bursar). During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other information and the information systems. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard information and the information systems.

Physical Security:

Clayton State University has addressed the physical security of information and the information systems by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances, and transactional information are available only to Clayton State employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining information and the information systems is instructed to take steps to protect the information from destruction, loss, or damage due to environmental hazards, such as fire and water damage or technical failures.

Information Systems:

Access to information via the information system is limited to those employees and faculty who have a legitimate business reason to access such information. The Institution has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to Clayton State University’s information systems. These policies and procedures are listed in the Policy Terms and Procedures below.

Social security numbers are considered protected information under both the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA). As such, Clayton State University has discontinued the use of social security numbers as student identifiers in favor of the Laker-ID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.

Management of System Failures

Clayton State Information Security has developed written plans and procedures to detect any actual or attempted attacks on Clayton State University information systems and has an Incident Response Plan, which outlines procedures for responding to an actual or attempted unauthorized access to information and the information systems. This document is available upon request from the Information Security Officer.

Oversight of Service Providers

GLBA requires the Institution to take reasonable steps to select and retain service providers who maintain appropriate safeguards for information and the information systems. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Information Security Program Coordinator(s) will identify service providers who have or will have access to information and the information systems and will work with the Office of Information Technology Services, Office of Business and Operations, and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of the information.

Continuing Evaluation and Adjustment

This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation, and maintenance of the program will be the responsibility of the designated Information Security Officer (ISO), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Officer, in consultation with the Office of Information Technology Services and Office of Business and Operations, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.

Policy Terms: 

Covered data and information
for the purpose of this program includes student financial information (defined below) that is protected under the GLBA. In addition to this coverage, which is required under federal law, Clayton State University chooses as a matter of policy to include in this definition any and all sensitive data, including credit card information and checking/banking account information received in the course of business by the Institution, whether or not such information is covered by GLBA. Information and the information systems include both paper and electronic records.

Pretext calling
occurs when individual(s) attempt to improperly obtain personal information of Clayton State customers so as to be able to commit identity theft. It is accomplished by contacting the Institution, posing as a customer or someone authorized to have the customer’s information, and through the use of trickery and deceit (sometimes referred to as “social engineering”), convincing an employee of the Institution to release customer-identifying information.

Student financial information
Student financial information is that information that Clayton State University has obtained from a student or customer in the process of offering a financial product or service, or such information provided to the Institution by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student or parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers, in both paper and electronic format.

Procedures: 

Related Policies, Standards, and Guidelines

Clayton State University has adopted comprehensive policies, standards, and guidelines relating to information security, which are incorporated by reference into this Information Security Program. They include:

Policies

Standards

Upon approval, this policy shall be published on the Clayton State University website. The following offices and individuals shall be notified via email and/or in writing upon approval of the program and upon any subsequent revisions or amendments made to the original document:

  • Cabinet Members
  • Data Governance Committee
  • Functional Governance Committee
  • Technical Governance Committee

Related Information:

Gramm-Leach-Bliley Act
FTC: Rule–Standards for Safeguarding Customer Information (16 CFR Part 314)
FTC: Rule–Privacy of Consumer Financial Information (16 CFR Part 313)
FTC Guidance: Financial Institutions and Customer Information–Complying with the Safeguards Rule
FTC: Privacy Protection for customer information of financial institutions