CARNEGIE MELLON UNIVERSITY
Information Security Program Outline
Carnegie Mellon is required by the Gramm-Leach-Bliley Act ("GLBA") and its implementing regulations at 16 CFR Part 314, to implement and maintain a comprehensive written Information Security Program ("ISP") and to appoint a coordinator for the program. The objectives of the ISP are to (1) insure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to customers.
This ISP is in addition to existing Carnegie Mellon policies and procedures that address various aspects of information privacy and security, including but not limited to, the Student Privacy Rights Policy (Family Educational Rights and Privacy Act Policy), the Data and Computer Security Policy, and the Computing Policy.
Carnegie Mellon has designated the Vice Provost for Computing Services as its ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP.
"Covered information" means nonpublic personal information about a student or other third party who has a continuing relationship with Carnegie Mellon, where such information is obtained in connection with the provision of a financial service or product by Carnegie Mellon, and that is maintained by Carnegie Mellon or on Carnegie Mellon's behalf. Nonpublic personal information includes students' names, addresses and social security numbers as well as students' and parents' financial information. Covered information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.
Elements of the ISP
1. Risk Identification and Assessment. Carnegie Mellon intends through its ISP to identify and assess external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The ISP Coordinator will provide guidance to appropriate personnel in the central administration, academic units, and other university units in evaluating their current practices and procedures and in assessing reasonably anticipated risks to covered information in their respective areas. The ISP Coordinator will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
- Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered information.
- Information Systems. The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to covered information associated with the university's information systems, including network and software design as well as information processing, storage, transmission and disposal.
- Detecting, Preventing and Responding to Attacks and System Failures The ISP Coordinator will coordinate with the appropriate personnel to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures.
2. Designing and Implementing Safeguards. The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
3. Overseeing Service Providers. The ISP Coordinator, in conjunction with the Office of the General Counsel and with Carnegie Mellon Purchasing Services & Supplier Management, will assist in instituting methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for covered information. The ISP Coordinator will work with the Office of the General Counsel to develop and incorporate standard, contractual provisions for service providers that will require providers to implement and maintain appropriate safeguards. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA, provided that amendments to contracts entered into prior to June 24, 2002 are not required to be effective until May 2004.
4. Adjustments to Program. The ISP Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to Carnegie Mellon's operations or other circumstances that may have a material impact on the ISP.