Division of Finance

Gramm-Leach-Bliley Act

Statement of Policy and Procedures

Rensselaer Polytechnic Institute

Troy, New York 12180

CONTENTS

A. Introduction

B. Definitions

C. Designation of Representatives

D. Scope of Program

E. Elements of the Program

A. INTRODUCTION

This document summarizes Rensselaer Polytechnic Institute’s (the Institute) comprehensive written information security policies and procedures mandated by the Federal Trade Commission’s Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act. Reference to the Institute in this document includes both the Troy and Hartford campuses. In particular, this document describes the policies pursuant to which the Institute intends to (1) ensure the security and confidentiality of covered records, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to customers.

These policies are in addition to those required by other federal and state laws and regulations, including the Family Educational Rights and Privacy Act (FERPA).


B. DEFINITIONS

For the purposes of this policy, Rensselaer has used the following definitions of terms.

Student – An individual who is receiving or has received instruction in any program on or off campus, including any activity which is evaluated towards a grade. The term does not apply to an individual prior to or subsequent to that individual’s period of attendance at the Institute, such as a candidate for admission or an alumnus or alumna.

Covered Data – All information required to be protected under the Gramm-Leach-Bliley Act (“GLB Act”). “Covered data” also refers to financial information that the Institute, as a matter of policy, has included within the scope of these policies. Covered data includes information obtained from a student in the course of offering a financial product or service, or such information provided to the Institute from another institution. “Offering a financial product or service” includes offering student loans, receiving income tax information from a current or prospective student’s parents as part of a financial aid application, offering credit or interest bearing loans, and other miscellaneous financial services as defined in 12 CFR 225.28. Examples of student financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers. “Covered data” consists of both paper and electronic records that are handled by the Institute and its affiliates.

Service Providers – All third parties who, in the ordinary course of Institute business, are provided access to covered data. Service providers may include businesses retained to transport and dispose of covered data, collection agencies, systems support providers, loan servicers, lockbox handlers, installment plan providers and consultants.

Personal Identifier – Any data or information that relates a record to an individual student. This includes name, the name of parents or other family members, address, social security number, any other number or symbol which identifies the student, a list of personal characteristics, or any other information which would make the student’s identity known and can be used to label a record as the individual student’s.

C. DESIGNATION OF REPRESENTATIVES

The Institute’s Bursar is designated as the Program Officer who shall be responsible for coordinating and overseeing the Information Security Program (the Program). The Program Officer or designee will work closely with the Division of the Chief Information Officer, Student Records and Financial Services, the Division of Human Resources, General Counsel and other offices and units to implement and maintain this Program.

The Program Officer will consult with the responsible offices to identify units and areas of the Institute with access to covered data. As part of this Information Security Program, the Officer has identified units and areas of RPI with access to covered data. The Officer will conduct a survey, or utilize other reasonable measures, to confirm that all areas with covered information are included within the scope of this program. The Officer will maintain a list of areas and units of RPI with access to covered data.

The Officer will ensure that risk assessments and monitoring, as set forth in Section E of this document, are carried out for each unit or area that has covered data and that appropriate controls are in place for the identified risks. The Officer may require units with substantial access to covered data to further develop and implement comprehensive security plans specific to those units and to provide copies of the plan documents. The Officer may designate, as appropriate, responsible parties in each area or unit to carry out activities necessary to implement this Program.

The Officer will work with the responsible parties to ensure that adequate training and education are developed and delivered for all employees with access to covered data. The Officer will, in consultation with other Institute offices, verify that existing policies, standards and guidelines that provide for the security of covered data are reviewed and adequate. The Officer will make recommendations for revisions to policy, or for the development of new policy, as appropriate.

D. SCOPE OF PROGRAM

The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institute, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the Institute or its affiliates. For these purposes, the term nonpublic financial information means any information (1) a student or other third party provides in order to obtain a financial service from the Institute, (2) about a student or other third party resulting from any transaction with the Institute involving a financial service, or (3) otherwise obtained about a student or other third party in connection with providing a financial service to that person.

E. ELEMENTS OF THE PROGRAM

1. Risk Identification and Assessment

The Program Officer will work with all relevant departments to identify reasonably foreseeable external and internal risks to the security, confidentiality and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and to assess the sufficiency of any safeguards in place to mitigate these risks. Risk assessment will include, but not be limited to, consideration of employee training and management; information systems, including network and software design, as well as information processing, storage, transmission and disposal; and systems for detecting, preventing and responding to attacks, intrusions or other system failures.

The Program Officer will work with relevant departments to carry out comprehensive risk assessments. Risk assessments will address system-wide risks as well as risks unique to each area with covered data. The Program Officer will ensure that risk assessments are conducted at least annually, and more frequently where required. The Program Officer may identify a responsible party from the Division of the Chief Information Officer to conduct the system-wide risk assessment. The Program Officer may identify a responsible party in each unit with access to covered data to conduct the unit risk assessment considering the factors set forth above, or may employ other reasonable means to identify risks to the security, confidentiality and integrity of covered data in each area of the Institute with covered data.

The Program Officer will provide copies of complete and current risk assessments for Institute wide and unit specific risks at least annually.

2. Designing and Implementing Safeguards.

The Program Officer will implement safeguards to control the risks identified and will regularly test or otherwise monitor the effectiveness of those safeguards. This testing and monitoring may be accomplished through existing network monitoring and procedures. The Information Security Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. The Program Officer will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data.

Such safeguards and monitoring will include the following:

2.1 Employee Management and Training

Safeguards for security will include management and training of those individuals with authorized access to covered data. RPI has adopted comprehensive policies, standards and guidelines setting forth the procedures and recommendations for preserving the security of private information, including covered data.

The Program Officer will work with other responsible offices and units to identify categories of employees, and others, who have access to covered data. The Officer will ensure that appropriate training and education is provided to all employees who have access to covered data. Such training will include education on relevant policies and procedures and on other safeguards in place or developed to protect covered data. Training and education may also include newsletters, promotions or other programs to increase awareness of the importance of preserving the confidentiality and security of confidential data.

Other safeguards will also be used, as appropriate, including: job-specific training on maintaining security and confidentiality; requiring user-specific passwords and periodic changes to those passwords; limiting access to covered data to those with a business need for that information; requiring signed certification of responsibilities prior to authorizing access to systems with covered data; requiring signed releases for disclosure of covered data; establishing methods for prompt reporting of loss or theft of covered data or of media on which covered data may be stored; and other measures that provide reasonable safeguards based on the risks identified.

2.2 Information systems

Information systems include network and software design, as well as information processing, storage, transmission, retrieval and disposal.

Network and software systems will be reasonably designed to limit the risk of unauthorized access to data. This may include designing limitations on access, maintaining appropriate screening programs to detect intruders and viruses, and implementing security patches.

Safeguards for information processing, storage, transmission, retrieval and disposal may include: requiring that electronic covered data be entered into a secure, password-protected system; using secure connections to transmit data outside RPI; using secure servers; ensuring covered data is not stored on transportable media such as floppy disks or Zip disks; permanently erasing covered data from computers, disks, magnetic tapes, hard drives or other electronic media before reselling, transferring, recycling or disposing of them; storing physical records in a secure area and limiting access to that area; providing safeguards to protect covered data and systems from physical hazards such as fire or water damage; disposing of outdated records under a document disposal policy; shredding confidential paper records before disposal; maintaining an inventory of servers and computers holding covered data; and other reasonable measures to secure covered data throughout the life cycle of RPI’s possession or control.

2.3 Managing System Failures

RPI will maintain effective systems to prevent, detect and respond to attacks, intrusions and other system failures. Such systems may include maintaining and running current anti-virus software; checking with software vendors and others to regularly obtain and install patches that correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data to threats to security; imaging documents and shredding the paper copies; backing up data regularly and storing backups off site; and other reasonable measures to protect the integrity and safety of information systems.

2.4 Monitoring and Testing

Monitoring systems will be implemented to regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to swiftly detect and correct any breakdowns in security. The level of monitoring will be appropriate to the potential impact and probability of the risks identified, as well as to the sensitivity of the information involved. Monitoring may include sampling, system checks, reports on access to systems, reviews of logs, audits and any other reasonable measures adequate to verify that Information Security Program controls, systems and procedures are working.

3. Overseeing Service Providers.

The Program Officer shall coordinate with those responsible for third-party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which they have access. In addition, the Program Officer will work with General Counsel or other designated Institute officials to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. These standards shall apply to all existing and future contracts entered into with such third-party service providers, provided that amendments to contracts entered into prior to June 24, 2002 are not required to be effective until May 2004.

4. Adjustments to the Program.

The Program Officer is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as on any material changes to the Institute’s operations or other circumstances that may have a material impact on the Program.

5. Roles and Responsibilities

Program Officer. The Program Officer is responsible for implementing and monitoring the provisions of this Information Security Plan.

Deans, Directors, Department Heads and other Managers. The dean, department head, director or other manager responsible for managing employees with access to covered data will designate a responsible contact to work with the Program Officer to assist in implementing this Program. The designated contact will ensure that risk assessments are carried out for that unit and that monitoring based upon those risks takes place. The designated contact will report the status of the Information Security Program for covered data accessible in that unit to the Program Officer at least annually, and more frequently as appropriate.

Employees with access to covered data. Employees with access to covered data must abide by RPI policies and procedures governing data, as well as any additional practices or procedures established by their unit heads or directors.

Chief Information Officer (CIO). The CIO acts as the liaison for the President and the Cabinet to the Institute community and is responsible for overseeing the management of Institute information resources and security.

6. Policies, Standards and Guidelines

The Institute has adopted comprehensive standards and guidelines relating to information security. They are incorporated into this Program by reference and are available at the following web sites:

Data Warehouse Data:
http://www.rpi.edu/datawarehouse/docs/DW-Data-Policy-20030110.pdf

Electronic Citizenship Policy:
http://www.rpi.edu/web/comec/

RCS Conditions of Use:
http://www.rpi.edu/dept/sipp/Public/RCSconditionsofuse.html

Strategic Information Policy and Planning (SIPP):
http://www.rpi.edu/dept/sipp/