1611 Program for the Security of Customer Financial and Related Data

Responsible Official: 
Chief Information Security Officer
Responsible Office: 
Information Technology Services and Office of the General Counsel
Effective Date: 
November 1, 2011
Revision Date: 
January 31, 2014

Scope

This policy applies to all Yale faculty and staff members with access to information that Yale obtains from students or others in the course of offering a financial product or service.

Reason for the Policy

In order to continue to protect private information and comply with federal law, the University has adopted an Information Security Program (“the Program”) for certain financial and related information. The Program applies to customer financial information the University receives in the course of business and other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope (“covered data”). This Program document provides an outline of the safeguards that apply to covered data.

Definitions

“Covered data” means information protected by the Gramm-Leach-Bliley Act (“GLBA”) and financial information that the University, as a matter of policy, has included within the scope of the Program. Covered data includes information obtained from a student or other customer of the University in the course of offering a financial product or service, or such information provided to the University from another institution.

“Offering a financial product or service” includes offering student loans, receiving income tax information from a current or prospective student’s parents as a part of a financial aid application, offering credit or interest bearing loans, and other financial services as defined in 12 CFR § 225.28.

Examples of financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers. “Covered data” consists of both paper and electronic records that are handled by the University or its affiliates.

“Service Providers” refers to all third parties to which the University offers access to covered data in the ordinary course of business. For example, service providers may include businesses retained to transport and dispose of covered data, collection agencies, and systems support providers.

Policy Sections

1611.1 Security Program Components

The Gram-Leach-Bliley Act (GLBA) requires the University to develop, implement and maintain an information security program containing the administrative, technical and physical safeguards that are appropriate based upon the University’s size, complexity and the nature of its activities. The Program has five components:

  1. designating an employee or office responsible for coordinating the program;
  2.  conducting risk assessments to identify reasonably foreseeable security and privacy risks;
  3.  ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored;
  4.  overseeing service providers, and
  5.  maintaining and adjusting the Program based upon the results of testing and monitoring and changes in operations or operating systems.

1611.2 Customer Information Security Officer

The Customer Information Security Officer (“CISO”) is responsible for implementing this Information Security Program. The CISO is presently the Chief Information Security Officer. The CISO, or designee, will work with the Office of the General Counsel, Information Technology Services, Student Financial Services, and other offices and units as necessary to implement the Program.

The CISO will consult with responsible offices to identify units and areas of the University with access to covered data. The CISO will conduct a survey or utilize other reasonable measures to confirm that areas with covered data are included within the scope of the Program. The CISO will maintain a list of areas and units of the University with access to covered data.

The CISO will ensure that risk assessments and monitoring, as set forth in sections V and VI below, are carried out for each unit or area that has covered data and that appropriate controls are in place for the identified risks. The CISO may require units with substantial access to covered data to further develop and implement comprehensive security plans specific to those units and to provide copies of the plan documents. The CISO may designate responsible parties in each area or unit to carry out activities necessary to implement the Program.

The CISO will work with responsible parties to ensure that all employees with access to covered data are adequately trained. The CISO will, in consultation with other University offices, verify that policies, standards and guidelines that provide for the security of covered data are adequate. The CISO will make recommendations for revisions to policy, or the development of new policy, as appropriate.

The CISO will provide an annual report on the status of the Program to the Chief Information Officer, University Audit, and the Office of the General Counsel. These reports may include copies of any unit-specific security plans, current risk assessments for each unit with access to covered data, a statement on the controls in place to mitigate those risks and the effectiveness of those controls, summaries of monitoring activities, actions taken or to be taken to correct any security concerns identified through monitoring, and such other information as required to provide assurance that the Program is implemented and maintained.

The CISO will update the Program, including this and related documents, from time to time. The CISO will maintain a written security plan containing the elements set forth above in Section III at all times and make the plan available to the University community.

1611.3 Risk Assessment

The Program will identify reasonably foreseeable risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, or destruction of covered data and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include consideration of risks in each area that has access to covered information. Risk assessments will include, but not be limited to, consideration of employee training and management; information systems, including network and software design, as well as information processing, storage, transmission and disposal; and systems for detecting, preventing, and responding to attacks, intrusions, or other system failures.

1611.4 Information Safeguards and Monitoring

The Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above in Section V. The CISO will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data.

A. Information Systems

Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal.

Network and software systems will be reasonably designed to limit the risk of unauthorized access to covered data. This may include designing limitations to access, and maintaining appropriate screening programs to detect computer hackers and viruses and implementing security patches.

B. Managing System Failures

The University will maintain effective systems to prevent, detect, and respond to attacks, intrusions and other system failures.

C. Monitoring and Testing

The University will regularly test and monitor the effectiveness of information security safeguards to reasonably ensure that safeguards are being followed and to detect and correct breakdowns in security. The level of monitoring will be appropriate to the potential impact and probability of the risks identified, as well as the sensitivity of the covered data.

D. Reporting

The CISO will provide a report on the status of the information safeguards and monitoring implemented for covered data as described in Section IV.

1611.5 Service Providers

In the course of business, the University may from time to time share covered data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents or equipment, or similar services. The Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the covered data at issue and to require service providers by contract to implement and maintain such safeguards.

The CISO, by survey or other reasonable means, will identify service providers who are provided access to covered data. The CISO will work with the Office of the General Counsel and other offices to ensure that service provider contracts contain appropriate terms to protect the security of covered data.

1611.6 Program Maintenance

The CISO, working with responsible units and offices, will evaluate and adjust the Program in light of the results of the testing and monitoring described in Section VI, as well as any material changes to operations or business arrangements, and any other circumstances which may reasonably have an impact on the Program.

This Program document will be reviewed at least annually by the CISO and the Office of the General Counsel.

1611.7 Roles and Responsibilities

Deans, Director, Department Heads and other Managers: The dean, department head, director or other manager responsible for managing employees with access to covered data will designate a contact to work with the CISO to assist in implementing the Program. The designated contact will ensure that risk assessments are carried out for that unit and that monitoring based upon those risks takes place. The designated contact will report at least annually to the CISO on the status of the Program for covered data accessible in that unit.

Employees with Access to Covered Data: Employees with access to covered data must abide by University policies and procedures governing covered data, as well as any additional practices or procedures established by their unit heads or directors.

Customer Information Security Officer: The CISO is responsible for implementing the Program.

Chief Information Officer: The Chief Information Officer will designate individuals who have the responsibility and authority for information technology resources; establish and disseminate enforceable rules regarding access to and acceptable use of information technology resources; establish reasonable security policies and measures to protect data and systems; monitor and manage system resource usage; investigate problems and alleged violations of University information technology policies; and refer violations to appropriate University offices such as the Office of the General Counsel and the University Police Department for resolution or disciplinary action.