Introduction:

Rockhurst University recognizes the importance of safeguarding nonpublic personal information (NPI) in compliance with the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) Safeguards Rule (16 CFR Part 314), and the Family Educational Rights and Privacy Act (FERPA). This Information Security Program outlines the framework for establishing and maintaining an effective information security posture within the university while adhering to GLBA, FTC Safeguards Rule, and FERPA requirements. The program encompasses the policies, procedures, guidelines, and controls designed to mitigate information security risks and protect NPI and student educational records.

Scope:

This program applies to all individuals and entities associated with Rockhurst University who handle or have access to nonpublic personal information or student educational records, including faculty, staff, students, contractors, and any external parties with access to university systems, networks, or sensitive data.

Objectives:

The primary objectives of Rockhurst University's Information Security Program, which is designed to comply with GLBA, the FTC Safeguards Rule, and FERPA, are as follows:

  1. Protect the confidentiality, integrity, and availability of nonpublic personal information and student educational records.
  2. Ensure compliance with GLBA, FTC Safeguards Rule, and FERPA requirements.
  3. Minimize the risk of unauthorized access, disclosure, alteration, or destruction of NPI and student educational records.
  4. Promote awareness and education regarding information security best practices related to NPI and student data.
  5. Establish incident response procedures to promptly address and mitigate security incidents involving NPI and student educational records.

Information Security Governance:

Rockhurst University's information security governance framework incorporates GLBA, FTC Safeguards Rule, and FERPA requirements and includes the following elements:

  1. Information Security Steering Committee: A committee comprising key stakeholders responsible for overseeing and guiding the university's GLBA, FTC Safeguards Rule, and FERPA compliance initiatives.
  2. Information Security Officer (ISO): A designated individual responsible for implementing and managing the information security program and its compliance with GLBA, the FTC Safeguards Rule, and FERPA. This role is assigned to the Associate Vice President & CIO of Information Technology. This designation also fulfills the Safeguards Rule's requirement that an institution designate a Qualified Individual to oversee its information security program.
  3. Risk Management: Regular assessment and management of information security risks associated with NPI and student educational records through risk identification, analysis, evaluation, and treatment processes.
  4. Compliance Monitoring: Ongoing monitoring of compliance with GLBA, FTC Safeguards Rule, and FERPA requirements and with the associated policies, procedures, and controls.

Information Security Policies and Procedures:

Rockhurst University has established comprehensive policies and procedures to guide information security practices in compliance with GLBA, FTC Safeguards Rule, and FERPA requirements. These policies cover areas such as:

  1. Privacy Policy: A policy outlining the university's commitment to protecting the privacy of individuals' NPI and student educational records, and describing individuals' rights regarding the collection, use, and disclosure of such information.
  2. Risk Assessment and Management: Procedures for conducting risk assessments to identify and evaluate the risks to the security, confidentiality, and integrity of NPI and student educational records.
  3. Access Control: Procedures for granting, modifying, and revoking access privileges to systems and data containing NPI and student educational records based on job roles and responsibilities.
  4. Data Encryption: Requirements for encryption of NPI and student educational records in transit and at rest to protect against unauthorized disclosure.
  5. Incident Response: Procedures for detecting, reporting, assessing, and responding to security incidents involving NPI and student educational records promptly.
  6. Vendor Management: Procedures for evaluating and managing the security of third-party vendors and service providers who handle NPI or have access to student educational records.
  7. Employee Training and Awareness: Initiatives to educate employees about GLBA, FTC Safeguards Rule, and FERPA requirements, information security risks, and their responsibilities for protecting NPI and student data.

Information Security Controls:

Rockhurst University employs a range of technical and administrative controls to protect NPI and student educational records in compliance with GLBA, FTC Safeguards Rule, and FERPA requirements. These controls include but are not limited to:

  1. Access Controls: Implementing strong authentication mechanisms, least privilege principles, and regular access reviews to restrict access to NPI and student educational records.
  2. Data Classification and Handling: Clearly defining the classification of NPI and student data and implementing appropriate security measures based on the sensitivity of the information.
  3. Network Security: Utilizing firewalls, intrusion detection and prevention systems, and secure network configurations to protect against unauthorized access and network-based attacks.
  4. System Monitoring and Logging: Implementing robust monitoring and logging mechanisms to detect and respond to unauthorized access or suspicious activities involving NPI and student educational records.
  5. Physical Security: Implementing measures to safeguard physical access to facilities, data centers, and systems containing NPI and student data.
  6. Incident Response: Defining procedures for responding to security incidents involving NPI and student educational records, including containment, investigation, recovery, and reporting.
  7. Vendor Due Diligence: Conducting thorough assessments of third-party vendors' security controls to ensure they meet GLBA, FTC Safeguards Rule, and FERPA requirements.

Compliance and Audit:

Rockhurst University is committed to ongoing compliance with GLBA, FTC Safeguards Rule, and FERPA requirements. Regular audits and assessments are conducted to evaluate the effectiveness of the information security program and to verify compliance with these regulations.

Security Incident Reporting:

All members of the Rockhurst University community are encouraged to promptly report any suspected or confirmed security incidents or breaches involving NPI or student educational records to the ISO or the designated incident response team.

Program Review and Improvement:

This Information Security Program is subject to periodic review and updates to address evolving threats and technologies, changes to GLBA, FTC Safeguards Rule, and FERPA requirements, and other regulatory developments. Feedback and suggestions from the university community are essential for the continuous improvement of the program.

By implementing this Information Security Program, Rockhurst University aims to protect the confidentiality, integrity, and availability of nonpublic personal information and student educational records, and to fulfill its obligations under GLBA, the FTC Safeguards Rule, and FERPA.