Gramm Leach Bliley Act (GLBA) Information Security Plan

This Information Security Plan (“Plan”) describes Maricopa Community College District’s safeguards to protect information and data in compliance (“Protected Information”) with the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. Section 6801. These safeguards are provided to:

• Protect the security and confidentiality of Protected Information;
• Protect against anticipated threats or hazards to the security or integrity of such information; and
• Protect against unauthorized access to or use of Protected Information that could result in substantial harm or inconvenience to any customer.

This Information Security Plan also provides for mechanisms to:

• Identify and assess the risks that may threaten Protected Information maintained by Maricopa Community Colleges;
• Designate employees responsible for coordinating the program;
• Design and implement a safeguards program;
• Manage the selection of appropriate service providers;
• Adjust the plan to reflect changes in technology, the sensitivity of protected Information, and internal or external threats to information security; and
• Reference related policies, standards, and guidelines.

Identification and Assessment of Risks to Customer Information

Maricopa Community Colleges recognizes that it has both internal and external risks. These risks include, but are not limited to:

• Unauthorized access of Protected Information by someone other than the owner of the covered data and information
• Compromised system security as a result of system access by an unauthorized person
• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster
• Errors introduced into the system
• Corruption of data or systems
• Unauthorized access of covered data and information by employees
• Unauthorized requests for covered data and information
• Unauthorized access through hardcopy files or reports
• Unauthorized transfer of covered data and information through third parties

Maricopa Community Colleges recognizes that this may not be a complete list of the risks associated with the security of Protected Information. Since technology growth is not static, new risks are created regularly. Accordingly, the District Information Technology Services (ITS), the Office of Student Affairs, and other designated stakeholders will actively participate with and seek advice from district office, colleges, and community representatives for identification of new risks. Risk assessments include advisory review for mitigation, acceptance of risk, gap analysis, or other appropriate review based on outcomes of the risk assessment on an annual basis. Maricopa Community Colleges believe current safeguards used by the District’s Security and Technology Office are reasonable and, in light of current risk assessments, are sufficient to provide security and confidentiality to Protected Information maintained by the colleges and district.

Information Security Plan Coordinators

An advisory committee is responsible for the maintenance of information security and privacy. The advisory committee will include representatives from the departments primarily responsible for safeguarding Protected Information. Each department responsible for safeguarding Protected Information will provide an annual update report indicating the status of its safeguarding procedures. The advisory committee is responsible for assessing the risks associated with unauthorized transfers of Protected Information and implementing procedures to minimize those risks that are appropriate based upon severity, complexity, and the nature and scope of its activities.

Design and Implementation of Safeguards Program

Employee Management and Training

In accordance with MCCCD policies, standards, and guidelines, reference checking and background reviews are conducted for all new hires. During employee orientation, each new employee in departments that handle Protected Information are required to participate in several training sessions on the importance of confidentiality of Protected Information. Each new employee will also be trained in the proper use of computer information and passwords. Further, each department responsible for maintaining Protected Information will provide ongoing updates to respective staff. These training efforts should help minimize risk and safeguard covered data and information security.

Physical Security

Maricopa Community Colleges have addressed the physical security of Protected Information by limiting access to only those employees who have a business reason to know such information and requiring signed acknowledgement of the requirement to keep Protected Information private. Existing policies establish a procedure for the prompt reporting of the loss or theft of Protected Information. Offices and storage facilities that maintain Protected Information limit customer access and are appropriately secured. Paper documents that contain Protected Information are shredded at time of disposal.

Information Systems

Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal. Maricopa Community Colleges has policies, standards, and guidelines governing the use of electronic resources and firewall and wireless policies. Maricopa Community Colleges will take reasonable and appropriate steps consistent with current technological developments to make sure that all Protected Information is secure and to safeguard the integrity of records in storage and transmission. Maricopa Community Colleges will follow current policies for all electronic Protected Information by encrypting it for transit.

Management of System Failures

MCCCD will maintain effective systems to prevent, detect, and respond to attacks, intrusions and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with software vendors and others to regularly obtain and install patches to correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing back-up information off site, as well as other reasonable measures to protect the integrity and safety of information systems.

Selection of Appropriate Service Providers

Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that Maricopa Community Colleges determine not to provide on its own. In the process of choosing a service provider that will maintain or regularly access Protected Information, the evaluation process shall include the ability of the service provider to safeguard Protected Information. Contracts with service providers may include the following provisions:

• A requirement that the Protected Information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
• A requirement that the service provider have documented appropriate safeguards and controls (e.g. SOC2) to protect the Protected Information it receives, and that it must promptly report any security incidents that may affect MCCCD protected information;
• Where appropriate, a requirement that the service provider maintain certain types of insurance to cover potential liability in the event of a security incident;
• Where appropriate, a requirement that the service provider submit to audits of its information security and privacy policies, procedures and controls.

Continuing Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment, especially when due to the constantly changing technology and evolving risks. The Coordinators, in consultation with the Office of General Counsel, will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.

Policies, Standards and Guidelines (GLBA Audit Requirements)

MCCCD Written Information Security Plan

Information Security and Privacy Incident Response Plan

Policies

• MCCCD District Office Information Security
• Student Data and Data Handling
• Privacy Rights of Students
• Release of Student Information
• Fraud Prevention and Suspected Identity Theft
• Data Governance
• Use of Computer Software

Guidelines

• Student Educational Records – FERPA
• MCCCD Statement on Privacy
• Networking and Security
• Phishing
• Telecommuting and Best Practice
• Computer Software
• Security Terms
• FERPA and College Records