This Information Security Plan (“Plan”) describes Arizona State University’s safeguards to protect information and data in compliance (“Protected Information”) with the Financial Services Modernization Act of 1999, also known as the Gramm Leach Bliley Act, 15 U.S.C. Section 6801. These safeguards are provided to:
This Information Security Plan also provides for mechanisms to:
Arizona State University recognizes that it has both internal and external risks. These risks include, but are not limited to:
Arizona State University recognizes that this may not be a complete list of the risks associated with the protection of Protected Information. Since technology growth is not static, new risks are created regularly. Accordingly, the University Technology Office and the Office of Student Affairs will actively participate with and seek advice from an advisory committee made up of university representatives for identification of new risks. Arizona State University believes current safeguards used by the University Technology Office are reasonable and, in light of current risk assessments are sufficient to provide security and confidentiality to Protected Information maintained by the University.
The University Technology Officer, in consultation with an advisory committee, is responsible for the maintenance of information security and privacy. The advisory committee will include representatives from the departments primarily responsible for safeguarding Protected Information. Each department responsible for safeguarding Protected Information will provide an annual update report indicating the status of its safeguarding procedures. The Coordinators, in conjunction with the advisory committee, are responsible for assessing the risks associated with unauthorized transfers of Protected Information and implementing procedures to minimize those risks that are appropriate based upon the University’s size, complexity and the nature and scope of its activities.
In accordance with University policies, standards, and guidelines, reference checking and background reviews will be conducted when deemed appropriate. During employee orientation, each new employee in departments that handle Protected Information will receive proper training on the importance of confidentiality of Protected Information. Each new employee will also be trained in the proper use of computer information and passwords. Further, each department responsible for maintaining Protected Information will provide ongoing updates to its staff. These training efforts should help minimize risk and safeguard covered data and information security.
Arizona State University has addressed the physical security of Protected Information by limiting access to only those employees who have a business reason to know such information and requiring signed acknowledgement of the requirement to keep Protected Information private. Existing policies establish a procedure for the prompt reporting of the loss or theft of Protected Information. Offices and storage facilities that maintain Protected Information limit customer access and are appropriately secured. Paper documents that contain Protected Information are shredded at time of disposal.
Information systems include network and software design, as well
as information processing, storage, transmission, retrieval, and
disposal. Arizona State University has policies, standards, and
guidelines governing the use of electronic resources and firewall
and wireless policies. Arizona State University will take reasonable
and appropriate steps consistent with current technological developments
to make sure that all Protected Information is secure and to safeguard
the integrity of records in storage and transmission. Arizona State
University will develop a plan to protect all electronic Protected
Information by encrypting it for transit.
Management of System Failures
The University will maintain effective systems to prevent, detect, and respond to attacks, intrusions and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with software vendors and others to regularly obtain and install patches to correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing back-up information off site, as well as other reasonable measures to protect the integrity and safety of information systems.
Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that Arizona State University determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access Protected Information, the evaluation process shall include the ability of the service provider to safeguard Protected Information. Contracts with service providers may include the following provisions:
This Information Security Plan will be subject to periodic review and adjustment, especially when due to the constantly changing technology and evolving risks. The Coordinators, in consultation with the Office of General Counsel, will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.