Rhode Island College Information Security Program Summary
Rhode Island College (“RIC”) is mandated by the Gramm-Leach-Bliley Act (“GLBA”) and the Federal Trade Commission’s Safeguards Rule to implement and maintain a comprehensive written Information Security Program ("ISP") and to appoint a program coordinator. The ISP is designed to:
- ensure the security and confidentiality of covered information;
- protect against anticipated threats or hazards to the security and integrity of such information; and
- protect against unauthorized access or use of such information.
This ISP is in addition to RIC’s existing policies and procedures that address aspects of information security and privacy, including but not limited to, the Family Educational Rights and Privacy Act Policy, the Information Security Policy, and the Responsible Computing Policy.
RIC has designated the Assistant Vice President for Information Services/Chief Information Officer as its ISP Coordinator. The ISP Coordinator may designate other individuals to coordinate elements of the ISP.
“Covered information” means any non-public financial or personally identifiable information about a student or other third party who has a continuing relationship with the college where such information is obtained in connection with the provision of a financial service by RIC, and that is maintained by RIC or by a third party on RIC’s behalf. Covered information does not include records obtained in connection with a single financial transaction, for example an ATM or credit card transaction. Personally identifiable information is any data that could potentially be used to identify a particular individual.
Elements of the ISP
Risk Identification and Assessment.
RIC intends, as part of this ISP, to identify and assess external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The ISP Coordinator or designee will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
- Employee Training and Management - The ISP Coordinator or designee will coordinate with the appropriate personnel in the relevant business offices, including but not limited to the Admissions Office, Financial Aid Office, Records Office and Office of the Bursar to evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered information.
- Information Systems and Information Processing and Disposal - The ISP Coordinator or designee will coordinate with the appropriate personnel of the Information Technology Services Office to assess the risks to covered information associated with the college’s information systems, including network and software design as well as information processing, storage, transmission and disposal.
- Detecting, Preventing and Responding to Attacks and System Failures - The ISP Coordinator or designee will coordinate with the appropriate personnel of the Information Technology Services Office to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures. Additionally, the coordinator will evaluate procedures and practices regarding existing network access policies and procedures, and procedures for coordinating responses to network attacks and developing incident response policies and procedures.
Designing and Implementing Safeguards.
The ISP Coordinator or designee will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
Overseeing Service Providers.
The ISP Coordinator or designee will coordinate with the Purchasing Office, and other offices responsible for third-party service procurements, to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. All service providers will be required by contract to implement and maintain such safeguards.
Adjustments to Program.
The ISP Coordinator or designee will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to RIC’s operations or other circumstances that may have a material impact on the ISP.