Administrative Regulation Title: Information Security Program Procedures
Regulation Number: 6.10.1
_____________________________________________________________________________________
Designation of Representative: The Vice President of Administrative Services is hereby designated as the Program Officer who shall be responsible for coordinating and overseeing the Program. The Program Officer may designate other employees at EWC to oversee and coordinate particular elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the Program Officer.
Scope of Program: The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with EWC, whether in paper, electronic, or other form that is handled or maintained by or on behalf of EWC. For these purposes, the term nonpublic financial information shall mean any information:
- a student or other third party provides in order to obtain a financial service from EWC;
- about a student or other third party resulting from any transaction with EWC involving a financial service; or
- otherwise obtained about a student or other third party in connection with providing a financial service to that person.
Program Elements:
- Risk Identification and Assessment. EWC intends, as part of the Program, to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. In implementing the Program, the Program Officer will establish procedures for identifying and assessing such risks in each relevant area of EWC’s operations, including:
  - Employee Training and Management: The Program Officer will coordinate with representatives of EWC’s Human Resources Department, Business Office, and Financial Aid Office to evaluate the effectiveness of EWC’s procedures and practices relating to access to and use of student records, including nonpublic financial information. This evaluation will include assessing the effectiveness of EWC’s current policies and procedures in this area.
  - Information Systems and Information Processing: The Program Officer will coordinate with representatives of the Computer Services Department by and through the Vice President of Student and Academic Services to assess the risks to nonpublic financial information associated with EWC’s information systems. This evaluation will include assessing EWC’s current policies and procedures relating to the use of the network and network security. The Program Officer will also coordinate with the Vice President of Student and Academic Services to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
  - Detecting, Preventing, and Responding to Attacks: The Program Officer will coordinate with EWC’s Vice President of Student and Academic Services to evaluate procedures for and methods of detecting, preventing, and responding to attacks or other system failures, and existing network access responses to network attacks and developing incident response teams and policies. In this regard, the Program Officer may elect to delegate to a representative of the Vice President of Student and Academic Services the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by EWC.
  - Document Retention, Security, and Disposal: The Program Officer will assess file management practices wherever nonpublic financial information is found to ensure that adequate systems are in place to protect sensitive documents from unauthorized use and provide archive and/or disposal plans for documents and files that are no longer needed.
- Designing and Implementing Safeguards. The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper, or other form. The Program Officer will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards.
- Overseeing Service Providers. The Program Officer shall coordinate with those responsible for the third-party service procurement activities the information/computer services and other affected departments to raise awareness of, and to institute methods for selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the Program Officer will work with the college attorney to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the College Board after review by the college attorney.
- Adjustments to Program. The Program Officer is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the Institution’s operations or other circumstances that may have a material impact on the Program.
Original Adoption Date: 12/09/03
Revision Date(s): 11/8/05 (RF) (RF), 2/11/14, 10/10/17
Date reviewed, no change: