DRAFT
Cornell University
Financial Modernization Act of 1999 (GLBA)
Information Security Program
Purpose
This document establishes the Cornell University information security program. This program sets forth a collection of policies, procedures and responsibilities for the protection and control of financial data, in compliance with the Financial Modernization Act of 1999 (GLBA). The information security program is focused on ensuring the security and confidentiality of financial records and related computing resources, protection against anticipated threats and hazards that might jeopardize the security or integrity of financial data, and protection against unauthorized access to information or computer resources associated with protected financial data.
Data Covered by the Information Security Program
The GLBA Information Security Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with Cornell University. This data may be in paper, electronic or other form and is handled or maintained by or on behalf of Cornell University or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from Cornell University, (ii) about a student or other third party resulting from any transaction with Cornell University involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
Information Security Program Responsibilities
The Director of IT Security is designated as the Information Security Program Officer ("Program Officer") responsible for coordinating and overseeing the Information Security Program. The Program Officer may designate other representatives of the University to oversee and coordinate portions of the program. Any questions regarding the implementation of this program or the interpretation of this document should be directed to the Program Officer or her or his designees.
Information Security Program Overview
The GLBA requires the University to develop, implement and maintain a comprehensive information security program containing the administrative, technical and physical safeguards that are appropriate based upon the University's size, complexity and the nature of its activities. This Information Security Program has five components: (1) designating an employee or office responsible for coordinating the program; (2) conducting risk assessments to identify reasonably foreseeable security and privacy risks; (3) ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored; (4) overseeing service providers; and (5) maintaining and adjusting this Information Security Program based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.
The Cornell University information security program was developed for the purpose of protecting the university's computer and information resources, nonpublic financial information about a student, employee or third party, academic records, healthcare records and any other information that the university deems sensitive.
The implementation of the information security program at Cornell involves centralized and distributed elements. The centralized elements include such functions as university security policy implementation, security incident response, and security awareness and training. Distributed elements include local network and system management, local user support and local incident response. Leadership for the centralized elements and security coordination across the distributed elements are the responsibility of the Director of IT Security.
Information Security Program Elements
This section will provide additional detail of the individual program elements.
- Security Responsibility and Authority. The Director of IT Security is hereby designated as the Information Security Program Officer ("Program Officer") responsible for coordinating and overseeing the Information Security Program. The Program Officer may designate other representatives of the University to oversee and coordinate portions of the program. Any questions regarding the implementation of this program or the interpretation of this document should be directed to the Program Officer or her or his designees.
The Director of IT Security will work closely with the Financial Aid offices, the IT Policy Office, the Office of University Counsel, Internal Audit and other offices and units to implement this program. The Program Officer will consult with responsible offices to identify units and areas of the University with access to covered data. The Program Officer will conduct a survey, or utilize other reasonable measures, to confirm that all areas with covered information are included within the scope of this Information Security Program. The Program Officer will maintain a list of areas and units of the University with access to covered data. The Program Officer will periodically conduct vulnerability assessments of units to ensure compliance. The Program Officer may require units with substantial access to covered data to further develop and implement comprehensive security plans specific to those units and to provide copies of the plan documents. The Program Officer may designate, as appropriate, responsible parties in each area or unit to carry out activities necessary to implement this Information Security Program.
The Program Officer will work with responsible parties to ensure that the departmental training and education plans are developed and delivered for all employees with access to covered data. The Program Officer will, in consultation with other University offices, verify that existing policies, standards and guidelines that provide for the security of covered data are reviewed and adequate. The Program Officer will make recommendations for revisions to policy, or the development of new policy, as appropriate.
- Risk Assessment and Audit.
The Program Officer shall conduct periodic risk assessments for departments that manage and/or process sensitive or regulated information. These risk assessments will identify and assess both internal and external risks to the confidentiality, integrity and availability of sensitive information and IT devices that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of the information. Sensitive information includes, but is not limited to, nonpublic customer information and other categories of information protected by law and/or University policy, and information relating to the IT devices that process such information.
Risk assessments will include, but are not limited to, assessments of access and handling procedures of both electronic and non-electronic information, penetration testing of IT resources, network assessments, appropriate incident reporting, and proper information storage.
- Develop Safeguards and Operations to Respond and Mitigate Identified Risks to Protected Data.
To address and mitigate risks identified in the assessment and audit effort of this program, the Program Officer will lead the development of physical and IT safeguards and security operations to appropriately address and minimize the effects of security incidents. These are further described below.
- Security Architecture. The security architecture comprises all the interdependent components that lead to the confidentiality, integrity and availability of information that is processed, stored or transmitted by Cornell University. Further, the security architecture uses administrative, technical and physical safeguards to enforce existing University policies, protect against anticipated threats or hazards to data, and protect against unauthorized use of or access to protected information.
Components that can comprise a security architecture include physical access controls, data access auditing, network and personal firewalls, network and system monitoring applications (intrusion detection systems), specific network and system configurations, security applications (virus protection, system audit, etc.), user authentication and data backup mechanisms.
Privacy requirements of the data, criticality of the resources (e.g. database server, web server or personal computer) and federal, state or local law influence the particulars of the Cornell security architecture. For this reason, it is not possible to create a single security architecture that meets the security needs for all sensitive data. The Program Officer will oversee the development of security architectures tailored to meet the specific confidentiality, integrity and availability requirements of the data and resources as required by law under the Gramm-Leach-Bliley Act.
The security architecture will be developed in response to the security assessment and audit component of this security plan for the purpose of managing perceived risks and protecting identified assets. The Program Officer will periodically assess the security architecture to determine overall effectiveness and to aid in the continual adjustment to account for changes in technology, the sensitivity of customer and university information, and internal/external threats to information security.
- Security Operations.
Security operations are developed to ensure proper facilities control, system maintenance, efficient incident reporting and response, and data protection procedures. As with the security architecture, security operations must be developed to be commensurate with the sensitivity of the data and the criticality of the resources that the operations support.
Security operations may include data backup and recovery procedures, business continuity plans, monitoring and audit of facilities access, daily monitoring of data access (both electronic and non-electronic), and security incident procedures. The Program Officer will lead or participate in the development of the necessary security operations to meet the specific confidentiality, integrity and availability requirements of the data and resources as required by law.
The security operations will be developed in response to the security assessment and audit component of this security plan for the purpose of managing perceived risks and protecting identified assets. The security operations model will be periodically assessed to determine overall effectiveness and to aid in the continual adjustment to accommodate changes in technology, the sensitivity of customer or university data, and internal/external threats to information security.
- Security Education and Training.
Security education and training is conducted regularly across the university to apprise individuals of their rights and responsibilities with respect to data security. The objectives of this component of the security program are to educate individuals about security-specific University policies, inform them of their data and resource protection responsibilities, and train them to recognize, respond to and report potential security incidents.
The Program Officer will oversee the periodic evaluation of the university security education and training. This evaluation will include an indication of the overall effectiveness, identification of required additional components and assessment of necessary modernization plans.
- Security Oversight of University Service Providers.
The Program Officer shall coordinate with those responsible for third party service procurement activities (Cornell Information Technologies and other affected units or departments) to institute methods for selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for proper information handling and protection. In addition, the Program Officer will work with the Cornell Office of University Counsel, Cornell Information Technologies, and any other affected units or departments to develop and incorporate standard contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Office of University Counsel. These standards shall apply to all existing and future contracts entered into with such third party service providers, provided that amendments to contracts entered into prior to June 24, 2002 are not required to be effective until May 2004.
Adjustments to the Information Security Program
The Program Officer is responsible for evaluating and adjusting the Information Security Program based on the risk identification and assessment activities undertaken pursuant to this program, as well as any material changes to the Institution's operations or other circumstances that may have a material impact on this program.