Tulane University Information Security Plan

I. Preamble

In order to protect critical information and data, and to comply with Federal Law, Technology Services (TS), together with the Office of General Counsel (OGC), proposes certain practices in the University information environment and institutional information security procedures. While these practices mostly affect TS, some of them will impact diverse areas of the University, including but not limited to the Controller, Treasurer, Office of the Registrar, Institutional Advancement, Student Affairs, the Library, Athletics, Admissions and Financial Aid, and many third-party contractors, including food services and the book store. The goal of this document is to define the University's Information Security Program, to provide an outline to assure ongoing compliance with the federal regulations related to the Program, and to position the University for likely future privacy and security regulations.

II. Gramm Leach Bliley (GLB) Requirements

GLB mandates that the University appoint an Information Security Plan Coordinator; conduct a risk assessment of likely security and privacy risks; institute a training program for all employees who have access to covered data and information; oversee service providers and contracts; and evaluate and adjust the Information Security Program periodically.

III. Information Security Plan Coordinator

In order to comply with GLB, TS has designated the Information Security Officer (ISO) to act as the Information Security Plan Coordinator for the GLB Act. This individual must work closely with the General Counsel's office and Technology Services, as well as all relevant academic and administrative Schools and Departments throughout the University. The ISO is presently Leo Tran.

IV. Risk Assessment and Safeguards

The ISO must work with all relevant areas of the University to identify potential and actual risks to the security and privacy of information. Each School or Department head, or his/her designee, will conduct an annual data security review, with guidance from the ISO. Department Heads will be asked to identify any employees in their respective areas who work with covered data and information. In addition, the relevant departments of TS will conduct a quarterly review of procedures, incidents, and responses, and will publish all relevant materials except in those cases where publication is likely to lead to breaches of security or privacy. Publication of these materials is for the purpose of educating the University community on network security and privacy issues. TS will assure that procedures and responses appropriately reflect those widely practiced at other national research universities, as measured against four reference sources: the Educause Security Institute, the Internet2 security working group, the SANS Top Twenty risks list, and the Federal NIST Computer Security Resource Center.

In order to protect the security and integrity of the University network and its data, TS will develop and maintain a registry of all computers attached to the University network. This registry will include, where relevant, IP address or subnet, MAC address, and operating system.

TS assumes the responsibility of assuring that patches for operating systems and software environments are reasonably up to date, and will keep records of patching activity for all computers administered by TS. Computers and systems that are not administered by TS must be maintained to the standards published by TS, including application of security patches identified by the manufacturer. TS will review its procedures for patching operating systems and software, and will keep current on potential threats to the network and its data. Risk assessments will be updated quarterly.
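The registry of attached computers (IP address, MAC address, operating system) and the patching records described above are only useful if they are actually reconciled against what is on the network. The following is an added example, not part of the Tulane plan or any TS tool, showing one way such a reconciliation could be done: it reads constructed registry entries, constructed observation lines (assumed to come from DHCP leases or ARP tables in the form "<ip> <mac> <hostname>"), and constructed patch records, then reports unregistered MAC addresses, registered machines seen at an address other than the recorded one, and TS-administered hosts whose last recorded patch is older than a threshold. All host names, addresses and dates are hypothetical.

```python
"""Reconcile a network registry against observed hosts and patch records.

Added example: all data below is constructed and hypothetical; it is not
Tulane's inventory, and the observation-line format is an assumption.
"""
from datetime import date, timedelta

# Constructed registry entries (hypothetical hosts, not a real inventory).
REGISTRY = [
    {"host": "fin-db01",  "ip": "10.1.2.10", "mac": "00:11:22:33:44:55",
     "os": "Windows Server", "admin": "TS"},
    {"host": "sis-app01", "ip": "10.1.2.11", "mac": "00:11:22:33:44:66",
     "os": "Solaris", "admin": "TS"},
    {"host": "regis-ws7", "ip": "10.1.5.23", "mac": "00:AA:BB:CC:DD:EE",
     "os": "Windows XP", "admin": "Registrar"},
]

# Constructed observation lines; format "<ip> <mac> <hostname>" is assumed.
OBSERVED_LINES = """\
10.1.2.10 00:11:22:33:44:55 fin-db01
10.1.2.11 00:11:22:33:44:66 sis-app01
10.1.5.40 00:aa:bb:cc:dd:ee regis-ws7
10.1.5.99 de:ad:be:ef:00:01 unknown-laptop
"""

# Constructed patching records: (host, date of last recorded patch).
PATCH_LOG = [
    ("fin-db01", date(2003, 9, 20)),
    ("sis-app01", date(2003, 6, 1)),
]

# Hypothetical date on which the quarterly review is being run.
REPORT_DATE = date(2003, 10, 1)


def norm_mac(mac):
    """Canonical MAC form so 00:AA:.. and 00-aa-.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_observed(text):
    """Map each observed MAC to the IP and hostname it was seen with."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        ip, mac, name = parts
        seen[norm_mac(mac)] = {"ip": ip, "host": name}
    return seen


def unregistered_hosts(registry, seen):
    """MACs observed on the network that have no registry entry."""
    known = {norm_mac(r["mac"]) for r in registry}
    return sorted(mac for mac in seen if mac not in known)


def address_changes(registry, seen):
    """Registered MACs seen at an IP other than the one on record.

    A changed address may be a benign DHCP move or a spoofed MAC; either
    way it is worth a look during the quarterly review.
    """
    changes = []
    for r in registry:
        obs = seen.get(norm_mac(r["mac"]))
        if obs and obs["ip"] != r["ip"]:
            changes.append((r["host"], r["ip"], obs["ip"]))
    return changes


def stale_patches(registry, patch_log, today, max_age_days=30):
    """TS-administered hosts with no patch record, or one older than the threshold.

    Non-TS hosts are skipped because the plan only commits TS to keeping
    patch records for machines it administers. Returns ISO date strings.
    """
    last = dict(patch_log)
    stale = []
    for r in registry:
        if r["admin"] != "TS":
            continue
        d = last.get(r["host"])
        if d is None or today - d > timedelta(days=max_age_days):
            stale.append((r["host"], d.isoformat() if d else None))
    return stale


if __name__ == "__main__":
    seen = parse_observed(OBSERVED_LINES)
    print("Unregistered MACs:", unregistered_hosts(REGISTRY, seen))
    print("Address changes:", address_changes(REGISTRY, seen))
    print("Stale patches:", stale_patches(REGISTRY, PATCH_LOG, REPORT_DATE))
```

The three checks map to the three commitments in the text: the registry (what should be on the network), the MAC/IP fields (what is actually there), and the patching records (whether TS-administered machines are reasonably current). In practice the observation source would be a DHCP server log or switch ARP export rather than an embedded string.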

TS bears primary responsibility for identifying internal and external risks to TS-administered systems. All members of the University community are involved in risk assessment for their individual systems.

TS, working in cooperation with relevant University departments, will develop and maintain a data handbook, listing those persons or offices responsible for each covered data field in relevant software systems (financial, student administration, development, etc.). TS and the relevant departments will conduct ongoing audits of activity, and will report any significant questionable activities.

TS will work with the relevant offices to develop and maintain a registry of those members of the University community who have access to covered data and information. TS in cooperation with Human Resources will work to keep this registry rigorously up to date.

TS will assure the physical security of all centralized servers which contain or have access to covered data and information. TS will work with other relevant areas of the university to develop guidelines for physical security of any covered servers in locations outside the central server area. The University will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, and other procedures which may expose the University to risks.

Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). By necessity, student social security numbers still remain in the University student information system. The University will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are still used, and in what instances students are inappropriately being asked to provide a social security number. This assessment will cover University employees as well as subcontractors such as the bookstore and food services, and consortia.

TS will develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks.

TS will develop written plans and procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.

The Information Security Officer will periodically review the University's computer security, disaster recovery program and data-retention policies and present a report to the CIO and the President's Cabinet.

V. Employee training and education

While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, TS and the OGC will work in cooperation with the Office of Human Resources to develop training and education programs for all employees who have access to covered data.

VI. Oversight of Service Providers and Contracts

GLB requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Office of General Counsel will develop and send form letters to all identified covered contractors requesting assurances of GLB compliance. While contracts entered into prior to June 24, 2002 are grandfathered until May 2004, the Office of General Counsel will take steps to ensure that all relevant future contracts include a privacy clause in compliance with GLB.

VII. Evaluation and Revision of the Information Security Plan

GLB mandates that this Information Security Plan be subject to periodic review and adjustment. The most frequent of these reviews will occur within TS. Processes in other relevant offices of the University such as data access procedures and the training program should undergo regular review. The plan itself as well as the related data retention policy may be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.

VIII. Definitions

Covered data and information for the purpose of this policy includes student financial information required to be protected under the Gramm Leach Bliley Act (GLB). Covered data and information includes both paper and electronic records.

Student financial information is that information the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers, in both paper and electronic format.

Directory Information is information the university has collected about students that may be released for any purpose at the discretion of Tulane: name, addresses (including e-mail), phone numbers, dates of attendance, classification, major, awards, honors, degrees conferred and dates, school, full/part time status, past and present participation in officially sanctioned sports and activities, physical factors (height, weight of athletes), photographs, and date and place of birth.

Under the provisions of the Family Educational Rights and Privacy Act of 1974, students have the right to withhold disclosure of such Directory Information. Such requests are valid only when a written request to withhold disclosure is received by the Office of the Registrar by 5:00 p.m. on the last day to add classes as listed in the Academic Calendar.

Tulane University, New Orleans, LA 70118 504-865-5000 website@tulane.edu