Information Security Program
Overview
The Gramm-Leach-Bliley Act (GLBA) addresses the safeguarding and confidentiality of customer information held in the possession of financial institutions such as banks and investment companies. GLBA contains no exemption for postsecondary educational institutions. As a result, educational institutions that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices both electronic and physical (employee, student, customer, alumni, etc.). Therefore, AIMS Education has adopted the following Information Security Program for all student and/or third-party records containing nonpublic personal information.
Federal regulations state that any institution of higher education that complies with the Family Educational Rights and Privacy Act (FERPA), and that is also a financial institution subject to the requirements of GLBA, shall be deemed to be in compliance with the Privacy Rule of GLBA. All institutions of higher education are still subject to the Safeguards Rule.
Purpose and Scope
This security program applies to customer financial information that AIMS receives in the course of business as required by GLBA, as well as other confidential financial information the Institution has voluntarily chosen as a matter of policy to include within its scope. This program is in addition to any other institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including FERPA.
The purposes of this document are to:
- Establish a comprehensive information security program for AIMS Education with policies designed to safeguard sensitive data that is maintained by the Institution, in compliance with federal and state laws and regulations.
- Establish employee responsibilities in safeguarding data according to its classification level; and
- Establish administrative, technical, and physical safeguards to ensure the security of sensitive data.
Roles and Responsibilities
- Designating a qualified individual to oversee and implement the ISP.
- Data stewards of respective departments are designated to oversee the approval process for access to PII data.
- The department head, along with authorized team members, shares joint responsibility for securing the data.
- All employees of AIMS Education are responsible for maintaining the privacy and integrity of all sensitive data and must protect the data from unauthorized use, access, disclosure, or alteration.
- All employees of AIMS Education are required to access, store, and maintain records containing sensitive data in compliance with this Program.
- All concerned parties within AIMS Education, including third parties with which PII data is exchanged in connection with any financial service as defined under the GLB Act and FERPA policy, should sign a written consent or agreement.
- Any change in an employee’s status, such as termination, leave of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect the employee’s access to PII data, should be promptly communicated by HR to the concerned parties.
- The Security Team oversees maintaining, updating, and implementing this Program.
Definitions
Data
Data refers to any information stored, accessed, or collected at the Institution about students and employees of AIMS Education.
Data Steward
A data steward acts as a liaison between the IT and other departments within AIMS Education and is responsible for the data content and authorizing access to the data.
PII Data
All information that must be protected under GLBA. This includes the financial information that the Institution has included within the scope of this Information Security Program. PII data also includes any information collected from a student in the course of offering a financial product or service (e.g. student loans), or such information provided from another institution. Examples include mailing addresses, phone numbers, bank and credit card account numbers, and social security numbers. PII data consists of both paper and electronic records that are handled by the Institution or its affiliates.
Nonpublic personal information (NPI)
Any “personally identifiable financial information” that the Institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.” Examples of NPI include name, address, income, social security number, or other information on an application.
Information Security Program Coordinator
In order to comply with GLBA, AIMS Education has designated an Information Security Program Coordinator. This individual must work closely with the President’s Office, the Information Security Committee, the Information Technology team, and all relevant academic and administrative departments throughout the Institution.
The Coordinator is responsible for assisting all department supervisors in identifying internal and external risks to the security, confidentiality, and integrity of covered/PII data; evaluating the effectiveness of current safeguards; designing and implementing a safeguards program; and regularly monitoring and testing the program.
Risk Assessment
The Information Security Program will identify internal and external risks to the security, confidentiality, and integrity of PII data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include consideration of risks in each area that has access to PII data. Risk assessments will include, but not be limited to, consideration of employee training and management; information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and systems for detecting, preventing, and responding to attacks, intrusions, or other system failures.
The Coordinator will work with the Information Security Committee, and all department supervisors, to carry out comprehensive risk assessments. Risk assessments will include institution-wide risks, as well as risks unique to each department with PII data. The Coordinator will ensure that risk assessments are conducted at least annually, and more frequently where required. The Coordinator may identify a responsible party from the Information Technology team to conduct a system-wide risk assessment. The Coordinator may identify a responsible party in each department with access to PII data to conduct the risk assessment considering the factors set forth above, or employ other reasonable means to identify risks to the security, confidentiality and integrity of PII data in each area of the Institution with PII data.
The Coordinator will provide copies of complete and current risk assessments for institution-wide and department-specific risks at least annually with the Coordinator’s report to the President’s Office.
Information Safeguards and Monitoring
The Information Security Program will verify that safeguards are in place to control the risks identified in the risk assessments. The Coordinator will ensure that reasonable safeguards and monitoring are implemented and cover each department that has access to PII data.
These safeguards will include the following:
Employee Awareness, Management and Training
Safeguards for security will include the management and training of all employees with authorized access to PII data. The Coordinator will, working with the Information Security Committee, identify which employees have access to PII data. The Coordinator will ensure that appropriate training and education is provided to all employees who have access to PII data. The training will include education on relevant policies and procedures and on other safeguards used to protect PII data.
Additional safeguards will include the following:
- Background checks before hiring employees who will have access to PII data.
- Requiring new employees to sign an agreement that they will abide by the institution’s security and confidentiality standards.
- Job-specific training on maintaining security and confidentiality.
- Periodic training on security awareness, phishing emails and FERPA to be conducted.
- Requiring “strong” user-specific passwords that must be changed every 90 days.
- Passwords, if compromised, should be promptly changed, and any such incident should be reported to the IT Support Team.
- Limiting access to PII data to employees with a legitimate business need to see it.
- Preventing former employees from accessing customer information by deactivating their usernames and passwords.
- Other measures that provide reasonable safeguards based upon the risks identified.
Vulnerability Management
A vulnerability is a security weakness in one of the Institution's information technology (IT) servers that an attacker can exploit. It may result in a denial of service or another kind of cyberattack, injection of malware into the servers, a data breach that steals valuable personal data, or a ransomware attack. The vulnerability management process is a continuous cycle of detection, remediation, and verification. This continuous process is called the vulnerability management lifecycle.
Financial Records Management
IT Asset Management (ITAM) enables organizations to manage their IT assets on an ongoing basis. It enables businesses to establish controls, gain visibility into their environment, optimize costs, and maintain license compliance. ITAM joins the financial, inventory, contractual, and risk management responsibilities to manage the overall lifecycle of these assets, including tactical and strategic decision making. ITAM encompasses Hardware Asset Management (HAM), Software Asset Management (SAM), and Software as a Service (SaaS) management. It covers the management of all assets, whether physical, software, or otherwise, including their use, timely renewal, updating, and control of who may use them.
Information Systems
Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal.
Network and software systems will be designed to limit the risk of unauthorized access to PII data. This may include designing limitations to access and maintaining appropriate screening programs to detect computer hackers and viruses and implementing security patches.
Safeguards for information processing, storage, transmission, retrieval, and disposal may include the following:
- Requiring electronic PII data to be entered into a secure, password-protected system.
- Using secure, encrypted connections to transmit data outside the Institution.
- Using secure servers.
- Ensuring PII data is not stored on transportable media (USB drives, portable hard drives, etc.).
- Permanently erasing PII data from computers, hard drives, or other electronic media before transferring, recycling, or disposing of them.
- Storing physical records in a secure area and limiting access to that area.
- Providing safeguards to protect PII data and systems from physical hazards such as fire or water damage.
- Shredding confidential paper records before disposal.
- Maintaining an inventory of servers or computers with PII data.
- Enabling multi-factor authentication in applicable software.
- Mandating that passwords be created according to the following guidelines:
  - Has at least 8 characters
  - Contains a combination of at least three of the four character types: uppercase letters, lowercase letters, numbers, and special characters (e.g., @ $ # !)
  - Does not contain words in any language, slang, dialect, jargon, etc., even if they are separated by numbers or special characters (e.g., Wel67come)
  - Does not contain repeated characters or a sequence of keyboard letters (e.g., qwerty, 12345, or yyy99)
  - Does not contain any part of the user’s name, username, birthday, or social security number, or those of friends and family (e.g., Miss1030)
  - For password resets, the new password cannot be one of the last three passwords, as a best practice.
  - Is not the same as, or similar to, a password used in social media apps
- Other reasonable measures to secure PII data
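The password guidelines above are a rule set that can be enforced at account creation and password reset. The following is an added example, not code from AIMS Education or from any system the Institution uses: a Python checker that implements each listed rule and returns the names of the rules a candidate password violates. The dictionary words, keyboard rows, personal terms, and password-history fingerprints are constructed for the example; a deployment would load its own word list, the user's actual profile terms, and its stored password history. The history comparison uses SHA-256 only to keep the example dependency-free; a real system compares against its salted, slow password hashes (bcrypt, scrypt, or Argon2) through the same verifier it uses for login.

```python
import hashlib
import re
from typing import Iterable, List

# Constructed sample data for this example. An institution would load a full
# word list and its own keyboard/sequence tables.
DICTIONARY_WORDS = {"welcome", "password", "student", "college", "summer"}
KEYBOARD_ROWS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",          # QWERTY letter rows
    "1234567890", "0123456789",                    # digit row (both starts)
    "abcdefghijklmnopqrstuvwxyz",                  # alphabetical runs
]
MIN_LENGTH = 8          # "Has at least 8 characters"
REQUIRED_CLASSES = 3    # "at least three of the four character types"
HISTORY_DEPTH = 3       # "cannot be one of the last three passwords"
SEQUENCE_LENGTH = 4     # window size for keyboard/alphabet sequences


def fingerprint(password: str) -> str:
    """Fingerprint for history comparison only (simplified: unsalted SHA-256).
    Production systems store salted, slow hashes and compare via the login verifier."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def has_repeated_run(password: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'yyy')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_keyboard_sequence(password: str, length: int = SEQUENCE_LENGTH) -> bool:
    """True if any `length`-character window is a forward or reverse slice of a known row."""
    lowered = password.lower()
    for i in range(len(lowered) - length + 1):
        window = lowered[i:i + length]
        for row in KEYBOARD_ROWS:
            if window in row or window in row[::-1]:
                return True
    return False


def contains_dictionary_word(password: str, words: Iterable[str] = DICTIONARY_WORDS) -> bool:
    """Strip digits and symbols first so 'Wel67come' is still caught as 'welcome'."""
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    return any(word in letters_only for word in words)


def contains_personal_term(password: str, personal_terms: Iterable[str]) -> bool:
    """True if any profile term (name, username, birthday digits, ...) of 3+ chars appears."""
    lowered = password.lower()
    return any(len(t) >= 3 and t.lower() in lowered for t in personal_terms)


def reuses_recent_password(password: str, previous_fingerprints: Iterable[str],
                           depth: int = HISTORY_DEPTH) -> bool:
    """True if the candidate matches one of the last `depth` stored fingerprints."""
    return fingerprint(password) in list(previous_fingerprints)[-depth:]


def check_password(password: str, personal_terms: Iterable[str] = (),
                   previous_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if character_classes(password) < REQUIRED_CLASSES:
        violations.append("too_few_character_classes")
    if contains_dictionary_word(password):
        violations.append("dictionary_word")
    if has_repeated_run(password) or has_keyboard_sequence(password):
        violations.append("repeated_or_sequential")
    if contains_personal_term(password, personal_terms):
        violations.append("personal_information")
    if reuses_recent_password(password, previous_fingerprints):
        violations.append("recently_used")
    return violations


if __name__ == "__main__":
    # Constructed user profile and history for the demonstration.
    profile = ("jdoe", "Miss", "1030")
    history = [fingerprint(p) for p in ("Ancient#9q", "OldPass1!x", "Mid2#qzvk", "Latest3$wr")]
    for candidate in ("Wel67come", "qwerty12!A", "yyy99", "Miss1030", "OldPass1!x", "Vz7#kpQ2mR!t"):
        print(candidate, "->", check_password(candidate, profile, history) or "OK")
```

The checker reports every violated rule rather than stopping at the first, so the reset form can tell the user exactly what to fix. The "similar to a social media password" rule cannot be checked locally, since the Institution never sees those passwords; it remains a training point rather than an enforceable control.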
Access to student record policies
Access to student record policy refers to the controls that prevent unauthorized physical or remote access to student data. These controls aim to minimize the security risks to the physical and logical systems of the organization. Physical access control enables the organization to secure its physical files, while logical access control helps protect the software and the data it holds.
Managing System Failures
The Institution will maintain effective systems to prevent, detect, and respond to attacks, intrusions, and other system failures. Such systems may include the following:
- Maintaining and implementing current anti-virus software
- Monitoring the websites of software vendors for news of software vulnerabilities and available security patches
- Maintaining appropriate firewall technologies
- Alerting those with access to PII data of threats to security
- Backing up data regularly and storing backup copies off site
- Other reasonable measures to protect the integrity and safety of information systems
Business Continuity and Disaster recovery
A continuity plan details how we will continue operating and serving our student body during a dramatic event such as a natural disaster, a major IT failure, or a cyberattack. The end goal is to preserve the viability, position, reputation, and future enrollments of the Institution, and the integrity of student and company financial records, even in the face of a crisis.
Disaster recovery will focus on how to bring systems back online after a disaster and on developing a proactive process that keeps the school operating even in the face of a major crisis. Accordingly, a disaster recovery plan is limited to ensuring data protection, preventing damage to systems, and recovering them as quickly as possible, while a continuity plan covers all aspects of the Institution's processes.
Disaster recovery plans are mandatory for overcoming a difficult situation after any natural disaster or cyberattack. With proper plans we can continue our day-to-day operations and recover from the loss caused by the event, for example to student payments, student ledgers, and attendance records.
Monitoring and Testing
The Coordinator, working with other designated personnel, will regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to swiftly detect and correct breakdowns in security. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided. Monitoring may include system checks, reports of access to systems, reviews of logs, audits, and any other reasonable measures to verify that the Information Security Program’s controls, systems, and procedures are working.
Service Providers
In the course of business, the Institution may share PII data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents or equipment, or other similar services. This Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the PII data at issue and requiring service providers by contract to implement and maintain such safeguards.
The Coordinator will identify service providers who are provided access to PII data. The Coordinator will work with the President’s Office, and other departments as appropriate, to make certain that service provider contracts contain appropriate terms to protect the security of PII data. Our third-party servicer has comprehensive internal and external security teams in place to govern cyber security concerns, including GLBA guidelines, incident response, risk assessment, and penetration testing. Multi-factor authentication is implemented in the application and network resources.
Program Maintenance
The Coordinator, working with the Information Security Committee, will evaluate and adjust the Information Security Program based on the results from regular monitoring and testing, as well as any material changes to operations or business arrangements, and any other circumstances which may reasonably have an impact on the Information Security Program. Our institution currently does not meet the student-count criteria that require findings to be reported on a regular basis. However, we will report them anyway to ensure that the proper protocols are in place and that findings are resolved in a timely manner.
Reporting Attempted or Actual Breaches of Security
The Coordinator should be immediately informed of any incident of a breach or attempted breach of the information safeguards adopted under this Program. Appropriate response actions will be taken upon discussion with the Information Security Committee (ISC). All incidents and their responses are to be documented by the ISC.
Enforcement
Any employee or student of AIMS Education who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises PII data without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action. The ISC will discuss and determine the course of action.
Audit and Log Management
Audit logging is the process of documenting activity within the software systems used across AIMS. Audit logs will document every occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted area. All devices in our network, cloud services, and applications generate logs that may be used for auditing purposes. Whenever anyone opens, edits, saves, or otherwise alters any data, the action is captured, and the trail of access to the affected file can and will be audited and documented. This is to eliminate exposure from future occurrences and to retrain the responsible parties so that they do not make unauthorized changes or alterations to any data.