Coordinating the Customer Information Security Program

Overview

The Customer Information Security Program (CISP) is established and defined in the Customer Information Security Program Policy / GLBA Policy. The program calls for several components, including the appointment of a coordinator, the selection and implementation of safeguards, ongoing risk assessments, and the management of service providers. Information on these program components and on the maintenance of the program is outlined in this document.

Coordinator

The Chief Information Security Officer has been appointed to coordinate this program.

Identifying Covered Data and Units

Covered data is outlined in the GLBA policy document and includes personal, non-public data received in the course of University business and pertaining to bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers.

Covered Units are identified and tracked annually in a process where units report information on systems that store or process covered data.

Department Contacts

Deans, department heads, and other unit leaders designate contacts called Departmental Network Liaisons (DNLs) to assist in implementing the program. DNLs also report the status of their units (e.g. systems that store covered data such as SSNs) and assist in incident response activities.

Risk Assessments

Risk assessments are conducted quarterly to maintain a registry of foreseeable security and privacy risks and existing or potential mitigating safeguards. This registry is used to inform the selection and implementation of safeguards for this program.

Covered units are responsible for conducting unit-level risk assessments to identify risks that are unique to their area of operation and the covered data that they maintain. Risk assessments can be carried out independently, or units can request that the Office of Information Security coordinate, conduct, or provide assistance for a unit-level assessment.

Safeguards

Program safeguards encompass administration, training, network security, intrusion detection and response, and monitoring and testing.

Identification - measures for identifying risks and program requirements
  • Inventory of sensitive and critical systems
  • Information security policies
  • Minimum security requirements for devices
  • Vulnerability management
Prevention - measures that prevent data loss and security breaches
  • New employee awareness training
  • New employee background checks
  • Identity theft protection (see Red Flags below)
  • Network perimeter security with cloud-based zero-day threat protection
  • Vulnerability management
  • Penetration tests and network security audits
  • Anti-virus
  • Data loss prevention
  • DNS threat protection
  • Two-factor authentication service
  • Restricted data VPN and VDI environment
Detection - measures to detect data loss and security breaches
  • Intrusion detection
  • Network security monitoring
  • Anti-virus
  • Data loss prevention
  • Security event management, correlation and alerting
  • Membership in industry Information Sharing and Analysis Centers (ISACs)
Response - measures for responding to attack or breach conditions
  • Formal incident reporting, containment, and forensics procedures

Service Providers

The Office of Information Security and the Procurement Office ensure that service providers implement appropriate safeguards for covered data and that contractual agreements detailing privacy and security requirements are in place, via the CESS process. The Office of Information Security also coordinates directly with service providers to assess the security of systems that will store or process covered data.

Program Maintenance

This program is evaluated and adjusted continuously. Feedback from risk assessments, covered units, and security operations informs the program coordinator's selection and implementation of program components and safeguards.

Red Flags Rule Compliance and Identity Theft Protection

Most units with data covered by the GLBA policy will also be covered by the UGA Red Flags Rule policy.