
Customer Information Security Program Policy and GLBA Policy

Coordinating the Customer Information Security Program

Overview

The Customer Information Security Program (CISP) is established and defined in the Customer Information Security Program Policy / GLBA Policy document. The program calls for several components, including the appointment of a coordinator, the selection and implementation of safeguards, and ongoing risk assessments. This document outlines those program components and how the program is maintained.

Coordinator

The University Information Security Officer was appointed to coordinate this program.

Identifying Covered Data and Units

Covered data is defined in the policy document and includes personal, non-public data received in the course of University business, such as bank and credit card account numbers, income and credit information, tax returns, asset statements, and Social Security numbers.

Covered Units are identified and tracked annually in a process where units report information on systems that store or process covered data.

Department Contacts

Deans, department heads, and other unit leaders designate contacts to assist in implementing the program. In practice, these individuals are referred to as Unit Security Liaisons. Unit Security Liaisons also report the status of their units (e.g., systems that store covered data such as SSNs).

Risk Assessments

University-level risk assessments are conducted monthly to maintain a registry of foreseeable security and privacy risks and of existing or potential mitigating safeguards. These assessments draw on data collected from industry threat intelligence sources, higher education communities of practice, and observed threat and incident data. The registry is used to inform the selection and implementation of University-wide, centrally managed safeguards for this program.

Covered units are responsible for regularly conducting unit-level risk assessments to identify risks that are unique to their area of operation and the covered data that they maintain. Risk assessments can be carried out independently, or units can request that the Office of Information Security coordinate, conduct, or provide assistance for a unit-level assessment.

Safeguards

Safeguards implemented as part of this program cover areas as diverse as management, training, network security, intrusion detection and response, and monitoring and testing. Detailed descriptions of the program safeguards are not included in this document for security reasons, but the following high-level information about the current program safeguards is made broadly available to the UGA community:

Prevention - measures that prevent loss of data security and privacy

  • Privacy and security policies
  • SecureUGA awareness training
  • Background checks
  • Identity theft protection (see Red Flags below)
  • Minimum security requirements for devices
  • Network perimeter security
  • Penetration tests and network security audits
  • Anti-virus
  • Data loss prevention

Detection - measures to detect data loss and security breaches

  • Intrusion detection
  • Network security monitoring for covered units
  • Anti-virus
  • Data loss prevention
  • Security event correlation and management

Response - measures for reacting to loss of data security and privacy

  • Formal incident reporting, containment, and forensics procedures

Service Providers

The Office of Information Security works with the Procurement Office to ensure that service providers implement appropriate safeguards for covered data and that contractual agreements detailing privacy and security requirements are in place. The Office of Information Security also coordinates with service providers to assess the security of systems that will store or process covered data.

Program Maintenance

This program is evaluated and adjusted continuously. Feedback from risk assessments, covered units, security operations, the University Security Committee, and the University units responsible for this program is considered and incorporated by the program coordinator in the selection and implementation of program components and safeguards.

Red Flags Rule Compliance and Identity Theft Protection

Most units holding data covered by the GLBA policy will also be covered by the UGA Red Flags Rule policy. Information on the Red Flags Rule policy is not included here because Red Flags Rule compliance efforts are coordinated by the Internal Audit Division.