The Customer Information Security Program (CISP) is established and defined in the Customer Information Security Program Policy / GLBA Policy. The program calls for components including the appointment of a coordinator, the selection and implementation of safeguards, ongoing risk assessments, and management of service providers. Information on these program components and on maintenance of the program is outlined in this document.
The Chief Information Security Officer has been appointed to coordinate this program.
Covered data is outlined in the GLBA policy document and includes personal, non-public data received in the course of University business and pertaining to bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers.
Covered Units are identified and tracked annually in a process where units report information on systems that store or process covered data.
Deans, department heads, etc. designate contacts called Departmental Network Liaisons (DNLs) to assist in implementation of the program. DNLs also report the status of their units (e.g. systems that store covered data such as SSNs) and assist in incident response activities.
Risk assessments are conducted quarterly to maintain a registry of foreseeable security and privacy risks and existing or potential mitigating safeguards. This registry is used to inform the selection and implementation of safeguards for this program.
Covered units are responsible for conducting unit-level risk assessments to identify risks that are unique to their area of operation and the covered data that they maintain. Risk assessments can be carried out independently, or units can request that the Office of Information Security coordinate, conduct, or provide assistance for a unit-level assessment.
Program safeguards encompass administration, training, network security, intrusion detection and response, and monitoring and testing.
Identification - measures for identifying risks and program requirements
Prevention - measures that prevent data loss and security breaches
Detection - measures to detect data loss and security breaches
Response - measures for responding to attack or breach conditions
The Office of Information Security and the Procurement Office ensure service providers implement appropriate safeguards for covered data and that contractual agreements detailing privacy and security requirements are in place via the CESS process. The Office of Information Security also coordinates directly with service providers to assess the security of systems that will store or process covered data.
This program is evaluated and adjusted continuously. Feedback from risk assessments, covered units, and security operations informs the selection and implementation of program components and safeguards by the program coordinator.
Most units with data covered by the GLBA policy will also be covered by the UGA Red Flags Rule policy.