Information Protection Policy
Applies to: | Original Policy Date: | Date of Last Review: | Approved by: |
---|---|---|---|
Florida Tech Campus | August 2024 | August 2024 | Dr. John Nicklow, President |
Policy Owner: Chief Information Officer (CIO)
Policy Purpose
The purpose of the Information Protection Policy is to establish guidelines and supervision over people, processes, and technology used to safeguard the confidentiality, integrity, and availability of university information and Information Systems (IS). This policy supports the open sharing of information within the Florida Institute of Technology (Florida Tech) community while ensuring that security measures are implemented to protect against unauthorized access, use, disclosure, disruption, alteration, or destruction of information and IS.
Policy Scope
This policy applies to:
- All information and Information Systems owned, leased, operated, or under the custodial care of the University.
- All information and Information Systems managed by third parties on behalf of the University.
- All individuals accessing, using, holding, or managing University information or Information Systems.
Policy Statement
Florida Tech requires that all actions related to the handling of information and Information Systems adhere to the University's IT Information Security Policy and comply with all relevant laws, University policies, and contractual obligations. The policy mandates the implementation of administrative, technical, and physical safeguards to protect University information and IS. Compliance with this policy will be monitored through regular audits and assessments to ensure effectiveness and adherence.
Procedures/Guidelines
- Information Classification and Access Control:
  - Information Owners must classify, handle, and secure University information.
  - Authentication and access control measures must be implemented to verify identities and manage access to University information.
- IT Security Program Management:
  - Florida Tech's IT department must establish baseline configuration requirements for Information Systems, monitor compliance, and control the flow of University information.
  - Connections to external Information Systems must be supervised and regulated.
- Risk Management and Compliance:
  - The IT department must identify applicable laws and regulations, develop an information security program, and ensure that third-party vendors comply with the University's security requirements by incorporating those requirements into contracts and Data Processing Agreements (DPAs).
- Data Security and Maintenance:
  - Encryption and other protective measures must be used to secure University information, especially on mobile devices and during transmission.
  - Backup of University information and secure disposal of storage media must be ensured.
- Awareness and Training:
  - All users must complete mandatory information security training and sign agreements outlining their security roles and responsibilities before being granted access.
- Incident Response and Vulnerability Management:
  - An Incident Response Plan and a Vulnerability Management Plan must be established to handle and report security incidents and system flaws.
- Audit and Monitoring:
  - Florida Tech IT must generate and retain audit records and monitor communications at the internal and external boundaries of Information Systems.
Definitions
- Information Systems (IS): Systems used to store, process, or transmit University information, including hardware, software, networks, and data.
- Information Owner: The individual responsible for the management and security of University information.
Compliance Reference
This policy ensures compliance with key regulatory frameworks and standards that mandate the protection of sensitive information and the implementation of security measures. These include:
- Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records. This policy mandates controls to ensure that only authorized individuals have access to such records, thereby safeguarding student privacy.
- Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. This policy establishes administrative, technical, and physical safeguards to protect personally identifiable financial information.
- Health Insurance Portability and Accountability Act (HIPAA): Establishes standards for the protection of health information. This policy includes measures to protect the confidentiality and integrity of electronic health information.
- Payment Card Industry Data Security Standard (PCI DSS): Sets requirements for securing cardholder data. The policy mandates encryption and access controls to protect payment card information from unauthorized access.
By adhering to these standards and regulations, the policy not only protects University information but also helps the University avoid legal liabilities and potential penalties associated with non-compliance. The policy will be reviewed and updated regularly to adapt to changes in laws and best practices, ensuring ongoing compliance and effectiveness.
Responsibilities
- Chief Information Officer (CIO): Oversees the enforcement of this policy.
- Florida Tech IT: Responsible for the implementation and monitoring of information security measures, and for ensuring compliance with laws and regulations.
- Information Owners and System Administrators: Responsible for classifying, managing, and securing University information and IS.
Enforcement
This policy is enforced by the CIO, and non-compliance may result in the suspension or revocation of access to information systems on which sensitive information is stored.