Information Security Plan
Policy Category: Information System and Technology Policies
Subject: Data security and protection policy/procedures
Division/Office Responsible for this Policy: Office of Digital Learner Experience
Effective Date: April 2020
Last Reviewed: October 2022
Procedures link(s):
Related University Policies/Documents: Background Check Policy; Data Governance Policy; FERPA; Email Policy; HIPAA; Information Security Plan; Minimum Security for Computing Devices; Records Document Retention Policy; Red Flag Identity Theft Protection; Social Media Policy; University Technology and Network Use Violations
1. Purpose and Objective
The purpose of this Information Security Plan (“ISP”) is to describe how Maryville University (“MARYVILLE,” “we,” or “our”) implements and maintains appropriate administrative, technical, and physical safeguards to protect Restricted and Highly Restricted Data (as defined below) that we access, collect, distribute, process, store, use, transmit, dispose, or otherwise handle.
We take seriously our responsibility to safeguard and protect Restricted and Highly Restricted Data and to comply with applicable federal and state privacy and data security laws and regulations or contractual obligations. To that end, we have implemented a number of policies, procedures, plans, and documents that make up our Comprehensive Information Security Program (“CISP”). This document is one component of our CISP and should be read in conjunction with such other materials, protocols, and procedures.
2. Definition of Restricted / Highly Restricted Data
Restricted Data Classification – Restricted data is data that contains non-public data elements about individuals and should be kept confidential, with access requiring authorization or a legitimate need to have access to the data. Restricted data includes any individually identifiable information that is related to past, present, or future educational data. Restricted data also includes data protected by federal and/or state regulations, confidentiality agreements, or other contractual obligations.
Examples of Restricted data include data commonly considered FERPA-protected information (grades, GPA, race/gender or other data that would make a student’s identity easily traceable).
Highly Restricted Data Classification – Highly Restricted data is sensitive data that is highly confidential business information and/or non-public data elements about individuals that could lead to harm from unauthorized access. Highly restricted data may require the university to notify individuals and/or governmental agencies if the data is inappropriately accessed, acquired, and/or disclosed.
Examples include Social Security numbers, date of birth, government-issued driver’s license or passport numbers, information collected from the Free Application for Federal Student Aid (FAFSA) and other information protected by the Higher Education Act, credit card numbers (PCI), other forms of personally identifiable information (PII) as defined by applicable privacy laws, protected health information (PHI), data subject to import and export controls, FISMA-regulated data, login credentials, and information protected by non-disclosure agreements or other third-party contracts.
3. Scope
This ISP applies to any Restricted or Highly Restricted data, whether in paper, electronic, or other form, that is accessed, collected, distributed, processed, protected, stored, used, transmitted, disposed, or otherwise handled by or on behalf of MARYVILLE or its affiliates. All MARYVILLE faculty, staff, students, and all others granted access to Restricted or Highly Restricted data (“Authorized Users”) are subject to and have responsibilities under this ISP and MARYVILLE’s CISP. This ISP is not intended to supersede any existing MARYVILLE policy that provides more specific requirements for safeguarding certain types of data (See Additional Security Policies referenced below).
4. Risk Assessment
MARYVILLE recognizes that there are both internal and external risks to the security, confidentiality, and integrity of Restricted and Highly Restricted data that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromise of such data.
Internal and external risks to Restricted and Highly Restricted data may occur in the following areas of operation:
- Internal Risks: Employee training and management;
- Operational Risks: Information systems, including network and software design, information processing, storage, transmission, and disposal; and
- External Risks: Security breaches, attacks, intrusions, and other system failures, especially as they relate to detecting, preventing, and responding to attacks or other system failures.
Maryville recognizes that risks change and new risks emerge periodically. Maryville will regularly test or otherwise monitor the implementation and effectiveness of the CISP. Maryville will conduct risk assessments periodically or whenever there is a need based on any material changes to our operations or business arrangements, or any other circumstances that we know or have reason to know may have a material impact on our information security program.
5. Chief Information Security Officer
Maryville has designated Scott Obermeyer as the Chief Information Security Officer (“CISO”) to coordinate our ISP and CISP. The CISO may designate other Maryville representatives to oversee and coordinate particular elements of the ISP and CISP.
Any questions or concerns regarding this ISP or CISP or Maryville Information Security should be addressed to the CISO at:
Maryville University
650 Maryville University Drive
St. Louis MO 63141.
Email: ciso@maryville.edu
Office: Gander Hall 139B
Mobile: 314-637-8900
The CISO will be responsible for implementing, supervising, and maintaining the ISP. These responsibilities include:
- Coordinating ongoing training of Authorized Users regarding their responsibilities and duties under the ISP and CISP;
- Coordinating risk assessments of reasonably foreseeable internal and external risks to Restricted and Highly Restricted Data and assessing the sufficiency of existing safeguards to control identified risks;
- Coordinating regular testing and monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
- Coordinating regular evaluations and adjustments to the CISP in light of the results of tests and monitoring; any material changes to operations or business arrangements; or any other circumstances that may have a material impact on the CISP;
- Overseeing incident response procedures;
- Establishing and managing enforcement policies and procedures for this ISP, in collaboration with the human resources department and management; and
- Assisting Maryville employees in evaluating the ability of Maryville’s third-party service providers to implement and maintain appropriate safeguards, and contractually requiring third-party service providers to implement and maintain appropriate safeguards.
6. Service Providers
Maryville will oversee service providers by:
- Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for Restricted and/or Highly Restricted data; and
- Contractually requiring service providers to implement and maintain appropriate safeguards.
7. Breach Response Instructions
Any possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of Restricted or Highly Restricted data, or a violation or attempted violation of the information safeguards described herein, must be reported immediately to the Maryville IT Security Team. A member of the Team will document all reported or detected breaches and subsequent responsive action.
In the event of an actual breach of Restricted or Highly Restricted data, Maryville will:
- Take immediate action to secure any Restricted and/or Highly Restricted data that has or may have been compromised;
- Preserve and review files or programs that may indicate how the breach occurred, and take other appropriate steps as may be necessary; and
- Review and implement appropriate safeguards to mitigate the recurrence of such a breach.
Maryville will comply with applicable federal and state laws and regulations with respect to breach notification.
8. Identity Theft Program
Maryville has developed and implemented a written program to detect, prevent, and mitigate identity theft. The program includes policies and procedures to:
- Identify the red flags of identity theft that may occur in day-to-day operations;
- Detect red flags;
- Prevent, mitigate, and respond to red flags; and
- Update the program.