University of Pittsburgh
Customer Information Security Plan
Purpose.
This customer information security plan describes the University of Pittsburgh’s ongoing efforts to secure customer information related to students and other customers of the University. The University is required by law, specifically the Gramm-Leach-Bliley Act, to:
1) maintain, monitor, and test this plan;
2) designate a security officer to coordinate the safeguarding of customer information;
3) identify and assess risks to customer information; and
4) evaluate, improve, and implement safeguards to protect customer information.
The security plan also makes good business sense. This plan ensures that the University’s “customers” are confident that the University is taking adequate steps to protect their information and to minimize loss in the event of a security breach. The plan also serves to deter an increasingly common crime nationwide: identity theft.
Scope.
The security plan protects customer information University-wide in any office, department, school, or responsibility center that is significantly engaged in financial activities. When in doubt as to whether a school, department, responsibility center, or office is ‘significantly engaged’ in financial activities, the unit should err on the side of applicability.
“Customer information” means any paper or electronic record containing non-public personal information about a customer that the University, or its affiliates, handle and maintain. Customer information includes any personally identifiable information provided by students or others in order to obtain a financial product or service from the University such as loan applications, credit card numbers, account histories, and related consumer information.
University Unit Responsibilities.
A. Securing Information.
Units must immediately assess the safeguards they have in place to protect not only customer information, but all confidential University data. Heads of units should appoint a trusted and knowledgeable employee to oversee their individual safeguarding programs. Specific safeguarding practices that units must assess, and if necessary, implement, include:
1. Maintaining physical security by locking rooms and file cabinets where customer and sensitive information is stored. Ensuring windows are locked and using safes when practicable for especially sensitive data such as credit card information, checks, and currency;
2. Maintaining adequate key control and limiting access to sensitive areas to those individuals with appropriate clearance who require access to those areas as a result of their job;
3. Using and frequently changing passwords to access automated systems that process sensitive information;
4. Using firewalls and encrypting information when feasible;
5. Referring calls and mail requesting customer information to those individuals who have been trained in safeguarding information;
6. Shredding and erasing customer information when no longer needed in accordance with unit policy;
7. Encouraging employees to report suspicious activity to supervisors and law enforcement authorities; and
8. Ensuring that agreements with third-party contractors contain safeguarding provisions and monitoring those agreements to oversee compliance.
B. Training.
1. Units should ensure that all new and existing employees who are involved in activities covered under the Act receive safeguarding training. A written agreement containing the new employee’s signature, and attesting to the fact that he or she received training, is aware of University and Unit information policies and guidelines, and is aware of the importance the University places on safeguarding information, is suggested.
2. Training should, at a minimum, encompass the eight “Securing Information” items listed above in A (1-8).
C. Monitoring and Detection.
Units must continually assess the vulnerabilities of their systems. University consultants are available to assist in assessing the efficacy of their existing safeguards and in proposing improvements. The University Police, who have qualified security specialists on staff, are available to discuss physical security issues. CSSD will also provide a cyber-security analysis for your unit.
D. Managing System Failures.
The University acknowledges that no system is flawless. Nevertheless, immediate steps should be taken to correct any security breach. Units must immediately report significant failures of their safeguarding system to the University Police, CSSD if the problem involves computer security, and to the Designated Customer Information Security Officer. Affected customers may also need to be notified after the unit consults with University Police and the Office of General Counsel. Examples of significant failures would include a successful hacking effort, a burglary, or impersonations leading to the defrauding of customers.
E. No Third-Party Rights.
While this plan is intended to promote the security of information, it does not create any consumer, customer, or other third-party rights or remedies, or establish or increase any standards of care that would otherwise not be applicable.
University Policies and Guidelines that Protect Customer Information.
The following policies and guidelines supplement and help to create a comprehensive information security plan. Referral and adherence to these documents is imperative to overall protection of customer information. The following documents are incorporated by reference into the plan.
A. University Policy and Procedure 09-08-01 govern “Access to Student Records.” The policy and procedure outline the University’s implementation of the Family Educational Rights and Privacy Act (FERPA). They can be found at:
http://www.pitt.edu/HOME/PP/policies/09/09-08-01.html
http://www.pitt.edu/HOME/PP/procedures/09/09-08-01.html
B. The University’s Registrar maintains an easy-to-read interpretation of FERPA as it applies to student accounts at:
http://www.pitt.edu/~srfsweb/frpaPgFERPA.htm
C. University policy delineates the requirements and implementation of the Health Insurance Portability and Accountability Act (HIPAA). This policy bolsters patient privacy in regard to health care and payment for health care, and can be found at:
http://www.pitt.edu/hipaa/
D. The University stresses information technology security in the following policies and guidelines.
University Policy 10-02-04 governs access to data:
http://www.pitt.edu/HOME/PP/policies/10/10-02-04.html
UP Procedure 10-02-04 provides a form for request for data access that employees must complete:
http://www.pitt.edu/HOME/PP/procedures/10/10-02-04.html
University Policy 10-02-06 governs the security and privacy of University data and provides for disciplinary action against violators of the policy:
http://www.pitt.edu/HOME/PP/policies/10/10-02-06.html
The following guidelines also indicate how the University protects computer-based information.
General Computer Security and Tutorials:
http://www.technology.pitt.edu/security/index.html
E-Business Security Guidelines:
http://www.bc.pitt.edu/ebusiness/securityreview.htm
E. The University’s Staff Handbook, in the Staff Responsibility section, emphasizes the protection and confidentiality of University proprietary information. It also specifically prohibits the misuse of information for personal gain or the gain of others in the Misuse of Information section. The Handbook is located at:
http://www.hr.pitt.edu/empreledu/staffhb/section10.htm#gpg
F. The University’s Faculty Handbook, in the Misuse of Information section, prohibits faculty from unauthorized access to information for the purposes of personal gain or the gain of others. The Handbook also stresses “IT” security and is located at:
http://www.pitt.edu/~provost/handbook.html
Designated Customer Information Security Officer.
The designated customer information security officer is Robert F. Pack, the Vice Provost for Academic Planning and Resources Management, who is responsible for coordinating the safeguarding of customer information throughout the University.