Written Information Security Program
Responsible Executive/UWA System Officer: Director, Office of Information Technology
Responsible Office: Office of Information Technology
Approved Distribution:
Status: Effective Date: 4/30/2024
1 Introduction
The University of West Alabama (UWA) is required to protect student financial aid information provided to it by the Department of Education or otherwise obtained in support of the administration of the Federal student financial aid programs (Title IV programs). UWA participates in the Title IV program and, as such, has agreed in its Program Participation Agreement (PPA) to comply with the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule under 16 C.F.R. Part 314.
To comply, UWA must ensure that all Federal Student Aid applicant information is protected from access by, or disclosure to, unauthorized personnel, and that its personnel are aware of and will comply with all of the requirements to protect and secure data obtained from the Department’s systems for the purposes of administering the Title IV programs.
2 Objective
To achieve the GLBA objectives, UWA is required to develop, implement, and maintain a written, comprehensive information security program (WISP). The GLBA regulations require that the information security program contain administrative, technical, and physical safeguards for the protection of Confidential Information maintained by UWA. These include:
- Ensuring the security and confidentiality of student information;
- Protecting against any anticipated threats or hazards to the security or integrity of such information;
- Protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student; and
- Defining an information security program that is appropriate to UWA’s size, scope, and business, its available resources, and the amount of personal and other sensitive information that UWA owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
3 Scope of the WISP & Key Program Design and Implementation Features
The WISP was designed and developed, and will be implemented, to include the following key features, requirements, and components:
- Identification of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records, or other UWA Information, containing Confidential Information;
- Assessment of the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Confidential Information;
- Evaluation of the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;
- Design and implementation of safeguards to minimize those risks; and
- Regular monitoring of the effectiveness of those safeguards.
This WISP applies to all UWA faculty and staff, whether full-time or part-time, paid or unpaid, temporary or permanent, as well as all agents and representatives of the UWA, including any Third Party Provider providing services to the UWA (“UWA Users”), who create, use or otherwise access or interact with any UWA Information or UWA Information Resource.
This WISP applies to all UWA Information, including all information collected, stored or used by or on behalf of any operational unit, department and person within the UWA community in connection with UWA operations. In the event that any particular information at UWA is governed by more specific requirements under other UWA policies or procedures, the more specific requirements shall take precedence over this WISP to the extent there is any conflict.
4 Related Laws, Regulations, Policies and Procedures
UWA will maintain all Cybersecurity standards established to protect institutional data using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security controls. UWA’s implementation of these controls is documented in the UWA Enterprise Security Plan (see Appendix B).
UWA will ensure its policies and standards are in alignment with the following applicable federal, state, and local regulations (see Appendix A for more information):
- Family Educational Rights and Privacy Act (FERPA)
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Higher Education Opportunity Act (HEOA)
- Payment Card Industry Data Security Standards (PCI DSS)
- Red Flag Rules (Fair and Accurate Credit Transactions Act, Federal Trade Commission)
- Consumer protection, Alabama Data Breach Notification Act 2018 SB 318
As part of this WISP, UWA will develop, maintain, and distribute information security policies and standards in accordance with applicable laws and regulations. (16 C.F.R. 314.4(e)). UWA will establish and maintain the following policies:
- UWA Acceptable Use Policy
- UWA Information Security Policy
- UWA Information Classification Policy
- UWA Privacy Policy
5 Administrative Oversight & Roles and Responsibilities
UWA has designated a qualified individual responsible for overseeing, implementing, and enforcing the WISP (16 C.F.R. 314.4(a)).
The UWA Director of the Office of Information Technology (Director) will create and oversee the WISP and review it with the Chief Information Security Officer (CISO) and, to the extent needed, with the designated Department Information Security Coordinator (DISC) in each academic and administrative department, at least annually or whenever there is a material change in business practices related to the WISP.
The Director will also oversee (and the CISO will implement) information security training in connection with the WISP to ensure that faculty, staff and administrators are aware of their responsibilities.
The designated qualified individual will, at least annually, provide to UWA management and its Board of Trustees (or an appropriate committee of the Board) a written report regarding the status of the information security program and UWA's safeguards to protect personal information. The report will cover the program’s overall status; compliance with applicable laws and regulations; material matters related to the program, such as risk assessment, risk management and control decisions, service provider arrangements, testing results, security events or policy violations and management’s responses; and recommendations for program changes. (16 C.F.R. 314.4(i))
6 Identification and Assessment of Risks to UWA
As a part of developing and implementing this WISP, UWA will conduct and base its information security program on a periodic, documented risk assessment, at least annually, or whenever there is a material change in UWA’s business practices. (16 C.F.R. 314.4(b))
The Director and the CISO will identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
The written risk assessment shall include:
- Criteria for the evaluation and categorization of identified security risks or threats UWA faces;
- Criteria for the assessment of the confidentiality, integrity, and availability of UWA’s information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats UWA faces; and
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
7 Information Security Safeguards
To control the risks identified through risk assessments, UWA has implemented the NIST SP 800-171 security controls which provide reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal or other sensitive information that UWA owns or maintains on behalf of others.
The following are the current minimum set of safeguards as identified in 16 C.F.R. 314.4(c)(1) through (8).
7.1 Access Controls
UWA implements and periodically reviews access controls, including technical and physical controls to:
- Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and
- Limit authorized users' access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information.
7.2 Identification and Authentication
UWA employs a comprehensive Identification and Authentication system to identify and manage the data, personnel, devices, systems, and facilities that enable UWA to achieve its business purposes, in accordance with their relative importance to business objectives and UWA’s risk strategy.
7.3 Data Safeguards
UWA will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of personal or other sensitive information that UWA owns or maintains on behalf of others.
7.3.1 Data Classifications
UWA employs a comprehensive data classification schema that leverages four levels of classification. Each category denotes a unique level of sensitivity. Data classification is as follows: 1. Public, 2. Internal, 3. Confidential.
Once data is classified, departments must ensure that the appropriate levels of security controls are applied to the data.
7.3.2 Data Encryption
UWA requires that all users apply UWA Cybersecurity-approved encryption solutions to all sensitive UWA data, wherever that data is processed, stored, or transmitted, in order to preserve its confidentiality and integrity and to control access to it.
7.3.3 Data Access & Storage
Access to UWA data and systems is granted through authorized access controls established by UWA. Access is reviewed on a periodic basis to ensure access is appropriate.
7.3.4 Data Destruction
UWA develops, implements, and maintains procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
7.3.5 Data Safeguards Policy Review
UWA will periodically review its data retention policy to minimize the unnecessary retention of data.
7.4 Secure Software Development
The UWA Director working in collaboration with the CISO will help ensure that software applications and solutions developed in-house by UWA, including modifications to third-party programs, meet the safeguard standards of this Policy. The Director, CISO and other appropriate UWA leaders will also coordinate to raise awareness of, and to institute methods for, selecting and retaining only those service providers that can maintain appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access.
UWA applies industry best practices for maintaining the confidentiality, availability, and integrity of information systems by maintaining up-to-date firewall protection, operating system security patches, and malware protection. The most current security updates are applied regularly. UWA performs regular Intrusion Detection monitoring and logging to prevent unauthorized access.
7.5 Multi-Factor Authentication
UWA implements multi-factor authentication for all individuals accessing any information system, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls. All users and members authenticate with a unique ID and password to access systems and data. Passwords must adhere to the UWA Password Policy.
7.6 Employee training
All employees and (as applicable) contractors, volunteers, vendors, and other third parties, are required to complete annual security and awareness training, periodic training regarding this WISP, training pertaining to UWA’s safeguards, and relevant information security policies and procedures. Training requirements are updated as necessary or indicated by UWA’s risk assessment activities. All users are required to follow standards and guidelines in conjunction with any training to ensure secure data handling.
Employees and (as applicable) contractors, volunteers, vendors, and other third parties responsible for implementing the information security program are required to complete specialized training that assists them in performing their duties securely.
7.7 Change Management
UWA incorporates change management policies and procedures into the information security program to evaluate changes that could undermine existing security measures.
7.8 Auditing and Logging
UWA implements policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
8 Third Party Agreements
UWA will assess each of its service providers that may have access to or otherwise create, collect, use, or maintain personal or other sensitive information on its behalf by evaluating the service provider’s ability to implement and maintain appropriate security measures, consistent with this WISP, all applicable laws, and UWA’s obligations, and by requiring the service provider by contract to implement and maintain such reasonable security measures.
Data owners / stewards are responsible for confirming third-party service providers are maintaining appropriate security measures and data handling procedures to protect UWA data consistent with this program.
9 Continuous Monitoring
UWA regularly tests or otherwise monitors the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. (16 C.F.R. 314.4(d))
UWA annually conducts penetration testing of information systems based on relevant identified risks in accordance with the risk assessment.
UWA conducts vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in information systems based on the risk assessment:
- at least every six months;
- whenever there are material changes to UWA operations or business arrangements; and
- whenever there are circumstances known that may have a material impact on the information security program.
10 Incident Response and Reporting
Incidents that raise concerns about the privacy or security of Personal Information must be reported promptly upon discovery to UWA Cybersecurity (16 C.F.R. 314.4(h)).
The Cybersecurity Incident Response Team (IRT) shall investigate all reported security incidents and Breaches. Led by the Cybersecurity Operations Director, the Cybersecurity Incident Response Team is responsible for:
- Developing and maintaining the UWA information security incident response plan.
- Coordinating and responding to incidents in accordance with the requirements of federal, state, and local laws.
- Minimizing the potential negative impact to UWA, clients, and third parties as a result of such incidents.
- Restoring services to a normalized and secure state of operation.
- Providing clear and timely communication to all interested parties.
11 Enforcement
Any employee who willfully accesses, discloses, misuses, alters, destroys, or otherwise compromises Confidential or Restricted data without authorization, or who fails to comply with this Program in any other respect, will be subject to disciplinary action, which may include termination.
12 Document History
Effective Date:
Drafted:
Reviewed by: UWA Cybersecurity Committee
Approved by:
Appendix A
Family Educational Rights and Privacy Act (FERPA)
A federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
General Data Protection Regulation (GDPR)
A regulation in European Union (EU) law for data protection and privacy. This regulation sets forth a standard for any organization involved with the transferring or collecting of data and information from the citizens of the European Union. In the UWA setting, schools must follow the privacy guidelines in order to protect the data of international students.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions or companies that offer consumers financial products or services like loans, financial or investment advice, or insurance to explain their information sharing practices to their customers and to safeguard sensitive data.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act requires that any medical institution or UWA protect and maintain the privacy of a patient’s or student’s electronic medical records.
Higher Education Opportunity Act (HEOA)
The Higher Education Opportunity Act of 2008 (HEOA) is federal legislation designed to strengthen the educational resources of colleges and universities and to provide financial assistance for students in post-secondary education.
Payment Card Industry (PCI)
The PCI is a set of technical and operational standards set forth to protect a cardholder’s financial data and information that organizations must follow. These standards ensure that organizations use secure and best practice methods to accept, transmit, or store card data.
Red Flags Rule
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or red flags of identity theft in their day-to-day operations.
Consumer Protection, Alabama Data Breach Notification Act of 2018 SB 318
The Alabama Data Breach Notification Act of 2018 defines sensitive personally identifying information as a specific individual's first name or first initial and last name in combination with their Social Security number or tax identification number.