Information Security Plan

I. Purpose

This document summarizes the West Virginia School of Osteopathic Medicine’s Information Security Plan mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm – Leach – Bliley Act (“GLBA”). In particular, this document describes the Plan elements pursuant to which the Institution intends to (i) ensure the security and confidentiality of covered data/records, (ii) protect against any anticipated threats or hazards to the security of such data/records, and (iii) protect against the unauthorized access or use of such data/records or information in ways that could result in substantial harm or inconvenience to customers. The Plan incorporates Institutional Policy GA-31 Acceptable Use of Information Technology Resources, Policy GA-11 Record Retention, and applicable departmental procedures, and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.

II. Scope of plan

This Information Security Plan has five components: (1) designating an employee or office responsible for coordinating the plan; (2) conducting risk assessments to identify reasonably foreseeable security and privacy risks; (3) ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored; (4) overseeing service providers, and (5) maintaining and adjusting this Information Security Plan based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.

III. Definitions

Covered data/records

All information required to be protected under GLBA. It also refers to financial information that WVSOM, as a matter of policy, has included within the scope of this Information Security Plan. Covered data/records include information obtained from a student/employee in the course of offering a financial product or service, or such information provided to WVSOM from another institution.

Offering a financial product or service

Includes offering student loans, receiving income tax information from a current or prospective student/student’s parents as a part of a financial aid application, offering credit or interest bearing loans, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers. Covered data/records consists of both paper and electronic records that are handled by WVSOM or its affiliates.

Service Providers

Refers to all third parties who, in the ordinary course of WVSOM business, are provided access to covered data/records. Service providers may include businesses retained to transport and dispose of covered data, collection agencies, and systems support providers, for example.

IV. Designees

In order to comply with GLBA, WVSOM has appointed the Chief Technology Officer (CTO), as the designated Plan Officer who shall be responsible for coordinating and overseeing the Plan. In addition, the CTO will collaborate closely with the Certified Information Security Analyst (CISA) that serves as WVSOM’s Technology Security Officer. The Plan Officer may designate other representatives within the Information Technology Department to assist in the implementation of the Plan. Additionally, the CTO will work with departmental leads designated by the respective Vice Presidents who have identified employees working with covered data, and the Office of Legal Counsel for privacy matters. The Plan Officer will assist relevant departments to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information; evaluate the effectiveness of the safeguards for controlling the risks; implement an annual review process with departments to insure ongoing security is maintained. Any questions or interpretation of this document should be directed to the Plan Officer or his/her IT Department designees.

V. Risk Assessments

The Plan Officer will work with all relevant areas of WVSOM to identify potential and actual risks to security and privacy of information. Each department lead designated by the respective Vice President will review their Standard Operating Procedures and confer with the Plan Officer to insure covered data/records continue to be secured appropriately at least once annually. The Information Technology Department will conduct an annual internal risk assessment in December with the CISA performing an independent risk assessment/penetration test annually April-June and recommend remediation activities, including requirements of GLBA compliance. During the risk assessments performed by IT staff and the CISA, procedures, incidents, and responses will be reviewed. Outcome reports will be provided to attest to these activities with the exception of materials that may lead to a likely breach of security or privacy issues. The Information Technology Department will adhere closely to the Federal NIST procedures in managing the security and privacy of covered data/records.

In order to protect the security and integrity of WVSOM’s network and its data, the IT Department will maintain inventory in the TeamDynamix system to identify ownership of hardware for staff and students, including relevant encryption, MAC address, IP address/subnet, physical location, operating system, intended use of the device (server, end user device, network equipment etc.). The IT Department is responsible for patching operating systems, databases, and software applications to keep current on potential threats to the network and its data. The IT Department will be responsible for physical access to information systems, and the respective department leads will insure departmental physical security. As part of the onboarding of new employees, and off boarding of retired/terminated/transferred employees, the IT Department and respective department leads will insure that confidential data access is maintained appropriately. The Human Resources Department is responsible for performing appropriate background checks for new employees, with employees and WVSOM affiliates required to complete a confidentiality statement. All new employees and students are required to take the Acceptable Use of Information Technology Resources course and associated exam. All employees are required to take an annual cybersecurity review course to reinforce the most current security and privacy protocols.

While WVSOM does not use social security numbers as student or employee identifiers, one of the largest security risks may be the possible non-standard practices concerning social security numbers by some employee reliance on social security numbers in their daily work flow. Social security numbers are considered protected information under GLBA and FERPA. By necessity, student and employee social security numbers still remain in WVSOM’s Banner student information system. WVSOM will have appropriate standard operating procedures in place that allow access based on an employee’s position/role. The IT Department has insured appropriate encryption of end user devices, and has advised employees of the appropriate methods to encrypt email. WVSOM requires a minimum Advanced Encryption Standard (AES) key of 128 bits, with preference for 256 bits going forward.

WVSOM intends, as part of the Information Security Plan, to have risk assessments with analysis, performed to identify internal and external risks to security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alternation, destruction or other compromise of covered data. The Plan Officer will establish procedures within the Information Technology Department and provide guidance to departmental leads in their respective standard operating procedures, to identify and assess security issues in conjunction with the CISA used to provide the annual risk assessment including the following:

Employee training and management

The Plan Officer and CISA will coordinate with representatives in Human Resources, Office of Business Affairs, Admissions, Registrar and Financial Aid to evaluate the effectiveness of the procedures and practices relating to access to and use of student/employee records, including financial aid information. This evaluation will occur annually and include the respective departmental standard operating procedures and manuals as they align with institutional policies GA-11 Record Retention and GA-31 Acceptable Use of Information Technology Resources. WVSOM employees will receive frequent security reminders and be required to take an annual cybersecurity course which includes GLBA specific training information.

Information Systems and Information Processing and Disposal

The Plan Officer and CISA will coordinate with the IT Managers for networking, server, and help desk services to assess the risks to nonpublic financial information associated with WVSOM’s information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. This evaluation and internal review will occur each December and will include the alignment of GA-11 Record Retention and GA-31 Acceptable Use of Information Technology Resources with the standard operating procedures for the network/network security, server administration, database administration, device management, document retention and destruction within new/surplus inventory control, The Plan Officer and CISA will also coordinate with IT Managers to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.

Detecting, Preventing and Responding to Attacks

The Plan Officer and CISA will coordinate with the IT Managers to evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response reporting and follow up forensics, including necessary Disaster Recovery processes. The Plan Officer, CTO collaborating with the CISA, may elect to delegate to a representative of the Information Technology Department the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by WVSOM. The WVSOM community has an Incident Reporting Form available to them.

VI. Designing and Implementing Safeguards

The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The Plan Officer and CISA will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.

VII. Overseeing Service Providers

The Plan Officer shall coordinate with the Director of Contracts and the Contracts Associate and Software Compliance Specialist (CASCS) for the third party service procurement activities among the IT Managers and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students/employees and other third parties to which they will have access. In addition, the Plan Officer will work with the Office of Legal Counsel to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Chief Procurement Officer of the institution in consultation with the Office of Legal Counsel. The position of Vice President of Finance and Facilities serves as the Chief Procurement Officer. These standards shall apply to all existing and future contracts entered into with such third party service providers as applicable by the Chief Procurement Officer.

VIII. Adjustments to Information Security Plan

The Plan Officer is responsible for evaluating and adjusting the Plan based on the risk identification and assessment activities undertaken pursuant to the Plan, as well as any material changes to the WVSOM’s operations or other circumstances that may have a material impact on the Plan.