Bradley University Skip repetative navigation
Attending Bradley Apply Online Student Life Our Community Visit Us A to Z Index Search Home
 
 
 
 
 
 
 

Computing Services
Policies

Bradley University
Information Security Plan


This Information Security Plan ("Plan") describes Bradley University's safeguards to protect covered data and information.[1] These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

This Information Security Plan also provides for mechanisms to:

  • Identify and assess the risks that may threaten covered data and information maintained by Bradley University;
  • Develop written policies and procedures to manage and control these risks;
  • Implement and review the plan; and
  • Adjust the plan to reflect changes in technology, the sensitivity of covered data and information and internal or external threats to information security.

Identification and Assessment of Risks to Customer Information

Bradley University recognizes that it has both internal and external risks. These risks include, but are not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of covered data and information by employees
  • Unauthorized requests for covered data and information
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of covered data and information through third parties

Bradley University recognizes that this may not be a complete list of the risks associated with the protection of covered data and information. Since technology growth is not static, new risks are created regularly. Accordingly, the department responsible for centralized information technology functions, Computing Services will actively participate and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks.

Bradley University believes Computing Services' current safeguards are reasonable and, in light of Computing Services' current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by the University. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

Information Security Plan Coordinator

Stephen Patrick, Executive Director of Computing Services, has been appointed as the Information Security plan coordinator. He is responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to Bradley University. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that Bradley University departments comply with the requirements of this policy.

Design and Implementation of Safeguards Program

Employee Management and Training

References of new employees working in areas that regularly work with covered data and information (Controller's Office, Registrar, Development and Financial Aid) are checked. During employee orientation, each new employee in these departments will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training also includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including "pretext calling"[2] and how to properly dispose of documents that contain covered data and information. Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. Further, each department responsible for maintaining covered data and information should coordinate with the Information Security plan coordinator on an annual basis for the coordination and review of additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard covered data and information security.

Physical Security

Bradley University has addressed the physical security of Computing Services covered data and information by limiting access to only those employees who have a business reason to know such information. For example, personal customer information, accounts, balances and transactional information are available only to Bradley University employees with an appropriate business need for such information.

Loan files, account information and other paper documents are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Paper documents that contain covered data and information are shredded at time of disposal.

Information Systems

Access to covered data and information via Bradley University's computer information system is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password. Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to Bradley University employees in appropriate departments and positions.

The Login Request Policy, http://www.bradley.edu/irt/cs/policies/loginrequestpol.html, documents the process for managers to request computer accounts and access for staff members.

The Computer Password Selection Policy, http://www.bradley.edu/irt/cs/policies/password.html, documents requirements on selecting appropriate passwords.

The Departing Employee Account policy, http://www.bradley.edu/irt/cs/policies/EmpAcctPol.html, documents the removal of accounts and privileges for departing staff members.

Bradley University will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. Computing Services requires that all servers must be registered before being allowed through Bradley's firewall, thereby allowing Computing Services to verify that the system meets necessary security requirements as defined by Bradley University. These requirements include maintaining the operating system and applications, including application of appropriate patches and updates in a timely fashion. User and system passwords are also required to comply with the Bradley University Password Policy. In addition, an intrusion detection system has been implemented to detect and stop certain external threats, along with an Intrusion Detection Incident Response Policy for occasions where intrusions do occur.

When commercially reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind Bradley University's firewall. All firewall software and hardware maintained by Computing Services will be kept current. Computing Services has a number of policies and procedures in place to provide security to Bradley University's information systems. These policies are documented at Computing Services policies web site, http://www.bradley.edu/irt/cs/policies/.

While the University has discontinued usage of social security numbers as student identifiers, one of the largest security risks may be the possible non-standard practices concerning social security numbers, e.g. continued reliance by some University employees on the use of social security numbers. Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). By necessity, student social security numbers still remain in the University student information system. The University will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are still used, and in what instances students are being asked to provide a social security number.

Management of System Failures

Computing Services has developed written plans and procedures to detect any actual or attempted attacks on Bradley University systems and has an Incident Response Policy which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information.

Selection of Appropriate Service Providers

Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that Bradley University determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard confidential financial information. Contracts with service providers may include the following provisions:

  • An explicit acknowledgement that the contract allows the contract partner access to confidential information;
  • A specific definition or description of the confidential information being provided;
  • A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
  • An assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects Computing Services own confidential information;
  • A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
  • An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles Bradley University to terminate the contract without penalty; and
  • A provision ensuring that the contract's confidentiality requirements shall survive any termination agreement.

Continuing Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment. The most frequent of these reviews will occur within Computing Services, where constantly changing technology and evolving risks mandate increased vigilance. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the Information Security Plan Coordinators, in consultation with the financial, legal and administrative offices of the University will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.

----------------------------------------------------------------------------------------------------------------------------

[1] Covered data and information for the purpose of this policy includes student financial information (defined below) required to be protected under the Gramm Leach Bliley Act (GLB). In addition to this coverage which is required under federal law, Bradley University chooses as a matter of policy to also include in this definition any credit card information received in the course of business by the University, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Student financial information is that information that Bradley University has obtained from a customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

[2] "Pretext calling" occurs when an individual improperly obtains personal information of university customers so as to be able to commit identity theft. It is accomplished by contacting the University, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit, convincing an employee of the University to release customer identifying information.


Go back to the top of the page
 Go back
© 2006 Bradley University • 1501 W. Bradley Avenue • Peoria, Illinois 61625 • 309/676-7611 • AccessibilityDisclaimer