Copyright © 2005, University of Delaware
Last updated: 10/25/05
This document summarizes the University of
Delaware's written information security program mandated by the
Federal Trade Commission's Safeguards Rule and the
Gramm-Leach-Bliley Act (GLBA).
- Designation of Representatives:
The Institution's Director
for Billing and Collection is designated as the Program Officer
who shall be responsible for coordinating and overseeing the
Program with the appropriate unit heads and the Information
Systems Auditor. The Program Officer may designate other
representatives of the Institution to oversee and coordinate
particular elements of the Program. Any questions regarding the
implementation of the Program or the interpretation of this
document should be directed to the Program Officer or his or her
- Scope of Program:
The Program applies to any record
containing nonpublic financial information about a
student or other third party who has a relationship with the
Institution, whether in paper, electronic or other form that is
handled or maintained by or on behalf of the University or its
affiliates. For these purposes, the term nonpublic financial
information is any information a student or other third party
provides in order to obtain a financial service from the
Institution; information about a student or other third party
resulting from any transaction with the Institution involving a
financial service; or, information otherwise obtained about a
student or other third party in connection with providing a
financial service to that person.
- Elements of the Program:
- Risk Identification and Assessment.
Risk assessments and
associated action plans have been established for the external
and internal risks to the security, confidentiality, and
integrity of nonpublic financial information that could result
in the unauthorized disclosure, misuse, alteration, destruction
or other compromise of such information. Risk assessments and
compliance plans are in effect for the departments/units
- Employee Training and Management.
Human Resources and
the Office of Information Technologies provide training for new
employees and existing employees through a program segment at
new employee orientation and ongoing annual training programs
for faculty and staff.
- Information Systems and Information Processing and Disposal.
Management Information Services and Network and System Services
have assessed the risks to nonpublic financial information
associated with information systems, including network and
software design, information processing, and the storage,
transmission and disposal of nonpublic financial information.
Current archiving and destruction processes are in place for all
paper nonpublic financial information.
- Detecting, Preventing and Responding to Attacks.
Information Services and Network and System Services have
procedures for and methods of detecting, preventing and
responding to attacks or other system failures. They also have
network access and security policies and procedures.
- Designing and Implementing Safeguards.
The risk assessment
and analysis described above shall apply to all methods of
handling or disposing of nonpublic financial information,
whether in electronic, paper or other form. An annual audit of
safeguard compliance will be done through the Internal Auditor's
Office. Evaluation of risk of new or changed business
arrangements will be coordinated by the Program Officer and the
appropriate unit head.
- Overseeing Service Providers.
The University may
appropriately share covered data with third parties. Such
activities may include collection activities, transmission of
documents, destruction of documents or other similar services.
Reasonable steps are taken to select and retain service
providers that are capable of maintaining appropriate safeguards
for the customer information at issue and to require service
providers by contract to implement and maintain such
safeguards. The Associate Director for Procurement Services
ensures that all such third party contracts include language
requiring the vendor to comply with the Federal Trade Commission
(FTC) Standards for Safeguarding Customer Data.
- Adjustments to Program.
This information security plan
shall be evaluated and adjusted for any changes in the
University's business arrangements, or in light of future
guidance from the National Association of College and University
Business Officers and/or the Federal Trade Commission.