I. Introduction

The University of Alabama has adopted the following Information Security Plan (Plan) for safeguarding confidential and private financial and related information as defined in this Plan. This Plan applies to covered data and information1 the University receives in the course of business as required by law as well as certain other confidential information which the University has chosen to include within the scope of this Plan (said data and information being hereafter collectively referred to as “Covered Information”). This document describes many of the activities the University currently undertakes, and will undertake, to maintain Covered Information according to legal and University requirements. This Plan provides an outline of the safeguards that apply to Covered Information that will be carried out by, and impact, diverse areas of the University.
The Plan is intended to promote the protection of the confidentiality, integrity, availability, and accountability of Covered Information. In addition to this Plan, other University policies on data confidentiality and safeguarding may apply to specific data, computers, computer systems, or networks provided or operated by University departments. This Plan applies to everyone who uses, maintains or manages University business processes which involve Covered Information.
The Plan applies wherever Covered Information is located, whether on campus or from remote locations. The Plan will be evaluated periodically and adjusted as necessary in light of relevant circumstances, including changes in the University’s business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic auditing of each relevant unit’s compliance will be done per the internal auditing schedule. The Internal Audit Office will conduct annual risk assessments and in conjunction with the Office of Counsel will evaluate the risk associated with new or changed business arrangements.

II. Plan Coordination

The University employees designated for the coordination and execution of the Plan are the Information Security Officer for the Office of Information Technology and the Director of Receivables and Collections (hereafter referred to as the “Plan Coordinators”). Persons having questions or correspondence regarding technical issues should contact the Office of Information Technology; questions or correspondence regarding functional issues should be directed to the Office of Student Receivables. These two offices will coordinate with the relevant University business units, the Office of Counsel, and Internal Audit in order to maintain the Plan.

III. General Guidelines

The Office of Information Technology (OIT) will set electronic guidelines for the safeguarding of Covered Information that is in electronic format. OIT will maintain and provide access to policies and procedures that are designed to safeguard against anticipated threats to the security or integrity of Covered Information, in either electronic or other formats, and to guard against the unauthorized use of Covered Information. Each relevant University business unit is responsible for securing Covered Information in accordance with this Plan and all other University policies and applicable laws. Each relevant University business unit must develop and maintain a written security plan that details the safeguards and security procedures for Covered Information located in its unit. Each relevant University business unit will make its security plan available to OIT and Internal Audit upon request.
The Registrar’s office will provide guidance in complying with privacy requirements established for educational records in accordance with the Family Educational Rights and Privacy Act of 1974, as amended, (“FERPA”) and other applicable federal and state laws and regulations. Each relevant University business unit is responsible for securing protected student and educational records located in its unit in accordance with applicable University policies and law.

IV. Identification and Assessment of Risks to Covered Information

The University recognizes that risks of unauthorized use of or access to Covered Information exist, including, but not limited to:

Unauthorized access of Covered Information by someone other than the owner of the Covered Information
Compromised system security as a result of system access by an unauthorized person
Interception of Covered Information during transmission
Loss of Covered Information integrity
Physical loss of Covered Information in a disaster
Errors introduced into the system
Corruption of Covered Information or systems
Unauthorized access of Covered Information by employees
Unauthorized requests for Covered Information
Unauthorized access to Covered Information through hardcopy files or reports
Unauthorized transfer of Covered Information through third parties

The University recognizes that this list of the risks associated with the protection of Covered Information is not exhaustive. New risks of unauthorized use or access to Covered Information are created regularly because technology growth is not static. Accordingly, OIT will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS for identification of new risks to safeguarding Covered Information.

V. Employee Management and Training

During new employee orientation, each new employee will receive training on the importance of confidentiality of customer records, financial information, and other types of data and information that comprise Covered Information. Each new employee also will receive training in the proper use of computer information and passwords, controls and procedures to prevent employees from providing Covered Information to an unauthorized individual, and how to properly dispose of documents that contain Covered Information. Each relevant University business unit responsible for maintaining Covered Information must implement steps to protect the Covered Information from destruction, loss or damage due to environmental hazards, such as fire and water damage or due to technical failures.

VI. Service Providers

When a non-University service provider will have access to Covered Information, the service provider must agree to provide and maintain adequate safeguards for the University’s Covered Information. Relevant University business units contracting with service providers that will have access to Covered Information will forward the service contract accompanied by a summary of the service and the type of Covered Information involved to the Office of Counsel for review and if required, modification to include safeguard provisions.
In the process of selecting a service provider that will have access to Covered Information, the relevant University business unit should evaluate the ability of the service provider to safeguard the Covered Information. Examples of the types of safeguarding provisions for inclusion in contracts with service providers include the following:
An explicit acknowledgement that the contract allows the service provider access to Covered Information

A specific definition of the Covered Information to which the service provider will have access

A stipulation by the service provider that it will hold the Covered Information in strict confidence and access it only for the explicit business purpose of the contract

A representation by the service provider that it will comply with the safeguards for Covered Information outlined in the contract

A representation by the service provider that it will protect the Covered Information it accesses according to commercially acceptable standards and no less rigorously than it protects it own Covered Information

A provision requiring the service provider to return or destroy of all Covered Information received by it upon completion of the contract

An agreement by the service provider to allow the entry of injunctive relief without posting bond in order to prevent or remedy the breach of the confidentiality obligations of the contract

A provision that any violation of the contract’s safeguard conditions amounts to a material breach of contract and entitles the University to immediately terminate the contract without penalty

A provision that permits the University to audit the service provider’s compliance with the contract safeguard requirements

A provision ensuring that the contract’s safeguard requirements will survive any termination of the contract

VII. Departmental Security Coordinators (DSC)

Each relevant University business unit affected by this Plan must appoint a Departmental Security Coordinator (DSC) for its unit. At a minimum, a DSC must be named at the division or college level. This assignment is not necessarily seen as a full-time position, but is at the discretion of the business unit. Once the DSC is appointed, the relevant University business unit must notify the Plan Coordinators of the identity of and contact information for the DSC for contact and incident response purposes. The DSC will be responsible for coordinating security efforts within that business unit’s organization.

VIII. DSC Policies and Procedures

All relevant University business units must have written security plans and safeguarding procedures for Covered Information. The DSC is responsible for the coordination of the business unit’s Covered Information security plan and safeguarding procedures. Each relevant University business unit must make available its security plan and safeguarding procedures to the Plan Coordinators upon request. It is the responsibility of all relevant University business units to identify and document the Covered Information to be protected.
The relevant University business unit security plans and safeguarding procedures at a minimum must contain the following:

Physical Security

Document adequate physical security measures for the protection of physical and logical assets, sensitive applications and Covered Information.

Authentication, Authorization and Accountability

Establish criteria for issuing and revoking accounts.
Describe minimum authentication requirements such as password content and aging.
Implement and maintain, where possible, an audit trail and logs to account for activity on, or devices connected to, the campus network.

Security Awareness

Ensure that all business unit users are aware of, have access to, and comply with the University’s Acceptable Use Policy.
Ensure that all people who maintain or manage IT resources within the business unit comply with University and business unit IT policies.

Risk Assessment

Performance by the DSC of a risk analysis of potential security threats to IT resources at least once every three years and provide the results to the Plan Coordinators.

Incident Response

Require notification of the Plan Coordinators by the DSC of security incidents involving threats to Covered Information, such as, without limitation, unauthorized scanning activity and access violations, and full cooperation with the Information Security Officer by the DSC in security incidents.

Virus Protection

Ensure up-to-date versions of anti-virus software are installed by the DSC on all workstations in the DSC’s business unit.

Business Resumption Plan

Maintenance of a business resumption plan that includes procedures for various disaster scenarios, both natural and man made, based upon an initial risk assessment of the business unit’s operating environment.

1 Covered data and information for the purpose of this Plan includes personal non-public financial information (defined below) required to be protected under the Gramm Leach Bliley Act (GLB). In addition to this coverage which is required under federal law, the University may choose as a matter of policy to also include in this definition any credit card information received in the course of business by the University, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Personal non-public financial information is that information that the University has obtained from a customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of personal non-public information could include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.