
1.0 Overview

To protect critical information and data, and to comply with Federal Law and specifically GLB (16 CFR Part 314), the Office of Information Technology requires specific practices in the University information environment and institutional information security procedures.  These practices apply to all areas of the University and all third party contractors having access to University owned data, including food services and the book store. 

2.0 Purpose

This security program is intended to comply with a number of federal and state laws.  Each of these laws has specific requirements which are satisfied by this security program.

16 CFR 314 –

16 CFR 314, also known as the Gramm-Leach-Bliley Act, sets forth several required elements for our security program.  These include:

  1. 16 CFR 314.4.a:  “Designate an employee or employees to coordinate your information security program.”  This employee will be the Director of Network Services and Information Security.
  2. 16 CFR 314.4.b:  “Identify reasonably foreseeable internal or external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.  At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:  (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other system failures.”  This risk assessment is covered by section six of the Information Security Program.
  3. 16 CFR 314.4.c:  “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguard’s key controls, systems, and procedures.”  These safeguards are delineated as sections one through five of the program.  Section six outlines the auditing that will take place to satisfy the regular testing requirement.
  4. 16 CFR 314.4.d:  “Oversee service providers, by:  (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) requiring your service providers by contract to implement and maintain such safeguards.”  
  5. 16 CFR 314.4.e:  “Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program.”  Section six of the program includes a clause requiring annual reviews of this program.

DMCA –

In accordance with the Digital Millennium Copyright Act, Clarkson University has designated an agent to receive notifications of alleged copyright infringement occurring on the Clarkson University computer network.  Clarkson University’s response to notices of alleged infringement that comply with the DMCA [Title 17, United States Code, Section 512(c)(3)(A)] will include removal of or blocked access to the material named in the infringement notification.  All other procedures outlined in the Copyright Policy will be followed.


NYS Information Security Breach and Notification Act (NYSISBNA) –

In accordance with the requirements set forth in the NYSISBNA, the University will disclose any breach of the security of a system containing private information following discovery or notification of the breach to any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.  The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.  In accordance with the NYSISBNA, the required notification may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation.  If such a determination has been made, then notification shall take place after such law enforcement agency determines that such notification does not compromise such investigation.  Additionally, notification of the breach will be made to the New York State Consumer Protection Board, NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), and the New York State Attorney General using the methods outlined by the NYS Office of CSCIC at this website:  http://www.cscic.state.ny.us/security/securitybreach/index.htm.


Family Educational Rights and Privacy Act (FERPA) –

The Family Educational Rights and Privacy Act (FERPA) (20 USC 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records.  This law gives parents certain rights with respect to their children’s education records.  These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.  Students to whom the rights have transferred are “eligible students.”  The rights of eligible students are outlined as part of the Clarkson University Student Regulations (VIII-I).


Technology, Education and Copyright Harmonization Act (TEACH) –

TEACH says that it is not copyright infringement for teachers and students at an accredited, nonprofit educational institution to transmit performances and displays of copyrighted works as part of a course if certain conditions are met.  If these conditions are not met or cannot be met, use of the material will have to qualify as fair use, or permission from the copyright holder(s) must be obtained.  The guidelines for University compliance in this area are outlined as part of the Copyright Policy.

3.0 Scope

This policy applies to all faculty, staff and students of Clarkson University.

4.0 Policy

There are a number of steps that should be taken to maintain the security of University computing resources.  

Physical Layer

Network Layer

Application Layer

User Layer

Data Layer

Auditing

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including termination of employment.

6.0 Definitions

private information — NYSISBNA defines private information as “personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or data element is not encrypted, or encrypted with an encryption key that has also been acquired:  (1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”