GLB

Select employees of Fairleigh Dickinson University may be required to engage with confidential University data.

The FDU Confidentiality Agreement and Security Policy defines your obligations under Federal and State guidelines to preserve the security and confidentiality of this information.

Confidentiality Agreement and Security Policy

Fairleigh Dickinson University regards the security and confidentiality of data and information to be of utmost importance. Each individual granted access to electronic and/or hard copy data holds a position of trust and must preserve the security and confidentiality of the information to which he/she is granted access to. Therefore, it is the intent of this policy to ensure that University data, in any format, is not divulged outside of Fairleigh Dickinson University without explicit approval to do so by an Associate Vice-President of the University or higher who has responsibility for the data in question. As such, the University requires all users of data to follow the procedures outlined below:

Policy on Confidential Information

Users of University data are required to abide by all applicable Federal and State guidelines and University policies regarding confidentiality of data, including the Family Education Rights and Privacy Act (“FERPA”) and, as applicable, The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For more information, see FERPA and HIPAA).

Confidential Information shall be defined as:

• regarding student, faculty or staff: any personally-identifiable records, financial records (including social security and credit card numbers), health records; contracts, research data; alumni and donor records; personnel records other than an individual’s own personnel record;

• regarding the University: University financial data; computer and system passwords, University issued PINS, University proprietary information/data; and

• any other information for which access, use, or disclosure is not authorized by: 1) federal, state, or local law; or 2) University policy.

The individual receiving the Confidential Information shall have no obligation under this Policy with respect to Confidential Information which:

• is or becomes publicly available without breach of this Policy by the recipient;
• is rightfully received by the recipient without obligations of confidentiality; or
• is developed by the recipient without breach of this Policy; provided, however, such Confidential Information shall not be disclosed until thirty (30) days after written notice of intent to disclose is given to the University officer who has responsibility for the data in question, along with the asserted grounds for disclosure;
• is disclosed in accordance with any “whistle blower” action as provided in the U.S. False Claims Act, the New Jersey Conscientious Employee Protection Act (“NJCEPA”), or similar legislation. (Brief overview of the NJCEPA is available at here.

Any individual with authorized access to the Confidential Information is given access solely for the business of the University and must not divulge the Confidential Information outside of the University except for University business requirements approved by the President of the University or the division head responsible for the data in question. Specifically, with respect to Confidential Information, individuals must:

1. Access Confidential Information solely in order to perform his/her job responsibilities.
2. Not seek personal benefit or permit others to benefit personally from any Confidential Information that has come to them throughout their work assignments.
3. Not make or permit unauthorized use of any Confidential Information in the University’s information system or other records.
4. Not enter, change, delete or add data to any information system or files outside of the scope of their job responsibilities.
5. Not include or cause to be included in any record or report, a false, inaccurate or misleading entry known to the user as such.
6. Not alter or delete or cause to be altered or deleted from any records, report or information system, a true and correct entry.
7. Not release Confidential Information other than what is required in completion of job responsibilities which is consistent with this Policy.
8. Not exhibit or divulge the contents of any record, file or information system to any person unless it is necessary for the completion of their job responsibilities.

It is the individual’s responsibility to immediately report, as outlined under “Information Security Breech and Violation Reporting” at the end of this Policy, if the individual has violated this Policy. Additionally, given the potential harm that the University may suffer with the release of any Confidential Information, all employees are strongly encouraged to report any suspected violation of this policy or any other action, which violates confidentiality of data, as outlined at the end of this policy.

Security Measures and Procedures

All users of University information systems, including Datatel, MS File shares and FDU Office 365 email accounts, are supplied with an individual user account to access the data or systems necessary for the completion of their job responsibilities. Users of the University information systems are required to follow the procedures outlined below:

1. All transactions, processed by a user ID and password, or PIN, are the responsibility of the person to whom the user ID was assigned. The user’s ID, password, and PIN must remain confidential and must not be shared with anyone.

• Using someone else’s user ID, password or PIN is a violation of policy, no matter how it was obtained.

• Your user ID, password or PIN provides access to information that has been granted specifically to you. To reduce the risk of shared passwords – remember not to post your password or PIN on or near your workstation or share your password or PIN with anyone.

• It is your responsibility to change your password immediately if you believe someone else has obtained it.

If you need your Password or PIN changed, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) immediately.

2. Access to any student or employee information (in any format) is to be determined based on specific job requirements. The appropriate Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President is responsible for ensuring that access is granted only to authorized individuals, based on their job responsibilities. Written authorization must be received by the Computer Center prior to granting system access.

You are prohibited from viewing or accessing additional information (in any format) unless you have been authorized to do so. Any access obtained without written authorization is considered unauthorized access.

In order to prevent unauthorized use, the user shall log off of all applications that provide access to confidential information, or lock their computer when leaving their workstation. This is especially important during breaks and lunch. Unless there is a specific business need, all workstations should be shut down at the end of the workday.

Note: If you require assistance in establishing your workstation password, please access the screensaver documentation or contact the Fairleigh Dickinson University Technical Assistance Center (UTAC).

3. If you have any reason to believe your password or PIN has been compromised or revealed inadvertently, you should change your password and immediately notify one of the individuals as outlined under “Information Security Breech and Violation Reporting” at the end of this policy.

Note: All University’s computer system will periodically prompt you to change your password.

4. Upon termination or transfer of an employee, Human Resources will notify University Systems and Security, who in turn will notify the appropriate areas in the Computer Center.

5. Generally, students, temporary employees and consultants should not have access to the University record system. Written approval by the Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President in charge of the respective area is required if it is determined that access is required. The student, temporary employee or consultant is to be held to the same standards as all University employees, and must be made aware of their responsibilities to protect student and employee privacy rights and data integrity. Written authorization must be received by the Computer Center prior to granting system access.

6. You agree to properly secure and dispose of any outputs or files you create in a manner that fully protects the Confidential Information.

Additionally, I understand that if granted access to process transactions via Datatel data entry screens, any information I enter or change will be effective immediately. Accordingly, I understand that I am responsible for any changes made using my ID.

I understand that my access to University data is for the sole purpose of carrying out my job responsibilities and Confidential Information is not to be divulged outside of The University, except as previously stated. Breach of confidentiality, including aiding, abetting, or acting in conspiracy with any other person to violate any part of this policy, may result in sanctions, civil or criminal prosecution and penalties, employment and/or University disciplinary action, and could lead to dismissal, suspension or revocation of all access privileges. I understand that misuse of University data and any violation of this policy or the FERPA, HIPAA or GLB policies are grounds for disciplinary action, up to and including dismissal. This Agreement shall not abridge nor supersede any rights afforded faculty members under the Faculty Handbook.

Information Security Breech and/or Policy Violation Reporting

If you suspect an Information Security Data Breech or a violation of this policy, report such an event to your department chair or staff supervisor and send an immediate email to violation@fdu.edu. If you do not have immediate access to email, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC); do not provide details but request a ticket be opened with University Systems & Security due to an information security data breech or policy violation requesting an immediate callback. When practical, also send an email to violation@fdu.edu.

---

As a member of our community, your FDU NetID is your passport to accessing many of Fairleigh Dickinson University’s IT services. Most important is your student, employee, or alumni FDU Email account. When using FDU Email, you are an ambassador for our institution and our expectation is that you will conduct yourself in an efficient, effective, ethical and lawful manner. Please review our Policy for Acceptable Use of Email to ensure that you are adhering to all security and decorum requirements.

Effective Date: 01/01/2018

1.0 Introduction

The purpose of this policy is to ensure the proper use of e-mail by all those assigned a Fairleigh Dickinson University (FDU) e-mail account. This policy applies to any e-mail system that FDU has or may install in the future. It also applies to employee use of personal e-mail accounts via browsers, as directed below. All users of FDU e-mail systems have the responsibility to use their e-mail in an efficient, effective, ethical and lawful manner. E-mail users must follow the same code of conduct expected in any other form of written or face-to-face business communication. FDU may supplement or modify this policy for specific employees in certain roles. This policy complements similar FDU policies such as the Acceptable Use Policy and the Written Information Security Program (WISP). Please read and follow those policies as well.

The University subscribes to the 1940 Statement of Principles on Academic Freedom and Tenure and the 1940 and 1970 Interpretive Comments issued thereon, formulated jointly by the Association of American Colleges and the American Association of University Professors. Nothing in this policy is intended to supersede those statements and principles.

2.0 Ownership of Email Data

The University owns all University email accounts in the fdu.edu domain, or any subsequent domains it may create (University Email Accounts). Subject to underlying copyright and other intellectual property rights under applicable laws and University policies , the University also owns data transmitted or stored using the University Email Accounts.

3.0 Employee Responsibilities

FDU only supports the installation and usage of approved e-mail clients.

Usernames will be assigned as part of the University’s e-mail registration process and reflect internally mandated e-mail naming conventions.

3.1 Acceptable Uses

• Communicating in a professional manner with other FDU associates about work-related matters.
• Communicating in a professional manner with parties outside FDU for business purposes.
• Personal communications that are brief and do not interfere with work responsibilities.
• Users are allowed to access personal e-mail accounts on a limited basis, without disrupting business responsibilities. Access can be gained only by using a browser. Use of e-mail-specific protocols, such as POP3 and IMAP4, is prohibited, since they require specific firewall ports to be open.
• Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending the message.

3.2 Unacceptable Uses

• Creating and exchanging messages that can be interpreted as harassing, obscene, racist, sexist, ageist, pornographic or threatening, as defined by University policies.
• Creating and exchanging information that is in violation of copyright or any other law. FDU is not responsible for an associate’s use of e-mail that breaks laws.
• Personal communication that interferes with work responsibilities.
• Opening file attachments from an unknown or untrustworthy source, or with a suspicious or unexpected subject line.
• Sending unprotected healthcare data and personally identifiable consumer data or other confidential information to unauthorized people or in violation of FDU’s Acceptable Use Policy, or the Written Information Security Program (WISP). , Health Insurance Portability and Accountability Act and/or Gramm-Leach-Bliley Act regulations. Exceptions may be authorized by the University Chief Information Security Officer working with the employee’s supervisor. Communications that strain FDU’s network or other systems unduly, such as sending large files to large distribution lists.
• Communications to distribution lists of only marginal interest to members, and replying to the entire distribution list when a personal reply is effective.
• Communications with non-specific subject lines, inarticulate language, and without clear purpose.
• Auto-forwarding e-mail messages from your University e-mail account.
• Using any e-mail system, other than FDU’s e-mail system, for FDU-related communications.
• Circulating chain letters and/or commercial offerings.
• Circulating unprotected healthcare data and personally identifiable consumer data that would violate U.S. Federal HIPAA and GLB regulations. Exceptions may be authorized by the employee’s supervisor and in conjunction with use of a University-approved e-mail encryption service.
• Altering or forging the “From” line or any other attribution of origin contained in electronic mail or postings.
• Using any of the University systems for sending what is commonly referred to as “SPAM” mail (unsolicited bulk email)

4.0 Privacy Guidelines

The University typically does not review the content of electronic messages or other data, files, or records generated, stored, or maintained on its electronic information resources; however, it retains the right to inspect, review, or retain the content of such messages, data, files, and records at any time without prior notification. Any such action will be taken for reasons the University, within its discretion, deems to be legitimate. These legitimate reasons may include, but are not limited to,

• responding to lawful subpoenas or court orders;
• investigating misconduct (including research misconduct);
• determining compliance with University policies and the law; and
• locating electronic messages, data, files, or other records related to these purposes.

FDU maintains the right to monitor and review e-mail activity to ensure compliance with this policy, as well as to fulfill FDU’s responsibilities under the laws and regulations of the jurisdictions in which it operates. Users should have no expectation of privacy.

• Except as otherwise stipulated in this policy, on termination or separation from FDU, FDU will immediately deny access to e-mail, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
• Except as otherwise stipulated in this policy, employees who leave FDU will have their mailbox deleted within six months of their termination date. The employee’s manager may request that access be given to another employee who may remove any needed information within the same six month time frame.
• FDU reserves the right to intercept, monitor, review and/or disclose any and all messages composed, sent or received on the University e-mail system. Intercepting, monitoring and reviewing of messages may be performed with the assistance of content filtering software, or by designated FDU employees and/or designated external entities. Employees designated to review messages may include, but are not limited to, an employee’s supervisor or manager and/or representatives from the HR, legal or compliance departments.
• FDU reserves the right to alter, modify, re-route or block the delivery of messages as appropriate. This includes but is not limited to:
  • Rejecting, quarantining or removing attachments and/or malicious code from messages that may pose a threat to FDU resources.
  • Rejecting or quarantining messages with suspicious content.
  • Rejecting or quarantining messages containing offensive language or topics.
  • Re-routing messages with suspicious content to designated FDU employees for manual review.
  • Appending legal disclaimers to messages.
• Electronic messages are legally discoverable and permissible as evidence in a court of law.
• Users of the University’s computing and electronic communications resources must understand that electronic messages, data, files, and other records generated, stored, or maintained on University electronic information resources may be electronically accessed, reconstructed, or retrieved by the University even after they have been deleted.

5.0 Security

As with any other type of software that runs over a network, e-mail users have the responsibility to follow sound security practices.

• Users should not use the e-mail system to transfer sensitive data, except in accordance with FDU data protection policies. Refer to the Written Information Security Program (WISP). Sensitive data passed via e-mail over the Internet could be read by parties other than the intended recipients, particularly if it is clear text. Malicious third parties could potentially intercept and manipulate e-mail traffic.
• In an effort to combat propagation of e-mail viruses, certain attachment types may be stripped at the University e-mail gateway. Recipients will be notified via e-mail when this occurs. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).
• Attachments can contain viruses and other malware. User should only open attachments from known and trusted correspondents. Suspicious attachments should be reported to the University Technical Assistance Center (UTAC).
• Spam is automatically filtered at the University gateway in a highly efficient manner. Errors, whereby legitimate e-mail can be filtered as spam, while rare, can occur. If business-related mail messages are not delivered, users should check their local spam folder or the daily spam digest. If the message is not there, users should contact University Technical Assistance Center (UTAC).
• Users will not be asked by OIRT or any other FDU group by e-mail for personal information such as usernames or passwords. Any such requests should not be responded to and should be referred to the University Technical Assistance Center (UTAC). Such approaches – known as phishing – are fraudulent approaches carried out for the purpose of unlawful exploitation.

6.0 Operational Guidelines

FDU employs certain practices and procedures in order to maintain the health and efficiency of electronic messaging resources, to achieve FDU objectives and/or to meet various regulations. These practices and procedures are subject to change, as appropriate or required under the circumstances.

• For ongoing operations, audits, legal actions, or any other known purpose, FDU saves a copy of every e-mail message and attachment(s) to a secure location, where it can be protected and stored for three years. Recovery of messages from this store is prohibited for all but legal reasons.
• To deliver mail in a timely and efficient manner, message size must be less than 25MB. Messages larger than 25MB will be automatically blocked and users will be notified of non-delivery. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).

Access to the content of electronic mail, data, files, or other records generated, stored, or maintained by any user may be requested from the University’s Associate Vice President of Technology Infrastructure for the reasons set forth below and shall be authorized as follows:

1. by the Associate Vice President of Human Resources for all University employees;
2. by either Dean of Students for students; or
3. by the General Counsel for the purposes of complying with legal process and requirements or to preserve user electronic information for possible subsequent access in accordance with this policy.

In all cases, the Office of the General Counsel must be consulted prior to making a decision on whether to grant access. In the case of a time-critical matter, if the authorizing official is unavailable for a timely response, the General Counsel may authorize access.

All full-time faculty who retire from the University may keep their email address for life if they request to do so.

All full-time faculty who leave the University for reasons other than termination for cause, may request email forwarding for up to six months.

7.0 Governance and Enforcement

This policy was created with input from the University’s Data Security Incidence Response Team (DSIRT). At the request of the University’s Chief Information Security Officer (CISO), the DSIRT will review this policy annually to ensure that FDU is in compliance with internal or external requirements. FDU faces liability if users violate the terms of this policy. Therefore, willful or repeated violations of this Acceptable Use Policy for E-mail can result in informal or formal warnings, the loss of e-mail privileges, and other sanctions including termination. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

For assistance with this policy, please contact the University’s Chief Information Security Officer (CISO).

Exceptions to this policy may be authorized by the University Chief Information Security Officer working with the employee’s supervisor.

Policy violations should be reported immediately to the University’s Associate Vice President of Technology Infrastructure

The University reserves the right to suspend an e-mail account while investigating a complaint or troubleshooting a system or network problem.

This document will be reviewed semi-annually and is available both electronically and in printed form at each of the Campus Computing Centers.

It is the user’s responsibility to remain informed about the contents of this document.

Other Related and Applicable Policies

---

Revised Date: 11/22/2022

---

1. Purpose: This Policy sets the standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of information covered by applicable provisions of the Gramm-Leach-Bliley Act (“GLBA”) and associated regulations. In particular, this document describes various measures being taken by FDU to (i) ensure the security and confidentiality of covered information, (ii) protect against any anticipated threats or hazards to the security of these records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience (collectively, the “Program”). The practices described in this Policy are in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, the Family Educational Rights and Privacy Act (“FERPA”).
   
2. Scope of Program: The Program applies to any record containing “nonpublic personal information” about a student or other individual who has a continuing relationship with the University, whether the record is in paper, electronic, or other form, and which is handled or maintained by or on behalf of the University (“covered information”). [1] This includes any information that a student or other individual provides to FDU in connection with financial aid and tuition/fee collection efforts.

[1] Nonpublic personal information means: (i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. “Personally identifiable financial information” means any information that a consumer provides to FDU to obtain a financial product or service, any information about a consumer resulting from a transaction involving a financial product or service between FDU and that consumer, or information that FDU otherwise obtains about a consumer in connection with the provision of a financial product or service to that consumer. A “consumer” is an individual, including a student, who obtains or has obtained a financial product or service from FDU that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. Examples include information an individual provides to FDU on an application for financial aid, account balance information and payment history, the fact that a student has received financial aid from FDU, and any information that FDU collects through an internet “cookie” in connection with a financial product or service.

3. Roles and Responsibilities: Compliance and cooperation with this Policy is the responsibility of every employee at all levels within FDU. FDU’s Vice President and Chief Information Officer (CIO), assisted by the Chief Information Security Officer (the “CISO”), has the overall responsibility for coordinating information security pursuant to this Policy. The CIO or CISO may designate other representatives of FDU to help oversee and coordinate particular elements of the Program. The team will work closely with other members of the Office of Information Resources and Technology (OIRT), the Data Security & Incident Response Team (“DSIRT”), the University Risk Manager, the Vice President for Human Resources, and the General Counsel, as well as relevant academic and administrative units throughout the University to implement the Program.
   
4. Risk Assessment: The CIO and CISO will help the relevant offices of FDU to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information; and to assess the sufficiency of the safeguards in place to controls these risks. This effort will be embodied in a risk assessment document.
   
   The risk assessment is a written document that includes:
   
   (i) Criteria for the evaluation and categorization of identified security risks or threats that FDU faces;
   
   (ii) Criteria for the assessment of the confidentiality, integrity, and availability of FDU’s information systems and covered information, including the adequacy of the existing controls in the context of the identified risks or threats that FDU faces; and
   
   (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

5. Access Controls: The Program includes implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:
   
   (i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of covered information; and
   
   (ii) Limit authorized users’ access only to covered information that they need to perform their duties and functions, or, in the case of third parties, to access their own information.
   
   The Program is designed to identify and help manage safeguards for the data, personnel, devices, systems, and facilities that enable FDU to achieve its mission – efforts are prioritized in accordance with our objectives and risk strategy.
   
   FDU has adopted authentication and access controls as needed to implement the “principle of least privilege” around accessing covered data, meaning that no user should have access greater than is necessary for legitimate FDU purposes Data owners within each applicable University unit approve and periodically review access. This includes a periodic review by the Office of Enrollment Services of all users who have access to Enrollment Services security tracks in the Colleague System and a periodic review by other administrative departments that maintain students’ financial aid information regarding user access to the information.
   
   These efforts also include employee training regarding these controls. The OIRT will coordinate with representatives in FDU’s Office of Finance, Office of Financial Aid, Enrollment Services and other offices to evaluate on a regular basis the effectiveness of the University’s training, procedures, and practices relating to access to and use of student records, including financial aid information as well as financial information. This evaluation will include assessing the effectiveness of the University’s current policies and procedures in this area. All employees are required to train in FDU’s Written Information Security Program (WISP) (training.fdu.edu), which program is incorporated by reference into this Policy.
   
6. Monitoring Unauthorized Users and Use: FDU has implemented policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, tampering with, covered information. Various specific measures are identified in Appendix 1.
   
   These measures will include assessing the University’s current policies and procedures relating to FDU’s Acceptable Use Policy for Computer Usage, Confidentiality Agreement and Security Policy, FDU Procedure on Handling Data on Separating Employees, Password Policy, Policy for Acceptable Use of Email, Software Compliance & Distribution Policy, and Written Information Security Program. The CISO will also coordinate with the CIO and the OIRT to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
   
7. Monitoring the Effectiveness of Safeguards: FDU periodically conducts penetration tests and vulnerability assessments on its network and key information systems. These measures are designed to test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, FDU’s information systems.
   
   For those systems where continuous monitoring (or other methods to detect, on an ongoing basis, changes in information systems that may create vulnerabilities), is not practical, FDU will conduct:
   
   (i) Annual penetration testing on FDU’s information systems identified by OIRT based on relevant identified risks under the risk assessment; and
   
   (ii) Vulnerability assessments of FDU’s information systems, including systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities in FDU’s information systems based on the risk assessment, at least every six months; and whenever there are material changes to FDU’s operations or business arrangements; and whenever there are circumstances that OIRT knows (or has reason to know) may have a material impact on FDU’s information security program.
   
8. Detecting, Preventing and Responding to Attacks: The OIRT and University Risk Manager will on a regular basis evaluate procedures for and methods of detecting, preventing, and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. The FDU Data Security Incident & Response Team implements all aspects of, oversees other Departments’ adherence to, and documents all incident response activities. Upon determination by the CISO and General Counsel that a Security Incident triggers breach notification laws, the University will report the breach to relevant federal or state regulatory authorities by their designated methods; and, where applicable, the U.S. Department of Education, including details about date of breach (suspected or known); impact of breach (e.g. number of records); method of breach (e.g. hack, accidental disclosure); information security program point of contact – email and phone details; remediation status (e.g. complete, in process); and next steps (as needed).
   
   These measures will be documented in a comprehensive incident response plan that addresses:
   
   (i) The goals of the incident response plan;
   
   (ii) The internal processes for responding to a security event;
   
   (iii) The definition of clear roles, responsibilities, and levels of decision-making authority;
   
   (iv) External and internal communications and information sharing;
   
   (v) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
   
   (vi) Documentation and reporting regarding security events and related incident response activities; and
   
   (vii) The evaluation and revision as necessary of the incident response plan following a security event.

9. Overseeing In-House Developed Applications and External Service Providers: The OIRT leadership working in collaboration with the CISO will help ensure that software applications and solutions developed in-house by FDU, including modifications to third-party programs, meet the safeguard standards of this Policy. The CIO, CISO and other appropriate OIRT leaders will also coordinate with FDU’s contract review teams to raise awareness of, and to institute methods for, selecting and retaining only those service providers that can maintain appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the CIO and CISO will work with the General Counsel and the University Risk Manager to develop and incorporate standard, contractual protections applicable to third-party service providers, which will require the providers to implement and maintain appropriate safeguards.
   
   Utilizing a variety of automated risk assessment tools such as Bitsight, OIRT periodically assesses FDU’s service providers on the risk they present and the continued adequacy of their safeguards.
   
10. Encryption: FDU adopts methods to protect by encryption covered information held or transmitted by the University by encrypting both in transit over external networks and at rest. To the extent that encryption of covered information, either in transit over external networks or at rest, is infeasible, FDU secures the covered information using effective alternative compensating controls reviewed and approved by the CISO.
    
11. Multifactor authentication: FDU has implemented multi-factor authentication for any individual accessing the University’s information systems, except where the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
    
    Multi-factor authentication is defined as authentication through verification of at least two of the following types of authentication factors:
    
    (1) Knowledge factors, such as a password;
    
    (2) Possession factors, such as a token; or
    
    (3) Inherence factors, such as biometric characteristics.
    
12. Data Retention and Disposal Controls: FDU has in place procedures for the secure disposal of covered information in any format, consistent with the University’s operations and other legitimate business purposes, except where required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Where information is not needed to be retained, the University will take reasonable measures to include processes for disposal of covered information no later than two years after the last date the information is used for legitimate University purposes. The Program includes periodic review of our data retention policy to minimize the unnecessary retention of data.
    
13. Adjustments to Program: Risk assessment activities will be periodically performed to reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to reassess the sufficiency of any safeguards in place to control these risks. The CISO is responsible for evaluating and recommending adjustments to the program based on the undertaken risk identification and assessment activities, as well as any material changes to FDU’s operations or other circumstances that may have a material impact on the Program.
    
14. Reports to the Board. The Vice President of OIRT will submit written reports to the Board of Trustees at least once each calendar year. The report will include the following information:
    
    (1) The overall status of the Program and FDU’s compliance with the safeguard requirements under the GLBA;
    
    (2) Material matters related to the Program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.
    
    The CIO may approve deviations to the processes set forth in this Policy to meet changing conditions at the University, so long as such deviations are designed to achieve the safeguard goals set forth in this Policy and do not violate the GLBA and other applicable laws.

---

Appendix 1

Certain Additional Specific Safeguards

Periodically (generally at least once each year), leaders from applicable University departments and units are surveyed regarding their processes for safeguarding covered information, using a standard template. Results are compiled and conveyed to the CIO for review and follow-up, including adopting and incorporating results in the University-wide Risk Assessment.

The CIO will determine which departments and units should receive the assessment survey, based on their handling of covered information. Currently, the units are: OIRT, Office of Enrollment Services, Credits and Collections, Admissions, International Admissions, Financial Aid, Veteran Services, Accounts Payable, Management Information Systems, Conference & Summer Programs, School of Pharmacy, and the Controller’s Office.

The standard assessment template is as follows:

(A) Designate an employee or employees to coordinate the unit’s information security program.

(B) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:

• Unauthorized disclosure of sensitive information by employees through intentional or unintentional methods.
• Unauthorized access, disclosure, misuse, alteration or destruction of information on hosts.
• Detection and prevention of attacks on the systems.
• Unsecured transmission of data.
• Physical security of computer systems, network equipment, backups and paper materials.
• Managing data integrity and system failures.

(C) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

1. Unauthorized disclosure of sensitive information by employees through intentional or unintentional methods:
   
2. Unauthorized access, disclosure, misuse, alteration or destruction of information on hosts:
   
3. Detection and prevention of attacks on the systems:
   
4. Unsecured transmission of data:
   
5. Physical security of computer systems, network equipment, backups and paper materials:
   
6. Managing data integrity and system failures:

(D) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring FDU’s service providers by contract to implement and maintain such safeguards.

(E) Evaluate and adjust FDU’s information security program in light of the results of the testing and monitoring required by this Policy ; any material changes to FDU’s operations or business arrangements; or any other circumstances that are known or have reason to be known as having a material impact on FDU’s information security program.

---

The following PDF is an example of a completed assessment survey from OIRT:

---