Information Security Plan
Purpose:
The Pacifica Graduate Institute (“Pacifica”) Information Security Plan (“Plan”) outlines the privacy practices or information security measures of the school. The Plan describes Pacifica’s safeguards to protect confidential information belonging to its students, faculty, and staff. The purpose of the Plan’s procedures is to facilitate:
- The security and confidentiality of covered data and information;
- The protection of personal data against anticipated and unanticipated threats or hazards to the security or integrity of covered information; and
- The protection against unauthorized access to or use of covered data and information.
The school continues to be diligent in providing safeguards to protect against unwanted intrusions with malicious or other intent, as well as to protect the information that the institution works with during the normal course of business. These safeguards address information that is stored centrally, as well as decentralized information that is stored in hardcopy and electronic format. Technological advances have enabled students, faculty, and staff to extract data from centrally maintained systems and store covered data on laptops, desktops, or on transportable storage devices. Policies and guidelines are continually being augmented to manage the decentralized nature of information security.
Scope:
The Plan addresses both network security and the security of the information the school maintains. The Plan is a general framework for information security. The Plan applies to institutional data assets, network infrastructure, data center facilities, and personal computers. The Plan applies to all Pacifica faculty, staff, students, consultants, vendors, and guests that have access to covered information in any form. The Plan assists Pacifica’s compliance with the following laws and regulations.
Federal/State Laws:
Family Educational Rights and Privacy Act (FERPA)
One of the most significant current risks under FERPA is that the number of electronic records created by or relating to students that are stored in educational databases on servers has increased exponentially, increasing in turn the number of potential “educational records” that must be protected. Deciding what constitutes an educational record subject to FERPA, therefore, is increasingly complex in the current technological environment. This ambiguity, combined with the proliferation of electronic records and the need to protect against unauthorized disclosure, threatens to significantly increase the costs and risks of exposure for security breaches.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Educational institutions that are affiliated with health care providers are considered covered entities and must provide written notice of their affiliated health care provider’s electronic information practices. Most employer-sponsored health plans also are considered to be “entities” subject to HIPAA. As a result, educational institutions may be obligated to comply with HIPAA in connection with a broad range of activities.
Electronic Communications Privacy Act (ECPA)
Unlike FERPA and HIPAA, which are specific to certain types of entities, the ECPA broadly prohibits the unauthorized use or interception by any person of the contents of any wire, oral or electronic communication. Protection of the “contents” of such communications, however, extends only to information concerning the “substance, purport, or meaning” of such communications. As a result, the monitoring by institutions of students’ network use or of network usage patterns, generally, would not be prohibited by the ECPA. Thus, an institution’s right to monitor electronic communications, or its obligation or ability to comply with a law enforcement request, may vary depending on whether the user in question is a student, an employee, or a member of the public.
Computer Fraud and Abuse Act (CFAA)
The CFAA criminalizes unauthorized access to a “protected computer” with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer. A “protected computer” is defined as a computer that is used in interstate or foreign commerce or communication by or for a financial institution or the government of the United States.
USA PATRIOT Act
The USA PATRIOT Act amends the portion of the National Education Statistics Act of 1994 (NESA) that specified that data collected by the National Center for Education Statistics (NCES) may only be used for statistical purposes. The amended NESA now permits the attorney general to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide data from the NCES that are identified as relevant to an authorized investigation or prosecution concerning national or international terrorism.
Another significant impact of the USA PATRIOT Act is its mandate to the INS requiring the INS to develop and implement the Student and Exchange Visitor Information System or “SEVIS”. SEVIS is an Internet-based system that will allow schools to transmit information on foreign students to the INS for purposes of tracking and monitoring. The system will compile students’ personally identifiable information including the admission at port of entry, academic information, and disciplinary information, which must be maintained and updated for the duration of a student’s stay in the United States.
Digital Millennium Copyright Act
Among other things, institutions may be confronted with claims under the Digital Millennium Copyright Act (DMCA) if their users attempt to defeat the technological restrictions employed by digital rights management tools. The DMCA makes it unlawful to circumvent technological measures that effectively control access to protected works.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is applicable to financial institutions, including colleges and universities, and creates obligations to protect customer financial information. The GLBA includes requirements to take steps to ensure the security of personally identifying information of financial institution customers, such as names, addresses, account and credit information, and Social Security numbers. The Federal Trade Commission’s (FTC’s) regulations implementing the GLBA specifically provide that colleges and universities will be deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with FERPA. Nevertheless, educational institutions likely remain subject to the security provisions under the GLBA and the FTC’s implementing rules.
California Civil Code §1798.82
Public and private organizations shall notify the owner or licensee of confidential information of any breach in the security of covered data and information immediately following discovery, if the information was, or is reasonably believed to have been, acquired by an unauthorized person.
Safeguards:
Physical
The school uses direct personal control or direct supervision to control access to and handling of all non-public customer and employee information. Whether the information is stored in paper form or any electronically accessible format, departmental non-public information is maintained, stored, transmitted and otherwise handled under the direct personal control of an authorized employee of the institution.
Departmental non-public information is collected, processed, transmitted, distributed and ultimately disposed of with careful attention to its privacy and security. Conversations concerning non-public information are held in private. Papers with non-public information are mailed via official campus mail, US mail, or private mail carrier. Departments are encouraged to password-protect electronic files of non-public information when transmitting electronically. When best practices permit the disposal of non-public information, it is destroyed; paper containing such information is routinely shredded or otherwise destroyed.
Confidential material is kept secure. Most offices have locked windows and locked doors with restricted access. For those that do not, materials are kept in locked filing cabinets or other locked storage areas. When offices are open, confidential information is kept out of sight from visitors, and computer screens are not visible to visitors. Offices and/or computers are locked when the office will be vacant for an extended length of time.
Key access is limited to authorized school employees only, in the context of the institution’s key control governing the distribution of keys.
Departmental offsite storage and information processing generally conform to the same practices as onsite storage, and are safeguarded under the provisions for outside service providers, as described below.
Electronic
The school relies on Pacifica’s Information Technology Department to provide network security and administrative software password access according to industry standards in order to protect non-public customer information that is accessed electronically but stored outside of a department.
Departmental desktop computers and other electronic devices storing non-public customer information are protected by physical safeguards.
The Pacifica Information Technology Department maintains its own written security policy, which is incorporated within the overall student, faculty and staff Computer and Network Resource Acceptable Use Policy.
Employee Management and Training:
All school employees, including part-time and temporary employees, are given specific training by their supervisors about issues concerning the security of sensitive and confidential material used in their respective departments. Employees are held accountable for knowing that, although they have access to non-public information in order to perform their job responsibilities for the school, they are not permitted to access it for unapproved purposes or disclose it to unauthorized persons. The Computer and Network Resource Acceptable Use Policy, which is provided to all employees, states that a violation of security policies may result in separation of employment and/or legal action.
Outside Service Providers:
Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be required to provide resources that the institution determines it cannot provide on its own. The school’s academic and administrative departments periodically review and exercise due diligence in safeguarding the access to non-public information. Contracts with service providers who, under their contracts, have access to the institution’s non-public customer information shall include the following provisions as appropriate:
- Explicit acknowledgment that the contract allows the vendor access to confidential information;
- Specific definition of the confidential information being provided;
- Stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
- Guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract;
- Guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers’ confidential information; and
- Allowance for auditing the contract partner’s compliance with the contract safeguard requirements.
Continuing Evaluation and Adjustment:
The information security program and its associated plan shall be periodically evaluated and revised in response to changing relevant circumstances, changes in the law, business practice changes, and ongoing assessment of security safeguards.