Introduction

The Hope International University (HIU) Information Security Policy is intended as a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data maintained at the university, including data in records and in systems owned by the university, and to assist HIU in complying with applicable laws and regulations on the protection of personal information and nonpublic personal information.

Overview and Purpose

The HIU Information Security Policy is implemented to comply with the California Consumer Privacy Act of 2018 (CCPA), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the financial customer information security provisions of the Gramm-Leach-Bliley Act (GLBA), 15 USC § 6801(b) and 6805(b)(2).

In accordance with these laws and regulations, HIU is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the university to affected individuals and appropriate state agencies.

HIU is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the university. HIU has implemented policies to protect such information, and this policy should be read in conjunction with those policies, which are cross-referenced at the end of this document.

GLBA

In compliance with the Gramm-Leach-Bliley Act (GLBA), HIU documents and reports our data protection policies and procedures. As part of GLBA, the Federal Trade Commission requires us to:

  • Establish a comprehensive information security program for HIU, with policies designed to safeguard sensitive data that is maintained by the University, in compliance with federal and state laws and regulations.
  • Establish employee responsibilities in safeguarding data according to its classification level.
  • Establish administrative, technical, and physical safeguards to ensure the security of sensitive data.

Scope

This program applies to all HIU employees, including faculty, staff, contract, and temporary workers, hired consultants, interns and student employees.

The data covered by this program includes any information stored, accessed, or collected by and for the university. The HIU Information Security Policy is not intended to supersede any existing policy that contains more specific requirements for safeguarding certain types of data.

Definitions

Data: Data refers to information stored, accessed, or collected by and for the university.

Data custodian: A party responsible for maintaining the technology infrastructure that supports access to and safe custody, transport, and storage of the data, and which provides technical support for its use. A data custodian is also responsible for implementation of the business rules established by the data owner.

Data owner: A party responsible for the data content and development of associated business rules, including authorizing access to the data.

Personal information: As defined under the CCPA, personal information is information that identifies, relates to, or could reasonably be linked with you or your household. [1]

Nonpublic personal information: As defined by the GLBA 15 USC § 6809(4)(A), nonpublic personal information is personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution. [2]

Data Classification

All data covered by this policy will be classified into one of three categories, based on the level of security required.

Confidential: Any data where unauthorized access, use, alteration, or disclosure could present a significant level of risk to HIU, its faculty, staff, or students. Confidential data should be treated with the highest level of security to ensure the privacy of that data, as well as to prevent any unauthorized access, use, alteration, or disclosure. Confidential data includes data that is protected by federal or state laws and regulations.

Restricted: All other personal and institutional data where the loss of such data could harm an individual's right to privacy or negatively impact the finances, operations, or reputation of HIU. Any non-public data that is not explicitly designated as confidential should be treated as restricted data.

The following University Information is classified as Restricted:

  • Social security number
  • Bank account number
  • Driver's license number
  • State identity card number
  • Credit card number
  • Protected health information (as defined by HIPAA)

Restricted data includes data protected by FERPA, referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), university financial and investment records, employee salary information, or information related to legal or disciplinary matters.

Access to restricted data should be limited to individuals who are employed by, or enrolled at, HIU, and who have legitimate reasons for access as governed by FERPA or other applicable law or university policy.

Public: Any information for which there is no restriction to its distribution.

Policy

Responsibilities

All data at HIU is assigned to a data owner. Data owners are responsible for approval of all requests for access to such data.

Information Technology (IT) staff serve as the data custodians for all data stored centrally on HIU's servers and administrative systems, and they are responsible for the security of such data.

Human Resources will inform IT staff about an employee's change of status or termination as soon as is practicable but before an employee's departure date from HIU. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee's access to HIU data.

IT staff oversee maintaining, updating, and implementing the Information Security Policy. The university's Director of Information Technology has overall responsibility for the Information Security Policy.

All HIU personnel with access to university data are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure, or alteration. All personnel with access to university data are also required to access, store, and maintain records containing sensitive data in compliance with the HIU Information Security Policy.

Safeguarding Confidential Data

To protect college data classified as confidential, the following policies and procedures relating to access, storage, transportation, and destruction of records were developed:

  • Only those requiring access to confidential data in the regular course of their duties are granted access to this data, including both physical and electronic records.
  • To the extent possible, all electronic records containing confidential data should only be stored on on-campus secure network storage and not on local machines or unsecured servers.
  • Confidential data must not be stored on cloud-based storage solutions that are unsupported by HIU.
  • Confidential data should not be stored on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). If it is necessary to transport confidential data electronically, the device containing the data must be encrypted.
  • Paper records containing confidential data must be kept in locked files or other secured areas when not in use.
  • Upon termination of employment or relationship with HIU, electronic and physical access to documents, systems or other network resources containing confidential data is immediately terminated.
  • Under no circumstances are documents, electronic devices or digital media containing confidential data to be left unattended in any unsecure location.
  • When there is a legitimate need to provide records containing confidential data to a third party outside HIU, electronic records shall be password-protected and/or encrypted, and paper records shall be marked "confidential" and securely sealed.
  • Records containing confidential data must be destroyed once they are no longer needed for business purposes, unless state or federal regulations require maintaining these records for a prescribed period.
  • Paper and electronic records containing confidential data must be destroyed in a manner that prevents recovery of the data.

Safeguarding Restricted Data

Access to restricted data should be limited to those who have a legitimate business need for the data. Additional safeguards are as follows:

  • Restricted data may be stored on cloud-based storage solutions that are unsupported by HIU if they are in compliance with the requirements of any laws governing the protection of such data (e.g., FERPA).
  • Documents containing restricted data should not be posted publicly.

[1] https://oag.ca.gov/privacy/ccpa

[2] https://www.govinfo.gov/content/pkg/USCODE-2011-title15/html/USCODE-2011-title15-chap94-subchapI-sec6809.htm