Identification and Assessment of Risks to Customer Information

Information Security Plan Coordinator

Design and Implementation of Safeguards Program

Information Systems

Selection of Appropriate Service Providers

Continuing Evaluation and Adjustment

Footnotes

Employees must have passwords on all accounts which are used to access data or services which are not public. Passwords are not required on accounts provided for services offered to the public. When accounts are created, Information Technology will provide initial passwords to enter the accounts. Employees must then log in and change their password and must not engage in activity outside the limits of access that have been authorized for them. Employees must change their passwords at least annually. To the extent that it is possible with numerous computer systems, Information Technology will create utilities to make it easy for individuals to change their account passwords.

NC State College will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. The Information Technology Division requires that all servers must be registered before being allowed through NC State College’s firewall, thereby allowing Information Technology to verify that the system meets necessary security requirements as defined by Information Technology policies. These requirements include maintaining the operating system and applications, including application of appropriate patches and updates in a timely fashion. User and system passwords are also required to comply with the North Central State College Password Policy. In addition, an intrusion detection system has been implemented to detect and stop certain external threats, along with an Incident Response Procedure for occasions where intrusions do occur.

When commercially reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind NC State College’s firewall. All firewall software and hardware maintained by Information Technology will be kept current. Information Technology has a number of policies and procedures in place to provide security to NC State College’s information systems. These policies and procedures are available upon request from the Executive Director – Information Technology.

One of the largest security risks facing colleges may be the possible nonstandard practices concerning the use of Social Security Numbers (“SSNs”) as student identifiers and the continued reliance by certain College processes on these SSNs. SSNs are specifically considered protected information under both the

Gramm Leach Bliley Act⁴ (“GLBA”) and the Family Educational Rights and Privacy Act⁵ (“FERPA”). SSNs still remain in the College’s student information system.⁶ The College will conduct an assessment to determine who has access to SSNs and in what systems the numbers are still used. This assessment will cover College employees as well as subcontractors such as the bookstore and other outside users potentially having access to Social Security Number Information.

Management of System Failures

Information Technology has developed written plans and procedures to detect any actual or attempted attacks on NC State College systems and has an Incident Response Procedure which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This procedure is available upon request from the Executive Director – Information Technology.

VI. Selection of Appropriate Service Providers