Information Security Policy

Written Information Security Policy

Introduction

The Hope International University (HIU) Written Information Security Program (WISP) is a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data maintained by the university, whether in records or in systems owned by the university, and to assist HIU in complying with applicable laws and regulations on the protection of personal information and nonpublic personal information.

Overview and Purpose

The WISP is implemented to comply with the California Consumer Privacy Act of 2018 (CCPA), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the financial customer information security provisions of the Gramm-Leach-Bliley Act (GLBA) 15 USC § 6801(b) and 6805(b)(2). In accordance with these laws and regulations, HIU is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the university to affected individuals and appropriate state agencies. HIU is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the university. HIU has implemented policies to protect such information, and the WISP should be read in conjunction with these policies that are cross-referenced at the end of this document.

The purposes of this document are to:

  • Establish a comprehensive information security program for HIU, with policies designed to safeguard sensitive data that is maintained by the university, in compliance with federal and state laws and regulations.
  • Establish employee responsibilities in safeguarding data according to its classification level.
  • Establish administrative, technical and physical safeguards to ensure the security of sensitive data.

Scope

This program applies to all HIU employees, including faculty, staff, contract and temporary workers, hired consultants, interns and student employees. The data covered by this program includes any information stored, accessed, or collected by and for the university. The WISP is not intended to supersede any existing policy that contains more specific requirements for safeguarding certain types of data.

Definitions

Data: Data refers to information stored, accessed or collected by and for the university.

Data custodian: A party responsible for maintaining the technology infrastructure that supports access to and safe custody, transport and storage of the data, and which provides technical support for its use. A data custodian is also responsible for implementation of the business rules established by the data owner.

Data owner: A party responsible for the data content and development of associated business rules, including authorizing access to the data.

Personal information: As defined under the CCPA, personal information is information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Nonpublic personal information: As defined by the GLBA 15 USC § 6809(4)(A), nonpublic personal information is personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.

Data Classification

All data covered by this policy will be classified into one of three categories, based on the level of security required.

Confidential: Any data where unauthorized access, use, alteration or disclosure could present a significant level of risk to HIU, its faculty, staff or students. Confidential data should be treated with the highest level of security to ensure the privacy of that data, as well as to prevent any unauthorized access, use, alteration or disclosure. Confidential data includes data that is protected by federal or state laws and regulations.

Restricted: All other personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations or reputation of HIU. Any non-public data that is not explicitly designated as confidential should be treated as restricted data.

Restricted data includes data protected by FERPA, referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), university financial and investment records, employee salary information, or information related to legal or disciplinary matters.

Access to restricted data should be limited to individuals who are employed by or enrolled at HIU and who have a legitimate reason for access, as governed by FERPA or other applicable law or university policy.

Public: Any information for which there is no restriction to its distribution.

Responsibilities

All data at HIU is assigned to a data owner. Data owners are responsible for approval of all requests for access to such data.

Information Technology (IT) staff serve as the data custodians for all data stored centrally on HIU’s servers and administrative systems, and they are responsible for the security of such data.

Human Resources will inform IT staff about an employee’s change of status or termination as soon as is practicable but before an employee’s departure date from HIU. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee’s access to HIU data.

IT staff are responsible for maintaining, updating, and implementing the WISP. The university's Director of Information Technology has overall responsibility for the WISP.

All personnel with access to university data are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure, or alteration. All personnel with access to university data are also required to access, store, and maintain records containing sensitive data in compliance with the WISP.

Safeguarding Confidential Data

Safeguarding Restricted Data

Password Requirements

Network Security

Third Party Vendor Agreements

Computer System Safeguards

Training

Reporting Attempted or Actual Breaches

Enforcement

These tools are focused on helping you:

  • Better understand how an attacker may value or target your department’s assets.
  • Learn about the intent of various security controls so you can apply controls that are timely, cost effective, and relevant to your assets.
  • More efficiently and effectively track information about your critical assets and their dependencies.
  • Manage your assets in a way that demonstrates a position of due care.

Below is a suite of resources for understanding and managing security risks at HIU.

Check this webpage frequently to make sure you are using the most recent version of risk management resources. The resources will continuously evolve.