The Catholic University of America

Responsibilities of the Information Security Officer

Payment Card Industry Data Security Standard

Summary of the Standard: Effective June 30, 2005, Visa and MasterCard put into effect a data security standard for any organization that processes credit card transactions accepting their card brand. The program has since expanded to include all major credit card brands. The credit card companies require that all members, service providers and merchants who store, process, or transmit cardholder data remain compliant with the PCI Standard. The Information Security Officer is responsible for monitoring PCI compliance.

Family Educational Rights and Privacy Act of 1974 (FERPA)

Summary of the Law: Regulates the keeping and dissemination of student records at all institutions that receive federal funds or that have students receiving federal funds. Procedures must be in place to allow a student access to student records. Consent must be obtained to release student records to a third party, with certain exceptions contained in the law.

Responsibilities: The Information Security Officer assists staff in encrypting electronic transfers of data. The Information Security Officer is consulted on contracts outsourcing functions that involve contractor access to education records.

Health Insurance Portability and Accountability Act of 1996

CUA will be a hybrid entity effective January 2013. The following departments of CUA will be designated as health care components and are required to comply with any applicable HIPAA regulations.

• Student Health Center, if its health care providers conduct any standard HIPAA transactions electronically, directly or through a vendor.

• Counseling Center, if its health care providers conduct any standard HIPAA transactions electronically, directly or through a vendor.

• Athletic Training Staff, to the extent they conduct any standard HIPAA transaction electronically, directly or through a vendor.

• Technology Services, to the extent any personnel use and disclose individually identifiable health information in providing administrative and support services to the Student Health Center, the Counseling Center, and/or the Athletic Training staff, and would constitute a business associate if the department was a separate legal entity.

• Office of General Counsel, to the extent any personnel use and disclose individually identifiable health information in providing administrative and support services to the Student Health Center, the Counseling Center, and/or the Athletic Training staff, and would constitute a business associate if the department was a separate legal entity.

Note that any individually identifiable health information maintained by any CUA department on a CUA student is specifically excluded from coverage as PHI under HIPAA. CUA’s health care components maintain no PHI and no e-PHI; the student health information maintained by those health care components is governed by compliance obligations under FERPA, and/or state medical records privacy laws and regulations. Business Associate agreements are maintained with any vendor whose services on behalf of CUA health care components require access to individually identifiable student health information.

Responsibilities: The ERISA Health Plan documents designate the Information Security Officer as the person responsible for resolving any issues of non-compliance and for overseeing compliance with HIPAA Security Standards.

Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act)

Summary of the Law: This law requires a safeguarding program, including identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluating the effectiveness of the current safeguards for controlling these risks; designing and implementing a safeguards program, and regularly monitoring and testing the program.

Student names, addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers would all be protected under GLB. Broad principles are set forth in the Information Security and Assurance Policy.

Responsibilities: The Information Security Officer has operational oversight for ensuring that the safeguarding program is kept current, and works with Human Resources and with the Privacy Officer so that training on Information Security and Assurance is ongoing.

Fair Credit Reporting Act and Red Flag Rules

Summary of the Law: If the school meets the definition of a creditor under the FCRA (any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; see 15 USC 1691a), then the school has several obligations under the final rules. These include periodically determining whether it maintains covered accounts and, if it does, developing and maintaining an identity theft program for those accounts that has been approved by the Board of Directors or an appropriate committee, among other items (see 16 CFR 681.2).

Responsibilities: The Information Security Officer is responsible for ensuring that a written identity theft program is in place; that an annual report is made to a committee of the Board of Trustees; and that staff is trained to implement the program. The Information Security Officer is also responsible for oversight of any service-provider arrangements covered under this law.

Export Administration Act (EAA) and the Arms Export Control Act (AECA)

These laws must be complied with when non-U.S. persons or foreign nationals are granted access to regulated products or technology by a company or institution of higher education in the United States. Under the "deemed export" rule, allowing non-U.S. persons or foreign nationals access to the product or technology may trigger the requirement to apply for a license prior to that access. The EAA and the EAR control the export of dual-use goods and technology (items and technical information that have both commercial and military purposes) and the AECA and ITAR control the export of products and technology with primarily military, intelligence or defense-oriented purposes.

Responsibilities: The Information Security Officer is the Technology Services liaison for Export Control issues and works with the Associate Provost for Research on any necessary training.

Compliance with Federal Policy on Institutional Review Boards

Any institution that engages in federally funded research involving human subjects must have an Institutional Review Board (IRB). An IRB is an administrative body established to protect the rights and welfare of human research subjects recruited to participate in research activities conducted under the auspices of the institution with which it is affiliated. The IRB has the authority to approve, require modifications in, or disapprove all research activities that fall within its jurisdiction as specified by both the federal regulations and local institutional policy. The Principal Investigator (PI) must obtain IRB approval before engaging in any human subject research. Research that has been reviewed and approved by an IRB may be subject to review and disapproval by officials of the institution. Institution officials may not approve research if it has been disapproved by the IRB.

Responsibilities: The Information Security Officer sits on the IRB to answer information security questions.

Consumer Personal Information Security Breach Notification Act of 2006

The Law: This law, effective July 1, 2007, amends Title 28 of the DC Code to ensure that consumers are notified when electronically stored personal information is compromised. The law also creates a private right of action, and provides for enforcement by the Attorney General.

Responsibilities: The Information Security Officer is responsible for working with the CIO and OGC to determine whether a breach as defined under the law has occurred and, if so, for coordinating any needed notification and other response.


Related Policies

Identity Theft Prevention

Information Security and Assurance

Electronic Communications

Acceptable Use

Credit Card Acceptance Policy

Student Records


Resources

FERPA Publications (includes info on cloud computing)

FERPA Resources

Payment Card Industry (PCI) Data Security Standard Self Assessment Questionnaire

Edwards Angell Palmer & Dodge April 2011 Client Advisory: This memo concerns an alleged PCI-DSS violation and a Massachusetts Attorney General enforcement action against Briar Group LLC, a restaurant chain.

Frequently Asked Questions on the Red Flag Rule