Information Security Plan

1. Purpose and Objectives

The Information Security Plan aims to protect covered data and information at BYU-Hawaii by implementing safeguards that ensure:

  • Security and confidentiality of covered data.
  • Protection against threats or hazards to data integrity.
  • Prevention of unauthorized access that may cause harm or inconvenience to any customer.

Additionally, the plan outlines mechanisms for:

  • Identifying and assessing risks to covered data.
  • Developing policies to manage and control risks.
  • Regularly reviewing and adjusting the security plan based on evolving technology and threats.

2. Identification and Assessment of Risks

BYU-Hawaii acknowledges both internal and external risks, including:

  • Unauthorized access to data by non-owners.
  • Compromised system security through unauthorized access.
  • Data interception during transmission.
  • Loss of data integrity or physical loss of data in disasters.
  • Errors, system corruption, unauthorized employee access, and unauthorized data transfer.

To manage these risks:

  • The Office of Information Technology (OIT) monitors advisory groups (e.g., Educause Security Institute) for new risks.
  • Current OIT safeguards are continually reviewed and deemed adequate to address current threats.

3. Information Security Plan Coordinators

The Chief Information Officer (CIO) and IT Security Coordinator are responsible for:

  • Assessing risks related to unauthorized data transfers.
  • Implementing procedures to minimize risks.

Internal Audit personnel will review departments' internal controls to ensure compliance with this policy.

4. Design and Implementation of Safeguards

A. Employee Management and Training

  1. Background Checks: New employees in departments handling sensitive data (e.g., Cashier’s Office, Registrar) undergo background checks.
  2. Orientation Training: Employees are trained in confidentiality, proper use of systems, and password protocols.
  3. Ongoing Training: Regular privacy training is conducted, with each department coordinating annually with the Office of General Counsel.

B. Physical Security

  1. Access to sensitive data is limited to employees with legitimate business needs.
  2. Storage Security: Paper records are stored in locked cabinets, rooms, or vaults. Only authorized employees have access.
  3. Paper documents containing sensitive information