The Hope International University (HIU) Information Security Policy is a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data maintained at the university, and to assist HIU in complying with applicable laws and regulations on the protection of personal information and nonpublic personal information held in records and systems owned by the university.
HIU Information Security Policy is implemented to comply with the California Consumer Privacy Act of 2018 (CCPA), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the financial customer information security provisions of the Gramm-Leach-Bliley Act (GLBA) 15 USC § 6801(b) and 6805(b)(2).
In accordance with these laws and regulations, HIU is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information at the university to affected individuals and appropriate state agencies.
HIU is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the university. HIU has implemented policies to protect such information; this document should be read in conjunction with those policies, which are cross-referenced at the end of this document.
In compliance with the Gramm-Leach-Bliley Act (GLBA), HIU documents and reports its data protection policies and procedures. As part of GLBA, the Federal Trade Commission requires HIU to:
This program applies to all HIU employees, including faculty, staff, contract, and temporary workers, hired consultants, interns and student employees.
The data covered by this program includes any information stored, accessed, or collected by and for the university. The HIU Information Security Policy is not intended to supersede any existing policy that contains more specific requirements for safeguarding certain types of data.
Data: Data refers to information stored, accessed, or collected by and for the university.
Data custodian: A party responsible for maintaining the technology infrastructure that supports access to and safe custody, transport, and storage of the data, and which provides technical support for its use. A data custodian is also responsible for implementation of the business rules established by the data owner.
Data owner: A party responsible for the data content and development of associated business rules, including authorizing access to the data.
Personal information: As defined under the CCPA, personal information is information that identifies, relates to, or could reasonably be linked with you or your household.
Nonpublic personal information: As defined by the GLBA 15 USC § 6809(4)(A), nonpublic personal information is personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.
All data covered by this policy will be classified into one of three categories, based on the level of security required.
Confidential: Any data where unauthorized access, use, alteration, or disclosure could present a significant level of risk to HIU, its faculty, staff, or students. Confidential data should be treated with the highest level of security to ensure the privacy of that data, as well as to prevent any unauthorized access, use, alteration, or disclosure. Confidential data includes data that is protected by federal or state laws and regulations.
Restricted: All other personal and institutional data where the loss of such data could harm an individual's right to privacy or negatively impact the finances, operations, or reputation of HIU. Any non-public data that is not explicitly designated as confidential should be treated as restricted data.
The following University Information is classified as Restricted:
Restricted data includes data protected by FERPA, referred to as student education records. This data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), university financial and investment records, employee salary information, and information related to legal or disciplinary matters.
Access to restricted data should be limited to individuals who are employed by, or enrolled at, HIU and who have legitimate reasons for access as governed by FERPA or other applicable law or university policy.
Public: Any information for which there is no restriction to its distribution.
All data at HIU is assigned to a data owner. Data owners are responsible for approval of all requests for access to such data.
Information Technology (IT) staff serve as the data custodians for all data stored centrally on HIU's servers and administrative systems, and they are responsible for the security of such data.
Human Resources will inform IT staff about an employee's change of status or termination as soon as is practicable but before an employee's departure date from HIU. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee's access to HIU data.
IT staff oversee maintaining, updating, and implementing the Information Security Policy. The university's Director of Information Technology has overall responsibility for the Information Security Policy.
All HIU personnel with access to university data are responsible for maintaining the privacy and integrity of all sensitive data as defined above, and must protect the data from unauthorized use, access, disclosure, or alteration. All personnel with access to university data are also required to access, store, and maintain records containing sensitive data in compliance with the HIU Information Security Policy.
To protect university data classified as confidential, the following policies and procedures relating to the access, storage, transportation, and destruction of records were developed:
Access to restricted data should be limited to those who have a legitimate business need for the data. Additional safeguards are as follows: