General Description

Description:
Definitions of roles and responsibilities relative to the Red Flags Identity Theft Policy.

Purpose:
Delineation of definitions.

Scope:
All faculty, staff, students, and administrators

Responsibility:
Administration
Executive VP
VP of Business and Finance

Requirements

Relevant Knowledge:
In order to comply with this policy you should know:
Current University policy
Federal statutes
Standard company policies
Standards of good practice
State statutes

Terms and Definitions:
Additional training
Corrective Action

Policy Provisions

1. Roles and Responsibilities

1.1 University Administration

The University Administration is responsible for the design, implementation, and oversight of the Identity Theft Prevention Program. However, if it is not feasible for the University Administration to be directly involved, it may appoint a member of senior management to be charged with these responsibilities. This designated Identity Theft Prevention Officer must seek University Administration approval on policy decisions. They must report to the board at least annually on the state of the Identity Theft Prevention Program.

1.2 Identity Theft Prevention Officer

The Identity Theft Prevention Officer is responsible for the following:
1. Risk Assessment - Conduct periodic risk assessments of Confidential and Sensitive Information handling methods.
2. Design - Design of more specific or new policy guidelines as needed.
3. Implementation - Conduct training for employees on a periodic basis.
4. Monitor - Evaluate the policy and procedures regularly.
5. Enforce - Take disciplinary action with employees as needed.
6. Response Plan - Create a plan to respond to security incidents.

1.3

All personnel are responsible for adhering to these guidelines, and for reporting any security incidents to the Identity Theft Prevention Officer immediately.

1.4

The level of responsibility given to service providers for security reasons depends on the scope of their service offering. Each will be responsible according to their direct or indirect access to information. In either case, service providers will be held accountable for their conduct, and agreements must delineate where the University's liability ends and where the service provider's liability begins.
1. Direct Access to Information. A service provider is considered to have direct access to information when they perform an activity with employee or customer information on behalf of the University. If information is shared, then the service provider must have an Identity Theft Prevention Policy that complies with or exceeds the best practices of colleges and universities.
2. Indirect Access to Information. A service provider is treated differently when they have indirect access to information. These are service providers that are working in the proximity of Confidential and Sensitive Information in the business, but their function does not involve sharing information. In this type of relationship, the service provider must comply with this Identity Theft Prevention Policy.

Performance Evaluation

Performance Metrics:
Compliance with standard policy and procedure
Compliance with federal mandate

Consequences:
Further training

Subject Experts

The following may be consulted for additional information.

Executive VP
VP of Business and Finance