To Home Page To Home Page
General Description
Policy Provisions
Performance Evaluation
Subject Experts
Roles and Responsibilities

Document Number: REDFLAG--103 Revision #: 1.0
Document Owner: Date Last Updated: 11/03/2015
Primary Author: Status: Approved
Date Originally Created: 12/14/2011

General Description

Definitions of roles and responsibilities relative to the Red Flags Identity Theft Policy.


Delineation of definitions.


All faculty, staff, students, and administrators

Responsibility: Administration
VP of Business and Finance

Back to Top

Relevant Knowledge: In order to comply with this policy you should know:
Current University policy
Federal statutes
Standard company policies
Standards of good practice
State statutes

Terms and Definitions: Additional training

Corrective Action

Back to Top

Policy Provisions

Roles and Responsibilities


University Administration

The University Administration is responsible for the design, implementation, and oversight of the Identity Theft Prevention Program. However, if it is not feasible for the University Administration to be directly involved, it may appoint a member of senior management to be charged with these responsibilities. This designated Identity Theft Prevention Officer must seek University Administration approval on policy decisions. They must report to the board at least annually on the state of the Identity Theft Prevention Program.



Identity Theft Prevention Officer

The Identity Theft Prevention Officer is responsible for the following:


1. Risk Assessment – Conduct periodic risk assessments of Confidential and Sensitive Information handling methods.

2. Design – Design of more specific or new policy guidelines as needed.

3. Implementation – Conduct training for employees on a periodic basis.

4. Monitor – Evaluate the policy and procedures regularly.

5. Enforce - Take disciplinary action with employees as needed.

6. Response Plan – Create a plan to respond to security incidents.




All personnel are responsible for adhering to these guidelines, and for reporting any security incidents to the Identity Theft Prevention Officer immediately.



Service Providers

The level of responsibility given to service providers for security reasons depends on the scope of their service offering. Each will be responsible according to their direct or indirect access to information. In either case, service providers will be held accountable for their conduct and agreements must delineate where the University’s liability ends and where the service provider’s liability begins.


1. Direct Access to Information. A service provider is considered to have direct access to information when they perform an activity with employee or customer information on behalf of the University. If information is shared, then the service provider must have an Identity Theft Prevention Policy that complies with or exceeds the best practices of colleges and universities.

2. Indirect Access to Information. A service provider is treated differently when they have indirect access to information. These are service providers that are working in the proximity of Confidential and Sensitive Information in the business, but their function does not involve sharing information. In this type of relationship, the service provider must comply with this Identity Theft Prevention Policy.


Back to Top

Performance Evaluation
Performance Metrics: Compliance with standard policy and procedure
Compliance with federal mandate

Consequences: Further training

Back to Top

Subject Experts
The following may be consulted for additional information.

VP of Business and Finance

Back to Top

This page created 01/20/2016 using Zavanta® version 7.3