
Thursday, September 6, 2007

Information Security Plan (Example)

.010 Introduction

This Information Security Plan ("Plan") describes Kansas State University's safeguards to protect covered data and information. Covered data and information for the purpose of this policy includes student financial information (defined below) required to be protected under the Gramm-Leach-Bliley Act (GLB). In addition to this coverage, which is required under federal law, KSU chooses as a matter of policy to also include in this definition any credit card information received in the course of business by the University, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Student financial information is that information that KSU has obtained from a customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;

  • Protect against anticipated threats or hazards to the security or integrity of such information; and

  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

This Information Security Plan also provides for mechanisms to:

  • Identify and assess the risks that may threaten covered data and information maintained by KSU;

  • Develop written policies and procedures to manage and control these risks;

  • Implement and review the plan; and

  • Adjust the plan to reflect changes in technology, the sensitivity of covered data and information and internal or external threats to information security.

.020 Identification and Assessment of Risk to Customer Information

KSU recognizes that it has both internal and external risks. These risks include, but are not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information

  • Compromised system security as a result of system access by an unauthorized person

  • Interception of data during transmission

  • Loss of data integrity

  • Physical loss of data in a disaster

  • Errors introduced into the system

  • Corruption of data or systems

  • Unauthorized access of covered data and information by employees

  • Unauthorized requests for covered data and information

  • Unauthorized access through hardcopy files or reports

  • Unauthorized transfer of covered data and information through third parties

KSU recognizes that this may not be a complete list of the risks associated with the protection of covered data and information. Because technology keeps changing, new risks emerge regularly. Accordingly, the Security Incident Response Team will actively participate in and monitor advisory groups for identification of new risks.

KSU believes current information technology safeguards are reasonable and, in light of current risk assessments, sufficient to provide security and confidentiality for the covered data and information described above that is maintained by the central University units. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

.030 Information Security Plan Coordinator

The Chair of the Security Incident Response Team (SIRT) has been appointed as the coordinator of this Plan. The Chair is responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to KSU. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that KSU departments comply with the requirements of this policy.

.040 Design and Implementation of Safeguards Program

Employee Management and Training

References of new employees working in areas that regularly work with covered data and information (Cashier's Office, Registrar, and Student Financial Assistance) are checked. During employee orientation, each new employee in these departments will receive proper training on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Each new employee is also trained in the proper use of computer information and passwords.

Training also includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including "pretext calling", and how to properly dispose of documents that contain covered data and information. "Pretext calling" occurs when an individual improperly obtains personal information of university customers so as to be able to commit identity theft. It is accomplished by contacting the University, posing as a customer or someone authorized to have the customer's information, and, through the use of trickery and deceit, convincing an employee of the University to release customer identifying information.

Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures. Further, each department responsible for maintaining covered data and information should ensure, on an annual basis, the coordination and review of additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard covered data and information security.

Physical Security

KSU has addressed the physical security of covered data and information by limiting access to only those employees who have a business reason to know such information. For example, personal customer information, accounts, balances and transactional information are available only to KSU employees with an appropriate business need for such information.

Loan files, account information and other paper documents are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Paper documents that contain covered data and information are shredded at time of disposal.

Information Systems

Access to covered data and information via KSU's computer information system is limited to those employees who have a business reason to know such information. Each employee selects an eID and password. Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, are available only to KSU employees in appropriate departments and positions.

Systems requiring passwords will specify that they must be changed twice annually, on the first of September and the first of February. Passwords must conform to the validation rules (edits) specified in the CNS Policy on User ID & Passwords. Systems that allow remote log-ins over the campus network must have passwords on all accounts. Checking passwords for conformance is the responsibility of the IT Security Coordinator.

KSU will take reasonable and appropriate steps consistent with current technological developments to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. The Vice Provost for Academic Services and Technology (VPAST) requires that all servers must be registered before being allowed through KSU's firewall, thereby allowing SIRT to verify that the system meets necessary security requirements as defined by information technology policies. These requirements include maintaining the operating system and applications, including application of appropriate patches and updates in a timely fashion. User and system passwords are also required to comply with the KSU IT Policy.

In addition, an intrusion detection system has been implemented to detect and stop certain external threats, along with incident response procedures defined by SIRT for occasions where intrusions do occur.

When commercially reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind KSU's firewall. All firewall software and hardware maintained by Computing and Network Services will be kept current. The University has a number of policies and procedures in place to provide security to KSU's information systems. These policies are available in the University's Policy and Procedures Manual at www.ksu.edu/policies/ppm.

The University presently maintains a secure firewall for protecting the social security numbers of its students and employees. The University expects by the end of 2007 to have in place information systems for student records and employee records which will identify its students and employees without use of social security numbers.
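The passage above describes replacing the Social Security number as the identifier in student and employee records. The following is an added example of how such a surrogate-identifier scheme can be built; it is not code from the KSU plan or from the University's systems. It assumes a single registry process (the "vault") that alone holds the SSN-to-identifier mapping and a secret index key, while every other campus system stores only the surrogate. The "W" plus nine-digit surrogate format, the approved release purposes and the sample SSN 123-45-6789 are all constructed for the example. It also shows why the vault's lookup index is keyed: an unkeyed hash of an SSN is not a pseudonym, because the SSN space is small enough to enumerate.

```python
"""Surrogate identifiers in place of Social Security numbers (added example).

Assumptions, not part of the KSU plan: one vault process holds the mapping and
a secret index key; downstream systems store the surrogate only; the "W" + nine
digit format and the release purposes are hypothetical; 123-45-6789 is a
constructed sample SSN.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

SURROGATE_RE = re.compile(r"W\d{9}")  # hypothetical surrogate format


def normalize_ssn(raw: str) -> str:
    """Strip separators and reject values that cannot be an SSN
    (area 000/666/9xx, group 00 and serial 0000 are never issued)."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("an SSN has exactly nine digits")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
        raise ValueError("not a valid SSN")
    return digits


def unkeyed_pseudonym(ssn: str) -> str:
    """The tempting shortcut: sha256(ssn) as an identifier. Shown only to be broken."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def recover_from_unkeyed_hash(digest_hex: str, known_prefix: str):
    """Why the vault index is keyed: about 10^9 SSNs exist, so an unkeyed hash
    falls to enumeration. With the first five digits known (area and group are
    often guessable) 10^4 hashes are enough."""
    for serial in range(10_000):
        guess = f"{known_prefix}{serial:04d}"
        if hashlib.sha256(guess.encode()).hexdigest() == digest_hex:
            return guess
    return None


class IdentifierVault:
    """System of record: the only place an SSN is linked to a surrogate id."""

    RELEASE_PURPOSES = frozenset({"financial-aid", "tax-reporting"})  # hypothetical

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._id_by_index = {}  # HMAC(ssn) -> surrogate id, lookup without the plain SSN
        self._ssn_by_id = {}    # surrogate id -> SSN, kept only inside the vault
        self.access_log = []    # (surrogate id, purpose, allowed) for every release attempt

    def _index(self, ssn: str) -> str:
        # Keyed, so the index cannot be rebuilt by hashing every possible SSN.
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def enroll(self, raw_ssn: str) -> str:
        """Return the surrogate for an SSN, minting one on first sight."""
        ssn = normalize_ssn(raw_ssn)
        idx = self._index(ssn)
        if idx in self._id_by_index:
            return self._id_by_index[idx]
        while True:  # random, not derived from the SSN: one reveals nothing about the other
            sid = f"W{secrets.randbelow(10**9):09d}"
            if sid not in self._ssn_by_id:
                break
        self._id_by_index[idx] = sid
        self._ssn_by_id[sid] = ssn
        return sid

    def release_ssn(self, sid: str, purpose: str) -> str:
        """Hand back the SSN only for an approved purpose; log every attempt."""
        allowed = purpose in self.RELEASE_PURPOSES and sid in self._ssn_by_id
        self.access_log.append((sid, purpose, allowed))
        if not allowed:
            raise PermissionError(f"SSN release refused for {sid} ({purpose})")
        return self._ssn_by_id[sid]


@dataclass
class StudentRecord:
    """A downstream record (cashier, registrar): surrogate id only, never an SSN."""
    surrogate_id: str
    name: str
    balance_cents: int = 0

    def __post_init__(self):
        if not SURROGATE_RE.fullmatch(self.surrogate_id):
            raise ValueError("downstream records reference a surrogate id, not an SSN")


if __name__ == "__main__":
    vault = IdentifierVault(index_key=secrets.token_bytes(32))
    wid = vault.enroll("123-45-6789")          # constructed sample SSN
    assert wid == vault.enroll("123456789")    # same person, same surrogate
    print(StudentRecord(wid, "A. Student", balance_cents=12500))
    print(vault.release_ssn(wid, "tax-reporting"))
    print(recover_from_unkeyed_hash(unkeyed_pseudonym("123456789"), "12345"))
```

The design point is that the surrogate is random rather than derived from the SSN, so a leaked downstream database yields nothing about SSNs, and the only SSN-derived value the vault stores is an HMAC under a key that never leaves it. Each release of an SSN is tied to a stated purpose and logged, which gives Internal Audit something concrete to review.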

Management of System Failures

The Security Incident Response Team is developing written plans and procedures to detect any actual or attempted attacks on KSU systems and has defined procedures for responding to an actual or attempted unauthorized access to covered data and information.

.050 Selection of Appropriate Service Providers

Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that KSU determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard confidential financial information. Contracts with service providers may include the following provisions:

  • An explicit acknowledgment that the contract allows the contract partner access to confidential information;

  • A specific definition or description of the confidential information being provided;

  • A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;

  • An assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own confidential information;

  • A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;

  • An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles KSU to terminate the contract without penalty; and

  • A provision ensuring that the contract's confidentiality requirements shall survive any termination of the agreement.

.060 Continuing Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment. The most frequent of these reviews will occur within the SIRT, where constantly changing technology and evolving risks mandate increased vigilance. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Plan Coordinator who will assign specific responsibility for implementation and administration as appropriate. The Coordinator, in consultation with the University Attorney's Office and VPAST, will review the standards set forth in this policy and recommend updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data and internal or external threats to information security.

.070 Questions

Questions regarding this policy should be sent to the Director of Academic Services at academicservices@k-state.edu

Source : http://www.k-state.edu/policies/ppm/3415.html

Tuesday, August 28, 2007

Succession Planning - A Bigger Solution Than You Might Think

by Martin Haworth


Many companies make it a policy to "hire from within," which is a way of saying that a person can start out on the ground floor of a company and eventually work his or her way up and possibly someday become the company's CEO.

One way of keeping this process possible is a method called "Succession Planning." Succession Planning is the way a company both promotes its employees and makes sure that it is never left in the lurch, with a gaping hole in the system.

Succession Planning Benefits

Holes in the hierarchy can create disastrous effects in a company's productivity. This is why it's a good idea to hire from within, so that the only sudden openings are in the lower positions that are easily filled.

One aspect of succession planning involves looking over each position periodically and evaluating the person who holds it and the person who is "next in line" - making sure that the person currently holding the position is working well and that the person poised to take over could transition smoothly and minimize disruption.

This is a process that typically takes place in the higher levels of management and is important because the time and effort that goes in to training and grooming a successor can take years.

Senior Management Succession Planning

Examples of Succession Planning include the replacement of Jack Welch, the former Chief Executive Officer of General Electric. Prior to his retirement the Board of Directors at General Electric went through a lengthy process of evaluating possible successors.

Succession planning often involves recruiting people and then working with them to develop their skills and making sure that they are ready to advance.

It also involves making sure that the recruit knows what the company's goals are, and involves active planning to keep that recruit happy. A happy recruit is not likely to leave the company suddenly.

Succession Planning Maintains Strategic Direction

Another aspect of succession planning is making sure that the higher powered executives within the company know what the goals and ambitions of the company are, and making sure that everyone is up to date on hiring practices and market trends in their industry.

By keeping the company competitive, the executives won't have to worry about whether or not they are still relevant.

Succession Planning is important to the overall health of an organization and care should be taken in the hiring process to make sure that all employees hired or recruited can be groomed and trained to move up within the company's ranks.

By hiring from within, the company gives people an incentive to want to work there. It also ensures that the company's public reputation stays uniform and competitive.

A competitive company is much more likely to be successful than one that doesn't make an effort to compete at all.

About the Author

(c) 2007 Succession Planning Toolkit. Want a free e-course? Then sign up with a blank e-mail to sptcourse@aweber.com. For more on developing and building an easy-to-run business, you need to develop your people well. You can find out how, right here, on Martin Haworth's fascinating website at http://www.SuccessionPlanningToolkit.com

Article Source : www.goarticles.com

Management Performance

by Paul Abbey


It's important to monitor your management performance; keeping on top of this can really increase your productivity and create an excellent working atmosphere. Management performance needs to be strong, and consistently knowing how your team is doing will ensure that everything stays right on schedule.

You want to make sure that your team leader fits specific guidelines. You want them to have excellent networking skills, good control of emotion, and excellent people management skills. It's crucial that they are able to create a good working environment. If you select someone with these important attributes then there is an excellent chance that everything will run smoothly. But this doesn't mean that you shouldn't constantly monitor their performance. It's hard to find good employees, and there are alternatives to paying a high salary to someone when you can purchase a single piece of software that can complete this job. So implementing good management performance software in your company is an excellent way to know who is working to the best of their ability and who is not.

Here are some things that good management performance software can do for you. And the best part of it is that you can monitor everything right from the comfort of your own desk.

It will help you to delegate designated tasks to certain employees. It will give them specific requirements, and as they complete each stage they will log it within the software, so you can easily check on them through the program. This is a great way to track their progress and quickly see who is not working up to their requirements.

This simple-to-use piece of software is one of those things that you thought you could live without, that is, until you use it. Project management software is a very valuable asset to any company. It can save you money in many different ways. And if you understand the value of great management performance then you will understand the value of using this type of software in your business, no matter what type of business you may have.

I highly suggest that you begin learning more about how to improve your management performance, and you will discover that this is going to be the answer to your prayers.

About the Author

P Abbey owns and operates http://www.managementperformanceadvice.com/managingperformances.html Management Performance

Article Source : www.goarticles.com

Monday, August 13, 2007

Project Managers Need To "Manage The Boss"

Most people have one. Yet attending to their demands and idiosyncrasies can be nerve-wracking. Wise people engage good boss management strategies. After all, bosses are not exalted and invincible gods. They are human beings with special roles and authority as well as the requisite levels of human weaknesses, problems and pressures.

Assess Leadership Style

Recognize leadership skills inherent in your own boss. This assists you to better understand your boss. You also benefit by becoming a better manager.

Leader #1: The Press Leader

These leaders pretend to be drill sergeants. Low self-esteem and a strong fear of failure drive them. They are impressed by outward displays of project management and busyness rather than by results. The leader treats people as expeditors who obey orders. They tolerate no mistakes. Trivial details snare their energies and attention. They oversupervise and manage by punishment.

How to handle The Press Leader: Quickly discover on-the-job limits. Determine whether your boss is simply tough or ruthless. The tough leader precisely delegates authority balanced with appropriate responsibility. The ruthless one disregards human factors. If you choose to resist the press leader, do it privately, not within view of colleagues. This way your leader will not lose face. Support your position with plenty of evidence. Otherwise you lose.

Leader #2: The Laissez-Faire Leader

This leader abandons staff. These leaders provide little or no support in tough times. They stipulate little of what is expected of employees. They provide virtually no project management guidance on how to accomplish tasks. While the Press Leader may hover over an employee's shoulder, this leader does nothing to train or guide. The Press Leader overmanages. The Laissez-Faire Leader overlooks.

Managing The Laissez-Faire Leader: The individual who is self-motivated and needs little praise will work well under this type of leader. This leader craves facts such as costs, statistics and research findings. Provide these facts and figures for your boss, while at the same time trying to stress some human elements. Encourage your boss to clarify exactly what is to be accomplished.

Leader #3: The Participatory Leader

The Participatory Leader is adept at communication procedures. Under this type of boss, employees are given precise feedback and recognition when deserved. The Participatory Leader strives to involve employees in the assessment process. He or she is inspirational and innovative. The Participatory Leader customizes the type and amount of feedback required for each employee.

Managing The Participatory Leader: The most effective way of dealing with the Participatory Leader is to feed back the same techniques that he or she uses with subordinates. Keep them informed of what does and does not work. Since this type of leader is interested in results, your opinions will be heeded.

Leader #4: The Develop Leader

This leader goes a step beyond the Participatory Leader. The Develop Leader fosters staff self-esteem, autonomy and competence. Techniques for success are isolated and taught to subordinates as the need arises. The Develop Leader empowers staff and nurtures a feeling of reverence, not in the boss, but in employees themselves.

There is often a high staff turnover rate for employees of develop leaders. But it is a good one because it is upward. Because this type of leader creates such a high level of competence amongst the ranks through professional development and project management, there is always someone to take over when someone moves up.

Keep Your Boss Happy

- Learn what your boss expects and values.
- Strive for high quality results.
- Solve as many problems as possible without the help of your boss.
- Keep your boss informed.
- Be your strongest critic.
- Get regular feedback from your boss.
- Differ with your boss only in private.
- Save money and earn revenue.
- Be a good leader yourself.
- Promote only valuable ideas.
- After all, your boss is not interested in the storms you encountered, but whether you brought in the ship.

About the Author

Canadian Management Centre offers a variety of professional development, project management, marketing and management training seminars.
http://www.cmctraining.org/projectmanagement.asp

Article Source: Content for Reprint