Roles and Responsibilities
________________________________________
Document Number: REDFLAG--103
Revision #: 2.0
Document Owner: VP of Business and Finance
Date Last Updated: 04/25/2018
Primary Author: VP of Business and Finance
Status: Approved
Date Originally Created: 12/14/2011
________________________________________
General Description
Description:
Definitions of roles and responsibilities relative to the Red Flags Identity Theft Policy.
Purpose:
Delineation of definitions.
Scope:
All faculty, staff, students, and administrators
Responsibility:
Administration
VP of Business and Finance
________________________________________
Requirements
Relevant Knowledge:
Current University policy
Federal statutes
Standard company policies
Standards of good practice
State statutes
Terms and Definitions:
Additional training
Corrective Action
________________________________________
Policy Provisions
1. Roles and Responsibilities
1.1 University Administration
The University Administration is responsible for the design, implementation, and oversight of the Identity Theft Prevention Program. However, if it is not feasible for the University Administration to be directly involved, it may appoint a member of senior management to be charged with these responsibilities. This designated Identity Theft Prevention Officer must seek University Administration approval on policy decisions. They must report to the board at least annually on the state of the Identity Theft Prevention Program.
1.2 Identity Theft Prevention Officer
The Identity Theft Prevention Officer is responsible for the following:
1. Risk Assessment – Conduct periodic risk assessments of Confidential and Sensitive Information handling methods.
2. Design – Design of more specific or new policy guidelines as needed.
3. Implementation – Conduct training for employees on a periodic basis.
4. Monitor – Evaluate the policy and procedures regularly.
5. Enforce - Take disciplinary action with employees as needed.
6. Response Plan – Create a plan to respond to security incidents.
1.3 Employees
All personnel are responsible for adhering to these guidelines, and for reporting any security incidents to the Identity Theft Prevention Officer immediately.
1.4 Service Providers
The level of responsibility given to service providers for security reasons depends on the scope of their service offering. Each will be responsible according to their direct or indirect access to information. In either case, service providers will be held accountable for their conduct and agreements must delineate where the University’s liability ends and where the service provider’s liability begins.
1. Direct Access to Information. A service provider is considered to have direct access to information when they perform an activity with employee or customer information on behalf of the University. If information is shared, then the service provider must have an Identity Theft Prevention Policy that complies with or exceeds the best practices of colleges and universities.
2. Indirect Access to Information. A service provider is treated differently when they have indirect access to information. These are service providers that are working in the proximity of Confidential and Sensitive Information in the business, but their function does not involve sharing information. In this type of relationship, the service provider must comply with this Identity Theft Prevention Policy.
________________________________________
Performance Evaluation
Performance Metrics:
Compliance with standard policy and procedure
Compliance with federal mandate
Consequences:
Further training
________________________________________
Subject Experts
The following may be consulted for additional information.
VP of Business and Finance