On May 1, a new Information Security Plan will be implemented at Buena Vista University (BVU). This is in response to new requirements from the Federal Department of Education, according to an email sent to out to faculty in February. A committee was formed to develop the new plan.

The committee, headed by Chief Information Officer Mark Lumsden, is made up of members who are in central roles in handling sensitive and personal information on BVU campus. They have been meeting every week since the beginning of January to work on the new Information Security Plan.

“The core of what the Information Security Plan really is trying to do is ensure that as a university we are taking all precautions to make sure that sensitive information and personally identifiable information is protected,” Lumsden says.

Some of the goals of the plan include a formal faculty and staff training program, an Internal Security Maturity Assessment, development of a plan for the disposal of all data (paper and electronic), and revising and updating policies and procedures.

Lumsden says these initiatives were created in response to regulations within federal laws like Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), and Gramm-Leach-Bliley Act (GLBA).

BVU also had a third party come in to inspect the university and its information security, according to Lumsden. The direct result of this inspection are the initiatives taken up by the committee to be implemented in the Information Security Plan.

Before the Information Security Plan became a priority, Lumsden says that information security was less formal.

“The things in the plan were happening. We had policies, but they weren’t specifically focused on these acts, these laws that we have to follow. They were more general in terms. We are writing policies that are very, very specific now,” he says.

Not only are they creating more specific policies as a result of the inspection, but they are carrying out specific efforts to educate faculty, staff, and students about information security, as well as new ways to protect personal and private information.

One of the educational opportunities established by the committee was the Phishing ACES that many people attended. Another procedure they have recently put into effect is the online training program that is required by all faculty and staff. The BVU News announcement by Lumsden states that all faculty and staff must complete two interactive videos about safeguarding all personally identifiable information and general data protection by June 15.

While the plan has been put in place at the beginning of May, the program will constantly be changing from year to year. Lumsden says that the third-party company will assess the state of the university’s information security annually and suggest next steps to be taken each time.

“The importance of information security is really trying to ensure that people aren’t damaged by the loss of information, secure information,” says Lumsden. “The last thing that we want to have happen is that somebody gets ahold of that data and uses it in a bad way.”

With the plan coming close to fruition, Lumsden stresses that information security is up to everyone—faculty, staff, and students.

“The responsibility to secure personally identifiable information, like social security numbers, is everyone’s responsibility,” Lumsden says. “We [IT] can’t control the ‘human element,’ if you will. There’s always a way around a security system.”