VIII. Implementation Priority
Tufts University places a priority on protecting combinations of personal information, the unauthorized disclosure of which is most likely to cause substantial harm such as identity theft and major financial fraud. High-risk personal information combinations include the use of names in combination with financial account numbers, Social Security Numbers and/or state-issued ID numbers.
IX. Program Components
The Program will include the following components:
a. Information Stewards
Information Stewards are appointed within each division or school of the University. The Information Stewards will assist their managers in developing a framework to implement and maintain the Program, using resources provided by the Program as well as local resources.
b. Information Stewardship Committee
Members of the Committee will provide guidance on information security policy and on the development of resources for compliance with the Program and the law.
c. The Office of University Counsel
The Office of University Counsel coordinates the delivery of all legal services on behalf of Tufts University. This office provides advice and support to the University's administrative and academic departments on legal matters and the development of related policy and Program oversight.
d. University Information Technology – Information Security
University Information Technology delivers information technologies to the Tufts community in support of teaching, learning, research, administration, and outreach. UIT’s Directorate of Information Security provides technical guidance and support to the University’s administrative and academic departments.
e. Training
The University will provide personnel training on how to handle personal information appropriately as part of their job responsibilities.
Information—such as new tools, policies, or best practices—will be disseminated to organizational units in a timely manner.
g. Policies and Procedures
The University will create policies and procedures to protect the confidentiality of personal information and to comply with the requirements of the Data Regulations.
h. Tools & Resources
The University will make appropriate software, hardware, guidelines, and other resources available to business units to help ensure the confidentiality of personal information.
The buildings, networks, and appliances that comprise the work environment of the business units at Tufts and help support secure management of personal information.
j. Vendor Management
The process for ensuring that vendors contractually comply with applicable law concerning the secure handling and disposition of personal information and meet Tufts’ legal requirements.
k. Monitor & Audit
The process for checking compliance with the Program.
l. Security Breach Response
The controlled process for investigating a potential security breach, mitigating the impact of a breach, and taking appropriate notification and corrective action as necessary.