Information Security Program
Boise State University will continually develop, implement, and maintain a comprehensive information security program. The information security program will be written in one or more readily accessible parts and contain administrative, technical, and physical safeguards that are appropriate to Boise State University given the size and complexity of our operations, the nature and scope of its activities, and the sensitivity of university’s information.
All safeguards shall be reasonably designed to achieve the following objectives:
- Insure the security and confidentiality of customer information,
- Protect against any anticipated threats or hazards to the security or integrity of such information, and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the University.
Required Elements of Our Information Security Program
Designated Coordinator: Boise State designates the Chief Information Security Officer as the responsible party to update and coordinate its information security program.
Risk Assessment: Boise State will strive to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks.
The Boise State risk assessments, whether formal or ad hoc, will include consideration of risks in each relevant area of the University’s operations, including but not limited to:
- Employee security awareness training,
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal, and
- Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
Safeguards & Testing/Monitoring: Boise State will design and implement information safeguards to control the risks identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
Evaluation & Adjustment: Boise State will evaluate and adjust its information security program in light of the results of the required testing and monitoring, as well as for any material changes to our operations or business arrangements or any other circumstances that it has reason to know may have a material impact the University’s information security program.
Overseeing Service Providers: A service provider is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the University. Boise State will take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the University’s information at issue and require our service providers by contract to implement and maintain such reasonable safeguards.
Program requirements adapted from FTC regulations: 16 CFR 313.3(n) and 16 CFR 314.1–5, Gramm-Leach-Bliley Act: Sections 501 and 505(b)(2), U.S. Code: 15 USC 6801(b), 6805(b)(2)
Created: January 2015
Last Update: August 2022
Next Review: February 2023