Privacy Policy
Written Information Security Program
Florence University of the Arts - The American University of Florence (FUA) is committed to protecting the confidentiality of all sensitive data that it maintains, including information about individuals who work or study at the Institution. FUA’s Written Information Security Program (“WISP” or “Program”) describes how all information assets are protected through their entire lifecycle: creation, collection, processing, dissemination, use, storage, and secure disposal when no longer required.
FUA’s WISP is a set of comprehensive guidelines and policies designed to safeguard the confidentiality, integrity, and availability of all sensitive and restricted data collected and maintained by and at the Institution. Equally important, it is regularly reviewed and updated to comply with applicable laws and regulations on the protection of Personal Information (PI), as that term is defined below, found in records and systems owned by the Institution.
Data - For the purposes of this Program, “data” refers to all information stored, accessed, or collected at the Institution about members of the Institution community.
Personal Information - Personal Information (PI) is used in this Program in the sense of “personal data” under the GDPR (Regulation (EU) 2016/679, Article 4(1)): any information relating to an identified or identifiable living individual. An individual is identifiable if they can be identified, directly or indirectly, for example by reference to a name, an identification number, location data or an online identifier.
Examples of personal data FUA collects to fulfill its mission in accordance with the law are:
- name and surname;
- home address;
- email address;
- identification card number;
- location data (for example, from the location services of a mobile device such as a phone or laptop);
- Internet Protocol (IP) address;
- phone number;
- data held by a hospital or doctor that identifies a person (health data is also a special category of personal data under GDPR Article 9 and requires additional protection);
- passport number, alien registration number, or other government-issued identification numbers.
OVERVIEW AND PURPOSE
This document has been implemented to comply with security and privacy regulations and standards, including but not limited to:
- General Data Protection Regulation (EU) 2016/679 (GDPR)
- ISO 9000 (quality management family of standards)
- ISO/IEC 27001 (information security management systems)
FUA is committed to protecting the confidentiality of all sensitive data that it maintains.
FUA is required to take measures to safeguard personally identifiable information and, in the event of a personal data breach, to notify the competent supervisory authority (under GDPR Article 33, without undue delay and, where feasible, within 72 hours of becoming aware of the breach), the affected individuals where the breach is likely to result in a high risk to them (GDPR Article 34), and any institutions or organizations involved.
FUA has implemented several policies to protect such information, as described at the end of this document.
OBJECTIVES
FUA ensures the security and privacy of all personal information by following the program’s objectives as outlined below:
- Establishing a comprehensive information security program for FUA with policies designed to safeguard sensitive data that is maintained by the Institution, in compliance with applicable laws and regulations;
- Establishing employee responsibilities in safeguarding data according to its classification level;
- Establishing administrative, technical, and physical safeguards to ensure the security of sensitive data.
SCOPE
The Program applies to all FUA students and employees, whether full- or part-time, including faculty, administrative staff, interns, contract and temporary workers. The Program also applies to certain contracted third-party vendors and hired consultants. The data covered by this Program includes any information stored, accessed, or collected at the Institution or for Institution operations.
GENERAL PROGRAM MONITORING
FUA employs multiple monitoring procedures to protect its information and information system assets. These procedures follow the ISO 9000 family of standards and the requirements of the General Data Protection Regulation (GDPR). Their fundamental focus is to prevent improper disclosure, alteration, and destruction of information assets, and to ensure that transactions are genuine and cannot be disputed (non-repudiation).
FUA information assets are classified as follows:
Confidential - Confidential data refers to any data where unauthorized access, use, alteration, or disclosure could present a significant level of risk to the Institution. All PI, as defined above, is designated as Confidential. Confidential data must be treated with the highest level of security to ensure the privacy of that data and prevent any unauthorized access, use, alteration, or disclosure.
Restricted - Restricted data refers to all other personal and institutional data where the loss of such data could harm an individual's right to privacy or negatively impact the finances, operations, or reputation of the Institution. Any non-public data not explicitly designated as Confidential should be treated as Restricted Data.
Restricted data include, but are not limited to, donor information, research data on human subjects, intellectual property, Institution financial and investment records, employee salary information, or information related to legal or disciplinary matters.
Access to restricted data is limited to individuals who are employed by or matriculate at the Institution and who have legitimate reasons for accessing such data.
A reasonable level of security must be applied to both Confidential and Restricted data to ensure the privacy and integrity of that data.
Public (or Unrestricted) - Public data includes any information for which there is no restriction to its distribution, and where the loss or public use of such data would not present any harm to the Institution or its members (staff and students). Any data that is not classified as Confidential or Restricted should be considered Public data.
GOVERNANCE
FUA’s executive management team actively and visibly supports an information security culture. The FUA ICT Team is responsible for the oversight of institution-wide information risks, which includes all Information Security and Privacy related affairs. All monitoring is governed by policies approved by the Institution's executive management team; standards and procedures define the conventions and steps by which that monitoring is carried out. The status of the Information Security Program is reported regularly to FUA’s Board and executive management team. Specific security roles and responsibilities have been established to oversee and manage information security and privacy risks.
ROLES & RESPONSIBILITIES
FUA Board of Trustees
- Oversee Information Security and Privacy Program activities
- Monitor execution of the program’s strategic objectives
FUA Executive Committee
- Provide Executive Sponsorship/Tone at the top for Information Security and Privacy program and activities
- Accountable to the Board of Trustees for FUA’s security profile
- Inform program of current and future strategy and vision
- Ensure alignment of FUA strategy and Information Security & Privacy goals
- Are informed of FUA’s most significant risks and provide direction in response to them
- Provide management oversight of all aspects of the Information Security & Privacy program
- Provide authorization to operate information systems at an acceptable level of risk
- Approve investments and resource allocation to Information Security & Privacy program
(the following tasks should be carried out by a subset of the FUA Executive Committee)
- Guide Information Security in maintaining alignment between business goals and the Information Security Program principles and objectives
- Guide Information Security related to capital investments
- Guide Information Security related to long term strategic initiatives, execution tactics, and operational impacts
Chief Information Officer (CIO)
- Strategic Planning: Developing and executing a comprehensive IT strategic plan aligned with the university's overall vision, mission, and goals. The CIO must ensure that the university's technology investments are consistent with its long-term objectives.
- Information Technology Governance: Establishing IT governance frameworks, policies, and procedures to guide decision-making related to technology, security, data management, and compliance.
- Technology Infrastructure Management: Overseeing the design, implementation, and maintenance of the university's IT infrastructure, including networks, servers, databases, and other critical systems.
- Data Security and Privacy: Ensuring the security and privacy of sensitive data, including student records, financial information, and research data. This involves implementing robust cybersecurity measures and promoting awareness of data protection among staff and students.
- Innovation and Emerging Technologies: Identifying and evaluating new technologies that can enhance teaching, learning, research, and administrative processes within the university.
- Academic and Research Support: Collaborating with faculty and researchers to provide technology solutions that enhance their teaching, learning, and research endeavors.
- Administrative Systems: Overseeing the development and maintenance of administrative systems, such as student information systems, human resources systems, and financial management systems.
- Budgeting and Resource Management: Managing the IT department's budget and resources effectively to optimize technology investments and ensure cost efficiency.
- Vendor Management: Overseeing relationships with technology vendors and ensuring that the university receives reliable and cost-effective services and products.
- Technology Support Services: Providing technical support services to the university community, including faculty, staff, and students, to resolve technology-related issues.
- IT Policy Compliance: Ensuring that the university's IT practices and procedures comply with relevant laws, regulations, and industry standards.
- Disaster Recovery and Business Continuity: Developing and implementing strategies to safeguard IT systems and data in case of disasters or emergencies, ensuring that the university can continue its operations without significant disruption.
- Technology Training and Awareness: Promoting technology literacy and awareness among faculty, staff, and students through training and educational initiatives.
- Collaboration and Communication: Fostering effective communication and collaboration between IT and other university departments to align technology initiatives with institutional needs.
- Reporting and Evaluation: Regularly reporting on the performance of IT systems and projects to university leadership, and using data-driven insights to improve technology services and processes.
Data Security Coordinator
- Responsible for data content and for the development of the associated business rules, including authorizing access to the data
- The Data Security Coordinators for each constituency group are designated as follows:
Data type | Data Security Coordinator
Academic | Provost
Human Resources | VP for Human Resources
Student | Director of Admissions, Dean of Students
Financial | Chief Financial Officer
Staff and students
- Handle information and information assets in compliance with this Program and as defined in Institution’s policies/standards/procedures
- Consult Information Security and Privacy before implementing solutions
- Escalate suspected incidents to the Helpdesk or Information Security
- Participate in Security and Privacy Awareness Training
SECURITY ARCHITECTURE
A multi-layer security architecture supports the Institution's business infrastructure. The security architecture enables the effective deployment of security resources that include policy, standards, and risk-based decisions, enabling technical decisions in support of the Institution's business goals and the management of its information assets.
FUA employs active network perimeter and monitoring tools. Where possible, encryption is enforced at rest (in application databases, on portable media, backup media, desktops, and laptops) and in transit (in data transmissions). The Institution also enforces endpoint protection.
MANAGEMENT MONITORING
RISK MANAGEMENT
FUA recognizes that there are both internal and external risks to the privacy and integrity of Institution information. These risks include, but are not limited to:
- Unauthorized access of Confidential/Restricted data by someone other than the owner of such data or authorized personnel
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data in a disaster
- Errors introduced into the system
- Corruption of data or systems
- Unauthorized access of Confidential/Restricted data by employees
- Unauthorized requests for Confidential/Restricted data
- Unauthorized access through hard copy files or reports
- Unauthorized transfer of Confidential/Restricted data through third parties
This may not be a complete list of the risks associated with the protection of Confidential and Restricted data. Since technology changes continually, new risks arise regularly. Accordingly, the Institution’s CIO will actively follow and monitor advisory sources such as the CVE list and the SANS Internet Storm Center for the identification of new risks.
VENDOR MANAGEMENT AND MONITORING
The Institution exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for PI provided to them by the Institution. All relevant contracts with these third parties are reviewed and approved to ensure that they contain the necessary language regarding the safeguarding of PI. It is the responsibility of the Chief Information Officer to confirm that third parties are contractually required to maintain security measures to protect PI consistent with this Program and with all applicable laws and regulations.
PERSONNEL AND AWARENESS
The Institution promotes security awareness through email messages, formal instruction, and newsletters. All employees are required to complete ongoing information security training. Training consists of a core security curriculum plus additional materials based on the employee's role.
Training is provided monthly via an online training platform, with each module covering a different topic related to information security. Employees must also read and re-sign FUA’s Information Systems Acceptable Use Policy annually.
The training goals are to ensure that Employees:
- Understand and utilize techniques to minimize security threats
- Know how to respond to security incidents diligently
- Are aware of the policies, standards, and procedures that protect Institution information assets
FUA reviews and updates all training content on an annual basis to ensure that it reflects changes to FUA’s regulatory and legal environment and policies.
TECHNICAL AND OPERATIONAL CONTROLS
FUA Information Privacy Policy
The Institution has adopted an Information Privacy Policy, which establishes policies and procedures that protect the information it gathers and retains about students, employees, and community visitors. See the Information Privacy Policy document.
Access & Storage of Confidential Data
- Only employees and authorized third parties that require access to Confidential data in the regular course of their duties are granted access to this data, including both physical and electronic records.
- All electronic records containing Confidential data must be stored only within approved, secured information systems.
- Confidential data must be stored on cloud-based storage solutions that are supported by the Institution and accessed through Institution accounts, such as Google Drive and Microsoft OneDrive.
- Paper records containing Confidential data must be kept in locked files or other secured areas when not in use. While storage in a locked office is minimally acceptable, employees should work with their supervisors to find solutions that offer greater long-term security, since many individuals have access to offices that are not their own.
- Upon termination of employment or relationship with FUA, electronic and physical access to documents, systems, and other network resources containing Confidential and Restricted data is immediately terminated.
- Transportation of Confidential Data outside the FUA internal network, when needed, should take place only by encrypted network connections. Storing Confidential Data on personal devices such as smartphones, computers, USB pen drives, external hard drives, etc. is not permitted.
Access and Storage of Restricted Data
- Access to Restricted Data is limited to members of the community who have a legitimate business need for the data.
- Restricted Data can be stored on the FUA Moodle learning management system since this is a primary point of academic interaction between students and instructors.
- Documents containing Restricted Data should not be posted publicly.
Destruction of Data
When Confidential or Restricted Data are no longer needed for the purpose for which they were acquired, or the prescribed retention period has expired, they must be destroyed in a manner that prevents their recovery.
Institution email policy
A detailed description on the appropriate use of the Institution’s email service is available in the email policy document.
ACCESS CONTROL
FUA manages access control, identification, and authorization through established policies and procedures that grant access using the principle of least privilege as the guiding tenet, the use of strong passwords, and the approval of access by the information owners. Access to Institution assets is audited on a user and application level at defined frequencies and criticality as stated in the User Account Review Policy.
Upon termination, the employee is required to surrender all Institution assets, keys, IDs, access codes, badges, business cards, and the like that permit access to the Institution's premises or information. Moreover, the terminated employee's remote electronic access to personal information will be disabled, and their voicemail access, e-mail access, internet access, and passwords will be disabled or invalidated.
FUA has adopted a Remote Access Policy, guiding remote access to the Institution networks and data. It should be understood as a complementary policy to the guidelines contained in this Program.
FUA provides wireless access so that students, staff, and faculty can reach information assets while on campus. Access to campus wireless networks requires the use of individually issued Wi-Fi vouchers.
USER AUTHENTICATION AND PASSWORD CONTROL
FUA has adopted a User Authentication and Password Control Policy, which establishes policies and procedures covering user authentication, password control, and network access. It should be understood as a complementary policy to the guidelines contained in this Program.
PHYSICAL SECURITY
The Institution’s work areas are secured to protect its information assets and ensure privacy. Documents and media are stored in the manner prescribed by the policies and procedures governing information protection. The Institution strictly enforces a clean-desk policy. All data centers and network distribution rooms are equipped with automatic door closers and locking hardware. Keys that provide access to these facilities are restricted to Information Technology Department (IT) staff members and to individuals whose Institution roles require access to all facilities, such as administrators, maintenance staff, and security officers. Employees who are not authorized for unescorted access, guests, and vendors entering these facilities must be accompanied by a member of the Institution staff at all times.
The Institution’s work environment is equipped with the required physical and environmental safety controls, and FUA reviews the appropriateness of these controls on an annual basis. Screen and laptop locks are required and in use. The Institution ensures that all computer hardware is secured, either in locked rooms or by other security measures, to prevent loss through theft, and maintains a hardware inventory for identification and retrieval purposes. Filing cabinets and drawers are locked when not in use. Security guards control building entry. Security cameras are in operation and monitored.
SYSTEMS AND COMMUNICATION PROTECTION
FUA has implemented essential controls to assure secure information transmission, following the security principle of defense in depth. FUA’s system and communications protection strategy focuses on perimeter and boundary protections; network, gateway, and application-level malware and virus protection; public access protection; and the encryption of information. These protections are governed by strict rules-based standards and administration processes. Audit trail reviews are conducted proactively and regularly to alert on anomalies.
To combat external risks to the security, confidentiality, and integrity of any electronic records containing PI, the Institution has implemented, and will maintain, the following technical systems and processes:
- Redundant network firewall systems which are regularly updated with malware protection and operating system security patches.
- Antivirus and anti-malware software installed on all Institution servers and computer workstations. The virus signature databases of these tools are refreshed at least daily.
- Encryption software for Institution desktops, laptops, and other portable devices, to prevent any loss of Confidential or Restricted data that might be inappropriately stored locally on these devices. Encryption here means the transformation of data using an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.
- Virtual Private Networks have been established between the Institution and vendors providing critical hosting services for the Institution’s Student Information Management System. These VPNs are encrypted to prevent external interception of Confidential or Restricted data.
- Operating system patches and security updates are installed on all servers on a regular schedule.
INCIDENT REPORTING AND RESPONSE PLANNING
Any incident of possible or actual unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of PI, or of a breach or attempted breach of the information safeguards adopted under this Program, must be reported immediately to the CIO, who will coordinate the Institution’s response. FUA ensures that all employees, contractors, and temporary workers are trained to report suspected incidents promptly.
FUA has adopted an Information Security Incident Response Policy regarding the response and reporting to any Information Security Incident. It should be understood as a complementary policy to the guidelines contained in this Program.
REGULAR MONITORING AND DETECTION OF SECURITY FAILURES
The Institution’s CIO will oversee regular internal network security audits performed on all server and computer system logs to discover, to the extent reasonably feasible, possible electronic security breaches, and to monitor the system for possible unauthorized access to or disclosure, misuse, alteration, destruction, or other compromise of Institution data. Additionally, centralized logging systems are configured to look for anomalous behavior or unauthorized access to Confidential or Restricted data and provide alerts and regular reports to the CIO.
CHANGE CONTROL POLICY
The purpose of the Change Control Policy is to establish a structured process for managing changes to information technology systems, applications, and infrastructure within the Institution.
BUSINESS CONTINUITY AND DISASTER RECOVERY
As FUA is committed to ensuring uninterrupted service delivery, safeguarding sensitive information, and maintaining the trust of its stakeholders, the Institution has developed and maintains a Business Continuity and Disaster Recovery plan as well as a Network Backup Policy. Whether facing natural disasters, cyber attacks, supply chain interruptions, or any other unexpected incidents, this plan aims to minimize downtime, ensure the availability of critical resources, and facilitate a swift return to normal operations.
CROSS-REFERENCE POLICIES
The following FUA policies provide advice and guidance as related to this Program:
- Information Systems Acceptable Use Policy
- Information Privacy Policy
- User Account Review Policy
- Remote Access Policy
- User Authentication and Password Control Policy
- Information Security Incident Response Policy
- Change Control Policy
- Business Continuity and Disaster Recovery plan
- Network Backup Policy
- Institution Email Policy