Information Security Program

Information Security Program



Criswell College is required by the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations at 16 CFR Part 314, to implement and maintain a comprehensive written Information Security Program (“ISP”) and to appoint a coordinator for the program. The objectives of the ISP are to (1) insure the security and confidentiality of covered information; (2) protect against anticipated threats or hazards to the security and integrity of such information; and (3) protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to customers.

Related Policies

This ISP is in addition to existing Criswell College policies and procedures that address various aspects of information privacy and security, including but not limited to, Academic Records Policy, Financial Aid Verification, Personal Records, Student Identity Verification, Criswell Acceptable Computer Use Policy, and the Data Breach Policy.

ISP Coordinator

Criswell College has designated the Senior Director of Information Technology as its ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP.

Covered Information

“Covered information” means nonpublic personal information about a student or other third party who has a continuing relationship with Criswell College, where such information is obtained in connection with the provision of a financial service or product by Criswell College, and that is maintained by Criswell College or on Criswell College’s behalf. Nonpublic personal information includes students’ names, addresses and social security numbers as well as students’ and parents’ financial information. Covered information does not include records obtained in connection with single or isolated financial transactions such as ATM transactions or credit card purchases.

Elements of the ISP

  1. Risk Identification and Assessment. Criswell College’s ISP identifies and assesses external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The ISP Coordinator will provide guidance to appropriate personnel in the President’s Cabinet, and various departments throughout the college for evaluating their current practices and procedures and in assessing reasonably anticipated risks to covered information in their respective areas. The ISP Coordinator will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
  • Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to evaluate the effectiveness of current employee training and management procedures relating to the access and use of covered information.
  • Information Systems. The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to covered information associated with the college’s information systems, including network and software design as well as information processing, storage, transmission and disposal.
  • Detecting, Preventing and Responding to Attacks and System Failures The ISP Coordinator will coordinate with the appropriate personnel to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures.
  1. Designing and Implementing Safeguards.  The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
  2. Overseeing Service Providers. The ISP Coordinator, in conjunction with the Vice President of Finance and a General Counsel if needed will assist in instituting methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for covered information. The ISP Coordinator will work with the Vice President of Finance to develop and incorporate standard, contractual provisions for service providers that will require providers to implement and maintain appropriate safeguards. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
  3. Adjustments to Program. The ISP Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to Criswell College’s operations or other circumstances that may have a material impact on the ISP.


Criswell College admits students who are Christians of good character, without regard or reference to race, national or ethnic origin, color, age, disability, or sex (except where regard to sex is required by the College’s religious tenets regarding gender and sexuality) to all the rights, privileges, programs, and activities generally accorded or made available to students at the school. It does not discriminate on the basis of these classifications in administration of its educational policies, admissions policies, scholarship and loan programs, and other school-administered programs.