The Financial Modernization Act, also known as the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to develop, implement, and maintain a comprehensive information security program containing administrative, technical, and physical safeguards. The GLBA extends to colleges and universities because they participate in financial institution activities, such as making student loans. This policy applies to student loan records in particular as well as other applicable University records.
Consumer means an individual who obtains or has obtained a financial product or service from the University.
Customer means a consumer who has a customer relationship with the University.
Customer information means any record containing nonpublic personal information about a customer of the University, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the University.
Customer relationship means a continuing relationship between a consumer and the University under which the University provides one or more financial products or services.
Information security program means the administrative, technical, or physical safeguards the University uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the University.
The President of the University shall designate an appropriate individual to serve as the Information Security Program Coordinator. The Information Security Program Coordinator must work closely with the Office of the General Counsel and relevant academic and administrative schools and departments throughout the University.
The Information Security Program Coordinator must work with relevant offices of the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; assess the sufficiency of any safeguards in place to control these risks; design and implement information safeguards to control the risks the University identifies through risk assessment; and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
Each University office designated by the Information Security Program Coordinator shall comply with the guidelines set forth in Appendix A to this policy that detail information security procedures.
Relevant offices of the University should determine whether more extensive background or reference checks or other forms of confirmation are prudent in the hiring process for certain new employees, for example, employees handling confidential financial information.
The Information Security Program Coordinator will coordinate with the University’s Internal Auditor to maintain the information security program.
The University shall select appropriate service providers that are capable of maintaining appropriate safeguards for customer information and shall require them by contract to implement and maintain such safeguards. When choosing a service provider that will have access to customer information, the evaluation shall include the service provider's ability to safeguard customer information. Contracts with service providers shall include the following provisions:
The University shall evaluate and adjust the information security program in light of the results of required testing and monitoring, any material changes to the University’s operations or business arrangements, or any other circumstances that the University knows or has reason to know may have a material impact on the information security program.
The Internal Auditor shall periodically audit the University’s compliance with this policy.
The Office of the General Counsel shall be responsible for the development of training for all employees who have access to customer information, as defined previously.
These affected employees typically fall into three categories: information systems personnel who have general access to University data, custodians of such data, and those employees who use such data as part of their essential job duties.
Safeguarding Paper Information
Secure customer information by locking file cabinets and offices when not in use.
Do not leave customer information unattended and unsecured.
Grant access to customer information only to those who need such access.
Comply with other applicable University policies and procedures including but not limited to the University’s Record Retention Policy.
Password-protect computers and systems with access to customer information, and log off computers and systems when access to customer information is no longer needed. Shut down and turn off computers at the end of each day.
Grant access to computers and systems only to those who need such access.
Encrypt customer information when transmitting it electronically.
Monitor systems for actual or attempted attacks, intrusions, or other systems failures.
Comply with other applicable University policies and procedures including but not limited to: