The Financial Modernization Act, also known as the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to develop, implement, and maintain a comprehensive information security program containing administrative, technical, and physical safeguards. The GLBA extends to colleges and universities because they participate in financial institution activities, such as making student loans. This policy applies to student loan records in particular as well as other applicable University records.
The above-referenced safeguards are intended to:
- ensure the security and confidentiality of customer information,
- protect against any anticipated threats or hazards to the security or integrity of such information, and
- protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Consumer means an individual who obtains or has obtained a financial product or service from the University.
Customer means a consumer who has a customer relationship with the University.
Customer information means any record containing nonpublic personal information about a customer of the University, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the University.
Customer relationship means a continuing relationship between a consumer and the University under which the University provides one or more financial products or services.
Information security program means the administrative, technical, or physical safeguards the University uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
Nonpublic personal information means:
- personally identifiable financial information, and
- any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Personally identifiable financial information means:
- any information a consumer provides to the University to obtain a financial product or service from the University
- any information about a consumer resulting from any transaction involving a financial product or service between the University and the consumer
- any information the University obtains about a consumer in connection with providing a financial product or service to that consumer.
Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the University.
The GLBA requires the University to:
- Designate an employee or employees to coordinate the information security program.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of University operations, including:
- employee training and management;
- information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
- detecting, preventing, and responding to attacks, intrusions, or other systems failures.
- Design and implement information safeguards to control the risks the University identifies through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- Oversee service providers by:
- taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and
- requiring service providers by contract to implement and maintain such safeguards.
- Evaluate and adjust the information security program in light of:
- the results of the testing and monitoring required by paragraph 3 of this section,
- any material changes to the University’s operations or business arrangements, or
- any other circumstances that the University knows or has reason to know may have a material impact on the information security program.
Information Security Program Coordinator
The President of the University shall designate an appropriate individual to serve as the Information Security Program Coordinator. The Information Security Program Coordinator must work closely with the Office of the General Counsel and relevant academic and administrative schools and departments throughout the University.
The Information Security Program Coordinator must work with relevant offices of the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; assess the sufficiency of any safeguards in place to control these risks; design and implement information safeguards to control the risks the University identifies through risk assessment; and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
Each University office designated by the Information Security Program Coordinator shall comply with the guidelines set forth in Appendix A to this policy that detail information security procedures.
Relevant offices of the University should determine whether more extensive background or reference checks or other forms of confirmation are prudent in the hiring process for certain new employees, for example, employees handling confidential financial information.
Network Computing Services shall maintain and provide access to policies and procedures that:
- protect against any anticipated threats or hazards to the security or integrity of electronic customer information, and
- protect against unauthorized access to or use of such information.
The Information Security Program Coordinator will coordinate with the University’s Internal Auditor to maintain the information security program.
The University shall select appropriate service providers that are capable of maintaining appropriate safeguards for customer information and shall require them by contract to implement and maintain such safeguards. In the process of choosing a service provider that will have access to customer information, the evaluation process shall include the ability of the service provider to safeguard customer information. Contracts with service providers shall include the following provisions:
- a stipulation that confidential information shall be held in strict confidence and accessed only for the explicit business purpose(s) of the contract;
- a guarantee from the service provider that it will protect confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers’ confidential information; and
- a provision allowing for the return or destruction of all confidential information received by the service provider upon completion of the contract.
The University shall evaluate and adjust the information security program in light of the results of required testing and monitoring, any material changes to the University’s operations or business arrangements, or any other circumstances that the University knows or has reason to know may have a material impact on the information security program.
The Internal Auditor shall periodically audit the University’s compliance with this policy.
The Office of the General Counsel shall be responsible for the development of training for all employees who have access to customer information, as defined previously.
These affected employees typically fall into three categories: information systems personnel who have general access to University data, custodians of such data, and those employees who use such data as part of their essential job duties.
Safeguarding Paper Information
Secure customer information by locking file cabinets and offices when not in use.
Do not leave customer information unattended and unsecured.
Grant access to customer information only to those who need such access.
Comply with other applicable University policies and procedures including but not limited to the University’s Record Retention Policy.
Safeguarding Electronic Information
Password-protect computers and systems with access to customer information, and log off of computers and systems when access to customer information is no longer needed. Shut down and turn off computers at the end of each day.
Do not leave customer information unattended and unsecured.
Grant access to computers and systems only to those who need such access.
Encrypt customer information when transmitting it electronically.
Monitor systems for actual or attempted attacks, intrusions, or other systems failures.
Comply with other applicable University policies and procedures including but not limited to:
- the University’s Computer Resources Policies and Procedures, and
- the University’s Record Retention Policy.