Financial Information Security Program (GLBA)
The University takes seriously its responsibility to safeguard personal data and its obligation to comply with various federal and state laws related to the protection of personal, sensitive or otherwise protected data it collects. The Federal Trade Commission’s Safeguards Rule and the Gramm–Leach–Bliley Act (“GLBA”) require that the University implement an information security program designed to protect and safeguard nonpublic personally identifiable financial information which it has collected for the purpose of offering a financial product or service. The University has an institution-level Information Security Policy and related Standards and Guidelines which describe elements of the University’s overall information security program and which include the protection of all nonpublic University information. This Financial Information Security Program (GLBA) document, supplemental to University Policy 311.2, Financial Information Security Program Regulation (GLBA), is intended to provide additional information specifically related to the GLBA Safeguards Rule, including the following program elements:
- to ensure the security and confidentiality of customer information in compliance with applicable GLBA rules as published by the Federal Trade Commission;
- to safeguard against any anticipated threats or hazards to the security or integrity of such records;
- to guard against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to any customer.
II. Scope of the Program
The Financial Information Security Program (GLBA) applies to any record containing nonpublic personally identifiable financial information about a student or other third party who has a relationship with the University under which the University provides one or more financial products or services (“customer”), whether the record is on paper, electronic or other form that is handled or maintained by or on behalf of the University or its affiliates. For these purposes, the term nonpublic personally identifiable financial information shall mean any information:
- provided by a student or other third party in order to obtain a financial service from the University,
- about a student or other third party resulting from any transaction with the University involving a financial service, or
- otherwise obtained about a student or other third party in connection with providing a financial service to that person.
III. Financial Information Security Program (GLBA) Components
The Office of OneIT maintains a comprehensive, written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information. The Chief Information Security Officer (CISO) is responsible for overseeing, maintaining, and implementing the information security program for the University. The FTC Safeguards Rule requires that the security program include the processes and safeguards listed below.
A. Risk Assessment
As part of the program, the University will conduct periodic risk assessments that identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic personally identifiable financial information (“covered data”) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
The documented risk assessment will include the following:
- employee training management;
- criteria for evaluating and categorizing security risks and threats to information systems;
- detecting and responding to security incidents and events;
- criteria for assessing adequacy of security safeguards;
- information describing how identified risks will be mitigated or accepted.
Based on the risk identification and assessment process, safeguards will be implemented, monitored, and maintained by the University that are reasonable and sufficient to provide security and confidentiality for covered data maintained by the University. Additionally, these safeguards will protect against currently anticipated threats or hazards to the integrity of such information.
The GLBA Committee will identify units and areas of the University with access to nonpublic personally identifiable financial information and will maintain a list of these areas that must be compliant. Members of the GLBA Committee will evaluate the effectiveness of the University’s procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the University’s current standards and procedures in this area as well as the training of employees who have access to nonpublic personally identifiable financial information.
- Employees with access to nonpublic personally identifiable financial information will receive proper training on the importance and appropriate use and sharing of confidential student records, student financial information, and all other covered data and information.
- Employees with access to nonpublic personally identifiable financial information will be required to take Security Awareness Training on a recurring annual basis.
- The list of employees with access to nonpublic personally identifiable financial information will be verified and updated annually.
- Employees with access to nonpublic personally identifiable financial information will receive instructions regarding the controls and procedures in place regarding how to properly dispose of documents that contain covered data.
The GLBA Committee will assess the risks to nonpublic personally identifiable financial information associated with the University’s information systems, including the storage, transmission and disposal of nonpublic financial information. This evaluation will include assessing the University’s current standards and guidelines associated with University Policy 311. The GLBA Committee will also assess procedures for monitoring potential information security threats to limit the risk of unauthorized access to covered data. This may include limiting access to covered data and information to only those employees who have a legitimate business reason to access such information, maintaining appropriate screening programs to detect computer hackers and viruses, and performing appropriate management of information systems.
Security Incidents and Events
The Office of OneIT maintains a written plan for responding to any security event that may materially affect the confidentiality, integrity, or availability of customer information. The CISO is responsible for maintaining appropriate procedures and methods for detecting, preventing and responding to attacks or other system failures and will evaluate the incident response procedures on an annual basis. The CISO will notify the FTC regarding a security breach involving nonpublic personally identifiable financial information as stipulated in the FTC’s Safeguards Rule.
B. Security Safeguards and Monitoring
The CISO will ensure that the relevant components of the University’s IT environment are managed consistent with the information security program’s risk strategy and will work closely with the other members of the GLBA Committee to ensure that appropriate safeguards are implemented to control the risks identified through assessments. Safeguards will include the following:
- implement and periodically review access controls for those with access to covered data;
- maintain an inventory of systems that house covered data;
- encrypt customer information at rest and in transit over external networks;
- establish secure development practices for in-house software and applications;
- require the use of multi-factor authentication for anyone accessing covered data;
- establish procedures for the secure disposal of covered data;
- adopt change management procedures; and
- maintain a log of authorized users’ activity and monitor activity of unauthorized users in order to detect unauthorized access or use of customer information.
Regular testing of the effectiveness of safeguards will include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually). Testing and monitoring may be accomplished through existing network monitoring, vulnerability assessment and management, access control audits, and training validation.
C. Overseeing Service Providers
In the course of business, the University may appropriately share covered data with third parties. This Financial Information Security Program (GLBA) will ensure that reasonable steps are taken to select service providers that are capable of maintaining appropriate safeguards. The University has developed standard contractual protections applicable to third-party service providers. The language related to implementing and maintaining appropriate safeguards is included in contracts and agreements with service providers who may require access to nonpublic financial information. As part of the University’s procurement process, those vendor contracts for technology that require access to nonpublic financial information will undergo a security review to ensure compliance with maintaining appropriate safeguards of covered data.
IV. Program Maintenance and Annual Reports
The GLBA Committee will evaluate and adjust the program based on the risk identification and assessment activities undertaken pursuant to the program, as well as any material changes to the University’s operations, business arrangements, or other circumstances that may have a material impact on the program.
Written reports will be provided to the Board of Trustees periodically (at least annually) regarding all material matters relating to the Financial Information Security Program (GLBA).
- Approved by the CIO, December 13, 2022