91社区

ITS Policies & Procedures

GLBA Compliance Policy

Policy #: LFC.ITS.14
Date: 11/28/2023
Author: LFC ITS
Version: 1.0
Status: Approved

OVERVIEW

Pursuant to the Gramm Leach Bliley Act (GLBA) Safeguards Rule codified at , the Federal Trade Commission required institutions handling non-public customer information to adopt an Information Security Program no later than June 9, 2023 and develop, implement, and maintain safeguards to protect the security, confidentiality, and integrity of customer financial records and related non-public personally identifiable financial information. Certain activities conducted by 91社区 are subject to the GLBA. The GLBA does not contain an exemption for colleges or universities.

1. PURPOSE

To ensure that all required elements are in place for 91社区 to be fully compliant with the Gramm-Leach Bliley Act (GLBA) including the Federal Trade Commission’s (FTC’s) . The full text of Part 314 – Standards for Safeguarding Customer Information can be found on the website. It is important to note effective date of Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are as of June 9, 2023. At the time of publication for this policy, a pending "Final Rule" with mandatory reporting to the FTC for security events involving Covered Data is expected to become effective May 13, 2024.

2. SCOPE

This policy applies to any division, department or business unit of 91社区, any Service Provider of 91社区, and any Related Entities of 91社区, that collects, stores or processes Covered Data in connection with the delivery of Financial Services (as defined below in this Policy). This obligation is in addition to any other College policies and procedures adopted pursuant to international law or U.S. federal and state laws and regulations for the protection of personal data, including the Family Educational Rights and Privacy Act (FERPA).

3. HISTORY

The Gramm-Leach Bliley Act (GLBA) enacted in 1999 is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information-sharing practices and to safeguard sensitive information. It is comprised of three rules:
  1. The Pretexting Rule is designed to counter identity theft; the College must have mechanisms in place to detect and mitigate unauthorized access to personal, non-public information (such as impersonating a student to request private information by phone, email, or other media.)
  2. The Privacy Rule is designed to govern the collection and disclosure of customers’ personal financial information by financial institutions.
  3. The Safeguards Rule is designed to ensure the administrative, technical, and physical safeguarding of personal, non-public customer information. The Safeguards Rule requires the College to develop, implement, and maintain a Comprehensive Information Security Program (or "CISP") containing administrative, technical, and physical safeguards that are appropriate for the size, complexity, and nature of its activities, in order to:
    • Ensure the security and confidentiality of customer records and information.
    • Protect against any anticipated threats or hazards to the security or integrity of such records.
    • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
While GLBA has been around for years, its impact increased for colleges and universities when the Office of Management and Budget (OMB) released the Compliance Supplement in July 2019, containing a new audit objective designed to assess institutional compliance and to ensure higher education institutions adhered specifically in their collection, storage, and use of student financial records containing Personally Identifiable Information (PII.)
In December 2021, the FTC revised the Safeguards Rule. Many of the provisions went into effect 30 days later, and other requirements were effective Dec. 9, 2022. Finally, the FTC provided a six-month extension through June 9, 2023. At a virtual Federal Student Aid conference in December 2022, the Department of Education Office of Inspector General informed institutions about the changes to the Safeguards Rule and the requirements for compliance in the single audit/federal awards program audit. The Department of Education then issued on February 9, 2023 to provide clear guidance to higher educational institutions.

4. COVERED DATA TYPES

By way of example, the type of Covered Data regulated by the GBLA includes the following:
  • Information provided by an applicant or student to obtain a loan or extension of credit from the College, a private lender, or the federal government;
  • Information provided by a student to regularly receive refunds or make payments by wire transfer or debit card;
  • Information from a consumer report regarding a student to receive a loan;
  • Information from an employee or student to license real property from the College;
  • Account balance information, payment history, overdraft history, and credit or debit card purchase information;
  • Any information provided by a student in connection with collecting on or servicing an account;
  • Personal information collected through an internet cookie for the provision of Financial Services (as defined below) by the College.

5. RESPONSIBLE DIVISIONS

The following divisions within the College handle Covered Data in the delivery of services:
  • Enrollment (Admissions, Financial Aid, Student Accounts)
  • Advancement Office
  • Business and Finance
  • Human Resources
  • Information Technology Services
  • Student Affairs / Residence Life / Health and Wellness
  • Academic Affairs / Registrar's Office
  • Athletics / CAC

6: PROGRAM REQUIREMENTS

As of December 9, 2021, the Gramm-Leach Bliley Act (GLBA) Safeguards Rule mandates that institutions and servicers under FTC jurisdiction are required to develop, implement, and maintain a written, comprehensive information security program. The FTC’s regulations require that the information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.
An institution or servicer’s written information security program must include the following nine elements per FTC regulations:
Element 1: Designates a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information security program (16 C.F.R. 314.4(a)).
Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).
Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program (16 C.F.R. 314.4(g)).
Element 8: Addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
Element 9: Addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).

7: COMPREHENSIVE INFORMATION SECURITY PROGRAM

The College maintains GLBA compliance through the following efforts, activities, policies, and procedures:
7.1 Qualified Individual: The position of Information Security Manager (ISM) was created in 2023 to advise the Chief Information Officer (CIO), develop the administrative and technical safeguards in the CISP, to implement the Information Security Plan, and to regularly evaluate and modify College security controls as necessary.
7.2 Risk Assessment: On an annual basis, the College performs information security risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of information and the sufficiency of safeguards in place to control these risks.
7.3 Design and implement safeguards: The successful design and implementation of safeguards requires the College to:
  • Implement and periodically review access controls;
  • Periodically inventory Covered Data in all its forms and on all systems;
  • Encrypt Covered Data in storage, in transit, and in use;
  • Implement secure development practices for internal applications;
  • Implement strong authentication such as Multi-Factor Authentication (MFA):
  • Dispose of Covered Data securely:
  • Enforce Change Management controls to continually evaluate whether IT infrastructure changes may compromise designed security controls; and
  • Log and monitor systems storing, processing, or handling Covered Data to detect unauthorized access.
7.4 Monitor and Test Safeguards: The College regularly monitors systems storing, processing, and handling Covered Data and periodically arranges for penetration testing services to assess the capabilities of its administrative and technical security controls.
7.5 Train Staff: College employees are regularly provided with training on secure data handling practices, general security awareness, and specific types of phishing and social engineering attacks.
7.6 Service Provider Oversight: The College evaluates and selects service providers with the skills and experience to maintain appropriate safeguards. All College contracts must enumerate specific information security expectations and provide for periodic reassessments of their suitability for ongoing partnership.
7.7 Adjustments to Program:The College shall consider the results of penetration tests and other periodic security assessments, officially perform an annual review of all technical and administrative safeguards, determine how well they continue to protect Covered Data against the tactics, techniques, and procedures of modern threat actors, and either fine-tune existing controls or develop new ones in response to any identified weaknesses.
7.8 Incident Response Plan: The College maintains an Incident Response Plan which includes goals, internal processes, roles and responsibilities, and planned processes for communication, information sharing, remediation, documentation, and post-mortem efforts to improve the CISP and/or safeguards going forward.
7.9 Annual Reporting: The ISM shall provide the CIO with a written annual Information Security & Compliance report for the College. Such reports shall contain overall assessments of the College's compliance with the CISP, cover specific topics related to the program such as risk assessment, risk management and control decisions, service provider arrangements, penetration test results, identified security events and response efforts, and any recommendations for changes in the information security program.
Further details on the CISP, responsible personnel, and specific administrative and technical safeguards may be found in the 91社区 Information Security Policy.

TERMS:

Unit means a constituent business unit of the College, including without limitation undergraduate and graduate programs, as well as fund groups and organizations that are not legally separate from the College (e.g., EXAMPLE?), Athletic and Recreational Funds and other associations of 91社区, such as the Gates Foundation, the Gorter Family Foundation, etc.
Covered Data means (i) non-public personal financial information about a Customer and (ii) any list, description, or other grouping of Customers (and publicly available information pertaining to them) that is derived using any non-public personal financial information. Examples of Covered Data include bank and credit card account numbers, income and credit histories, tax returns and social security numbers and lists of public information such as names, addresses and telephone numbers derived in whole or in part from personally identifiable financial information (e.g., names of students with outstanding loans). Covered Data is subject to the protections of GLBA, even if the Customer ultimately is not awarded any financial aid or provided with a credit extension. Covered Data includes such information in any form, including paper and electronic records.
College means 91社区.
Customer means any individual (student, parent, faculty, staff, or other third party with whom the College interacts) who receives a Financial Service from the College for personal, family or household reasons that results in a continuing relationship with the College.
Customer Information means any record containing about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the institution.
Financial Service includes offering or servicing student and employee loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, engaging in debt collection activities, and leasing real or personal property to individuals for their benefit.
Related Entities means the following types of entities and their subsidiaries, if legally separate from the College and unless otherwise indicated: auxiliary enterprise corporations, college associations, student services corporations, childcare centers, performing arts centers, and art galleries.
Service Provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to Covered Data information through its direct provision of services to the College.

RELATED POLICIES:

Document Control:

Entry#: Date Version Notes
1 11/28/2023 1.0 Original policy, submitted for review
2 12/07/2023 1.0 Reviewed and approved by the LITS Advisory Committee
3 01/11/2024 1.0 Reviewed and approved by the Senior Leadership Team