I. Purpose
The Gramm-Leach-Bliley Act (GLB) was enacted in 1999 and affects all financial institutions. Colleges and universities fall under GLB as part of financial lending and alumni processes. The GLB Financial Privacy Rule requires financial institutions to provide a privacy notice at the time the consumer relationship is established and annually thereafter. It defines the protection of non-public personal information (NPI). It also requires institutions to implement thorough administrative, technical and physical safeguards to protect against any anticipated threats or hazards to the security or integrity of such information.
II. Scope
This policy applies to all offices that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Covered Information. These offices specifically include, but are not limited to Information Technology Services (ITS), Student Financial Services, Registrar’s Office, Finance Office, Residence Life, Business Operations, Alumni Relations, and Human Resources (“Covered Offices”).
III. Definitions
A “customer” is any individual (student, parent, faculty, staff, or other third party with whom the university interacts) who receives a financial service from the university and who, in the course of receiving that service, provides the university with sensitive, non-public, personal information about themselves.
“Covered Information” is sensitive, non-public, personally identifiable information includes, but may not be limited to, and individual’s name in conjunction with any of the following:
- social security number
- credit card information
- income and credit history
- bank account information
- tax return
- asset statement
Covered Information includes both paper and electronic records.
A "financial service" is defined by federal law to include, but not be limited to, such activities as the lending of money; investing for others; providing or underwriting insurance; giving financial, investment or economic advisory services; marketing securities and the like.
IV. Policy & Process
The goals for this program are as follows:
- To ensure employees have access only to the relevant data needed to conduct university business;
- To ensure the security and confidentiality of customer records and information;
- To safeguard and prevent unauthorized access to personally identifiable financial records and information maintained by the university;
- To comply with existing university policies, standards, guidelines and procedures; and
- To comply with applicable federal, state and local regulations.
Information Security Plan Coordinator
The designated employee for the coordination and oversight of this policy is the Director of Administrative & Enterprise Services or his/her designee (“Information Security Plan Coordinator” or “coordinator”). The coordinator works with all relevant areas of the university: 1) to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Information, 2) to evaluate the effectiveness of the current safeguards for controlling these risks, 3) design and implement a safeguards program, 4) to implement a training program for employees who have access to Covered Information, 5) to oversee service provider(s) and contract compliance, and 6) to evaluate and adjust the security plan periodically.
The coordinator, with guidance from the assistant vice president of operations & compliance, may establish a Gramm-Leach-Bliley working committee to work with the coordinator to carry out elements of the policy. The coordinator may also designate other university officials to oversee and coordinate particular elements of the policy. All comments and inquiries about the university’s Gramm-Leach-Bliley Policy should be sent by e-mail to the coordinator at gerald.korea@uupt.net.
Risk Assessment
The coordinator provides guidance to Covered Offices to identify and assess internal and external risks to the security, confidentiality, and integrity of Covered Information that could result in unauthorized access, disclosure, misuse, alteration, destruction or other compromise of such information
Each Covered Office is responsible for securing Covered Information in accordance with this policy. Covered Offices must develop and document their own information safeguards for Covered Information. The scope of such assessment and evaluation may include but is not limited to management and training of employees (including student employees) and volunteers; information systems (including network and software design, as well as information processing, storage, transmission and disposal for both paper and electronic records); procedures for detecting, preventing and responding to attacks, intrusions, or other system failures (including data processing, and telephone communication), and contingency planning and business continuity.
Employee Training
Each Covered Office trains and educates its employees on relevant policies and procedures for safeguarding Covered Information. The coordinator, along with the office of Risk & Compliance management, helps each Covered Office develop procedures to evaluate the effectiveness of its procedures and practices regarding employee training.
Information Systems
The coordinator, or his/her designee, develops procedures to assess the risks to Covered Information associated with the university’s information systems including network and software design, as well as information processing, storage, transmission, retrieval, and disposal of Covered Information. This assessment includes a review of the university’s information technology practices and procedures. In addition, the coordinator assesses the procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with security flaws.
Physical Security of Paper Records
Covered Offices should develop and maintain procedures that reasonably assure the security of paper records and include guidelines relating to the university’s records retention and disposal policy. Periodic evaluation of these procedures regarding physical paper records should be conducted.
Managing System Failures
The university maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. The coordinator, or his/her designee, maintains plans for detecting, preventing and responding to attacks or other system failures; and reviews network access an security policies and procedures, and protocols for responding to network attacks and intrusions.
Designing and Implementing Safeguards
The risk assessment and analysis described herein shall apply to all methods of handling or disposing of Covered Information, whether in electronic, paper, or other forms. On a regular basis, the coordinator shall implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided.
Service Providers and Contracts
From time to time, the university may share Covered Information with third parties in the normal course of business. These activities may include debt collection activities, transmission of documents, destruction of documents or equipment, or other similar services. All contracts must include provisions that address third-party Gramm-Leach Bliley compliance.
The coordinator works with those responsible for the third-party service procurement activities and Covered Offices to raise awareness of, and to institute methods for selecting and retaining only those providers that are capable of maintaining appropriate safeguards for Covered Information.
V.Exceptions
Any exceptions to this policy are to be reviewed and approved by the Information Security Plan Coordinator in consultation with the office of Risk & Compliance Management, as needed.
V. Responsibilities
The Information Security Plan Coordinator is responsible for implementing the provisions of this policy.
Employees with access to Covered Information must abide by university policies and procedures governing Covered Information, as well as any additional practices or procedures established in their units.
VI. Cross Reference
This policy is supported by the following policies, procedures, and/or guidelines.
- Account Creation and Removal Policy (.pdf)
- Acceptable Use Policy
- Computer & Electronic Resources Policy
- Email Policy
- Security Policy (.pdf)
- Document Retention & Destruction Policy
- HIPPA Policy
VII. Resources
FTC Safeguards Rule external website
Effective: 06/01/2018 | Updated: 6/01/2020