GLBA Information Security Program
Higher education institutions are required to comply with the Gramm-Leach-Bliley Act (GLBA) of 1999. The law requires financial and educational organizations to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of personally identifiable information (PII). The objectives of this program are to:
• Ensure the security and confidentiality of customer information in compliance with applicable GLBA rules.
• Provide administrative, physical, and technical safeguards to ensure compliance.
• Safeguard against anticipated threats to the security or integrity of protected electronic data.
• Guard against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer.
Questions regarding GLBA impacts on business processes, policies, technical issues, risk assessments, and information technology security policy should be directed to the Director of IT Services serving as the Institutional Privacy Officer and Coordinator.
Coordination and Responsibility for the Information Security Program
The Coordinator of the Information Security Program is the Director of IT Services for Shepherd University. The Coordinator is responsible for the development, implementation, and oversight of Shepherd University’s compliance with the policies and procedures required by the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Although ultimate responsibility for compliance lies with the Coordinator, representatives from each of the operational departments are responsible for implementing and maintaining the specified requirements of the security program within their own operations.
Executive Information Security Governance Group
The above-referenced group was established in July 2021 and exists to ensure that this Information Security Program is kept current and to evaluate policy or procedural changes. Membership may change but will include the Director of IT Services, General Counsel, Vice President for Enrollment Management, and VP for Finance/Admin. Additionally, a subset group of data custodians includes, but is not limited to, the Registrar, CFO, Financial Aid, Admissions, HR, Procurement, ITS, and other individuals as deemed necessary.
Risk Assessment and Safeguards
There is an inherent risk in handling and storing any personal information that must be protected. Identifying areas of risk and maintaining appropriate safeguards can reduce this risk. Safeguards reduce the risk inherent in handling protected information and cover both information systems and the storage of paper (hardcopy) documents.
Employee Training and Education
Employees handle and have access to protected personal information in order to perform their job duties. This includes permanent and temporary employees as well as student employees whose job duties require them to access protected personal information, or who may work in a location where there is access to protected personal information. Departments are responsible for maintaining a high level of awareness and sensitivity to safeguarding protected personal information and should periodically reiterate its importance to employees.
Shepherd University GLBA Training Materials
The department head or designated representative is responsible for ensuring that staff are properly trained in the relevant GLBA concepts and requirements. Training materials relating to GLBA and data handling are available on the IT Services website. Upon approval by the Coordinator for GLBA, these training materials may be tailored to reflect individual training needs. Training may be delivered in a variety of ways, including town halls. Departments are responsible for maintaining records of staff who have received training and must be able to produce proof of participation upon request of the Coordinator.
Oversight of Service Providers and Contracts
GLBA requires Shepherd University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. General Counsel has assisted with language to ensure that all relevant service provider contracts comply with GLBA provisions. The GLBA contract due diligence is considered in various aspects of contract negotiation, including security control reviews. Contracts are reviewed to ensure the following language is included:
[Service Provider] agrees to implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of customer information and further containing each of the elements set forth in § 314.4 of the Gramm Leach Bliley Standards for Safeguarding Customer Information (16 C.F.R. § 314). [Service Provider] further agrees to safeguard all customer information provided to it under this Agreement in accordance with its information security program and the Standards for Safeguarding Customer Information.
Evaluation and Revision of the Information Security Program
GLBA mandates that this Information Security Program be subject to periodic review and that Shepherd University make any needed adjustments. The most frequent of these reviews will occur within Information Technology Security and Policy, where constantly changing technology and constantly evolving risks indicate the need for reviews. Processes in other relevant offices of the University, such as data access procedures and the training programs, should undergo regular review. This Information Security Program is reevaluated annually in order to ensure ongoing compliance with laws and regulations.
Covered Component means any area of Shepherd University that is required to comply with GLBA.
CUI (Controlled Unclassified Information) means information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
1. Information Security program: As per FTC Safeguard Rules §314.2.c, an Information Security program means the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
2. Consumer: The GLBA defines a ‘consumer’ as ‘an individual who obtains from a financial institution, financial products or services which are to be used primarily for personal, family or household purposes, and also means the legal representative of such an individual’ (see 15 U.S.C. § 6809(9)).
3. Customer: As per GLBA, a ‘customer’ is a consumer who has a ‘customer relationship’ with a financial institution. A ‘customer relationship’ is a continuing relationship with a consumer.
4. Non-public Personal Information: GLBA protects ‘the privacy of non-public personal information’, including personal address and phone numbers, personal health information, personal financial information, driver’s license numbers, bank account information, credit card numbers, credit reports, loan applications and loan details, Social Security numbers, tax returns, etc.
5. Customer Information: As per GLBA FTC Safeguard Rules §314.2.b, any record containing nonpublic personal information as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
6. Personal Data: Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7. Processing: The term ‘processing’ includes any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
8. Data protection by design: an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product, or process and then throughout its lifecycle.
9. Data protection by default: requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimization and purpose limitation.
10. Third Party: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
11. Personally Identifiable Information (PII): any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
Personally Identifiable Financial Information means any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.
12. PII Controller: a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body).
13. PII Processor: a person, company, or other body that processes data on behalf of the data controller.
14. Top management: a person or group of people who direct and control an organization at the highest level. Note: Top management has the power to delegate authority and provide resources within the organization.
Examples of Activities the FTC is Likely to Consider as a Financial Product or Service include:
• Student (or other) loans, including receiving application information, and the making or servicing of such loans
• Financial or investment advisory services
• Credit counseling services
• Tax planning or tax preparation
• Collection of delinquent loans and accounts
• Sale of money orders, savings bonds or traveler’s checks
• Check cashing services
Legal References (citations)
• 15 USC, Subchapter I, §§ 6801-6809 (Gramm-Leach-Bliley Act)
• Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of 18, 26, 29, and 42 U.S.C.). (Health Insurance Portability and Accountability Act of 1996)
• 16 CFR, Part 313 (Privacy Regulations, see reference to Family Educational Rights and Privacy Act (FERPA).)
• 20 USC, Chapter 31, 1232g (FERPA)
• 34 CFR, part 99 (FERPA regulations)
• 16 CFR, part 314 (Safeguard Regulations, as published in the Federal Register, 5/23/02)
• 45 CFR, parts 160 & 164; 68 Fed. Reg. 8334 (Feb. 20, 2003) (HIPAA Security Regulations)
• NACUBO Advisory Report 2003-01, issued 1/13/03
• FTC Facts for Business: Financial Institutions and Customer Data: Complying with the Safeguards Rule, published September 2002
The GLBA includes requirements to protect the security, integrity, and confidentiality of this consumer information. To be GLBA compliant, organizations must develop, implement, and enforce a comprehensive information security program including administrative, technical, and physical safeguards as determined appropriate for the institution and data. In addition to developing their own safeguards, organizations are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. The United States Department of Education strongly encourages institutions of higher education to review and understand the standards defined in the NIST SP 800-171, the recognized information security publication for protecting “Controlled Unclassified Information” (CUI).
University personnel are responsible for recognizing and assessing risks, as well as managing and controlling them accordingly. Due to the size and complexity of the University, a collaborative approach to assessing and mitigating risks exists. This includes, but is not limited to, expertise in the following areas: vendor management and contracts; human resource training; systems, software, and network security; legal; and operational monitoring.
Actions Required and Taken
The following basic actions must be taken to satisfy GLBA requirements:
• Assess risk
• Manage, remediate, and control risks
• Oversee service provider arrangements and contracts
• Adjust the program to work with new technologies
The U.S. Department of Education issued a letter to institutions of higher education reminding them of the importance of strengthening their cybersecurity infrastructure and stating that:
“Under their Program Participation Agreement (PPA) and the Gramm-Leach-Bliley Act (15 U.S. Code § 6801), they must protect student financial aid information, with particular attention to information provided to institutions by the Department of Education or otherwise obtained in support of the administration of the Title IV Federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended.”
Also under their Student Aid Internet Gateway (SAIG) Enrollment Agreement, they “[m]ust ensure that all users are aware of and comply with all of the requirements to protect and secure data from Departmental sources using SAIG.”
The Department of Education also indicated that they are in the process of incorporating the GLBA security controls into the Annual Audit Guide in order to assess and confirm institutions’ compliance with the GLBA. The Department will require the examination of evidence of GLBA compliance as part of institutions’ annual student aid compliance audits.
“The Department strongly encourages institutions to review and understand the standards defined in the NIST SP 800-171, the recognized information security publication for protecting ‘Controlled Unclassified Information’ (CUI), a subset of data that includes unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Federal policies. NIST SP 800-171 identifies specific recommended requirements for non-Federal entities that handle CUI, including:
• Limit system access to authorized users (Access Control Requirements);
• Ensure that system users are properly trained (Awareness and Training Requirements);
• Create information system audit records (Audit and Accountability Requirements);
• Establish baseline configurations and inventories of systems (Configuration Management Requirements);
• Identify and authenticate users appropriately (Identification and Authentication Requirements);
• Establish incident-handling capability (Incident Response Requirements); Incident Management Process
• Perform appropriate maintenance on information systems (Maintenance Requirements);
• Protect media, both paper and digital, containing sensitive information (Media Protection Requirements);
• Screen individuals prior to authorizing access (Personnel Security Requirements);
• Limit physical access to systems (Physical Protection Requirements);
• Conduct risk assessments (Risk Assessment Requirements);
• Assess security controls periodically and implement action plans (Security Assessment Requirements);
• Monitor, control, and protect organizational communications (System and Communications Protection Requirements);
• Identify, report, and correct information flaws in a timely manner (System and Information Integrity Requirements).”
Revision 3; updated and approved 7/27/2021