Draft GLBA Policy | Spalding University Policy Guide

1.4.15: Draft GLBA Policy

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. In 2021 the Federal Trade Commission (FTC) issued amendments to the GLBA Safeguards Rule (16 CFR Part 314) that updated the compliance requirements for higher education institutions participating in the Title IV federal student aid programs. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could establish standards of care for information security across all areas of data management practice (employee, student, customer, alumni, donor, etc.), both electronic and physical. The amended rule requires covered institutions to:

  • designate a qualified individual to oversee their information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication, or another method with equivalent protection, for any individual accessing customer information.

These policy updates at Spalding University apply to highly sensitive private financial and related information. The University's compliance program applies to customer financial information (covered data) that the University receives in the course of business, as required by GLBA, as well as to other confidential financial information within its scope.

GLBA Compliance Program

The GLBA Compliance Program covers the activities and practices of the following offices and individuals:

  • Academic and administrative offices that handle electronic or printed personnel records, financial records, transactional records, or student records.
  • Academic and administrative offices that transmit confidential information (protected data) to off-site locations as part of a periodic review or submission requirement.
  • Faculty serving as directors, coordinators, principal investigators, or program directors for programs collecting protected data.
  • Faculty, staff, and administrators with contracts to use, access, provide, or receive protected data from a non-campus entity (e.g., government databases, science databases).

Categories of Information under the Plan

Information covered under the plan is defined by three categories:

  • Personally Identifiable Information (PII) – Also known as protected data, PII includes first and last name, social security number, date of birth, home address, home telephone number, academic performance record, physical description, medical history, disciplinary history, gender, and ethnicity.
  • Financial Information – Information that the University has obtained from faculty, staff, students, alumni, auxiliary agencies, and patrons in the process of offering financial aid or conducting a program. Examples include bank and credit card account numbers, and income and credit histories.
  • Student Financial Information – Information that the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by another financial institution. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories.

Departments Covered Under the GLBA

The following table lists the departments and data that fall under the scope of the GLBA Safeguards Rule.

Department: Financial Aid, Bursar, Admissions, Registrar
Data/Information:
  • Student Loans
  • Private Loans
  • Personally Identifiable Information: SSN, billing information, credit card, account balance, citizenship, passport information, tax return, bank account, driver's license (or other forms of ID), date of birth
  • Disbursement of Financial Aid
  • Payment Plans
  • 1098

Department: Legal Counsel
Data/Information:
  • Personally Identifiable Information: SSN, billing information, credit card, account balance, passport information, tax return information, bank account information, driver's license, and date of birth

Department: Human Resources
Data/Information:
  • Bank account information
  • Payroll
  • Benefits
  • 403(b) loans

Department: Finance Office
Data/Information:
  • G5 drawdown of federal funds
  • Refunds and reimbursements
  • Reconciliations
  • Audit data
  • 1099

Roles and Responsibilities

Role: Chief Information Officer
Responsibilities:
  • Designates or serves as the GLBA Compliance Plan Coordinator.
  • Responsible for systemwide compliance with the GLBA Safeguards Rule through appropriate communication with and coordination among applicable groups.
  • Designates individuals who have the responsibility and authority for information technology resources.

Role: Information Technology Security Office
Responsibilities:
  • Establishes and disseminates enforceable rules regarding access to and acceptable use of information technology resources.
  • Establishes reasonable security policies and measures to protect data and systems.
  • Monitors and manages system resource usage.
  • Investigates problems and alleged violations of University information technology policies and reports violations to appropriate University offices, such as the Office of the General Counsel and the Human Resources Department, for resolution or disciplinary action.

Role: Deans, Department Heads and other Managers
Responsibilities:
  • Keep employees informed about policies and programs that pertain to their work, including those that govern GLBA compliance, and ensure that they successfully complete the required training.

Role: Employees with access to covered data
Responsibilities:
  • Abide by University policies and procedures governing covered data as well as any additional practices or procedures established by their unit heads or directors.
  • Report concerns to their supervisor.

Role: GLBA Compliance Program Coordinator

Compliance Program Plan


Defined Policy and Standards

Keeping security risk low is a priority for Spalding University. The University's information security structure is designed to keep risk to a minimum and to ensure that comprehensive, documented processes for information protection and best practice are in place. These processes cover the following areas:

  • Risk Assessment
  • Vulnerability Assessment
  • Patch Management
  • Access Control
  • Acceptable Use
  • Security Awareness, Training and Education
  • Incident Response


Conduct Risk Assessment

Testing and Monitoring of Systems

Vulnerability Assessment

Access Control

Encryption


Provide Awareness, Training and Education

The following shall guide the training and management of employees:

The University implements required training programs to ensure that staff are aware of the protocols for protecting customer information.

All training programs incorporate concepts relevant to both electronic and paper-based customer information.

Managers and supervisors determine which positions deal with customer information. Background checks are performed on all employees.

All University employees who interact with covered PII during their daily activities are required to complete a cybersecurity training course describing their responsibilities when handling personally identifiable information (PII). Training consists of:

  • Annual cybersecurity training
  • Additional PII training requirements (for example, FERPA training or HIPAA training)
  • Phishing exercises designed and implemented by the IT department, with approval from security governance, to help employees distinguish fraudulent emails from authentic ones and avoid responding to questionable emails or communications
  • Informative campus-wide communications regarding phishing, spear phishing, and other types of spam email


Incident Response Plan and Procedures


Evaluate Service Providers’ Agreements and Processes

The University may, from time to time, appropriately share covered data with third parties. When business is conducted with a third party, appropriate risk management activities are in place to minimize the corresponding risks, which include but are not limited to reputational, financial, operational, strategic, and compliance risks. Decisions to engage third parties must be consistent with the University's business objectives and must be made after careful consideration of the risks involved, and service providers must be contractually required to implement and maintain appropriate safeguards for covered data.