GLBA Information Security Plan
The Federal Trade Commission (FTC) requires financial institutions to establish policies and procedures for safeguarding customer financial information by complying with the Gramm-Leach-Bliley Act (GLBA). The GLBA also includes specific requirements regarding the privacy of customer financial information. The FTC has ruled that being in compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirement of the GLBA, but does not satisfy the safeguarding provisions.
Customer: A customer is any individual who receives a financial service from the institution and who, in the course of receiving that financial service, provides the institution with nonpublic financial information about themselves. Customers may include, but are not limited to, students, parents, faculty, staff and other third parties with whom the institution interacts.
Customer information: Customer information means any nonpublic financial information that is handled or that is maintained by or on behalf of the institution or its affiliates. The definition of customer information is very broad and may include records containing social security numbers, bank account numbers, account balances, credit card numbers, credit history or rating, or tax return information of individual customers.
Nonpublic financial information: Nonpublic financial information means any information:
Financial Product or Service: Offering a financial product or service includes, but is not limited to, offering or processing student loans; granting emergency or long term loans to students or faculty; receiving income tax information from a student's parent when offering a financial aid package; offering career counseling services to individuals who seek employment at financial institutions; and management consulting activities on any subject to a financial institution and on financial, economic, accounting or audit matters to any company.
Service Providers: Service providers refer to all third parties who, in the ordinary course of institutional business, are provided access to customers' covered data and information. Service providers may include, but are not limited to, businesses retained to store, transport or dispose of covered data; collection agencies; and technology systems support providers.
The following factors will be reviewed on an annual basis by department heads to determine internal and external risks to the security, confidentiality and integrity of nonpublic financial information. Such reviews will be to prevent unauthorized disclosure, misuse, alteration, destruction or otherwise compromise of such information. This information security plan shall be evaluated and adjusted in light of relevant circumstances, including changes in the college's business arrangements or operations, or as a result of testing and monitoring the safeguards. All reports on assessments of risk, including hand written notes, will be labeled CONFIDENTIAL – DRAFT and will not be publicly disclosed.
The offices below have been identified as relevant areas to be considered when assessing the risks to customer information. Offices not listed may still require GLBA training and compliance review. Ongoing operations and business changes can change the scope of a departments need to be compliant with GLBA.
In addition, in coordination with the appropriate administrators, an annual review of this plan will be completed by the Primary Coordinator. Evaluation of the risk of new or changed business arrangements will be done through the legal counsel's office or other area as designated by the institution.
The designated employee for the coordination and execution of the Information security plan may vary from one institution to another. The institution is responsible for naming the Primary Coordinator and communicating that informaton to all employees. All correspondence and inquiries should be directed to the Program Coordinator. Each department with access to nonpublic financial information will designate a security coordinator who will work with the Program Coordinator.
The Program Coordinator and/or the designated security committee will coordinate with other required departments to maintain the information security program. This policy will provide guidance in complying with all privacy regulations. Each relevant area is responsible to secure customer information in accordance with all privacy guidelines. In addition, the Program Coordinator and/or the designated security committee will maintain and provide access to other policies and procedures that protect against any anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information.
Physical Security Measures
The institution Records Management Officer will supervise all disposal of customer financial information.
Paper and CD's containing customer financial information will be shredded with a secure shredder capable of producing unreadable waste material.
All electronic media (tapes, diskettes) will be erased magnetically if possible or cleaned with NSA approved deletion programs.
All institututional departments will identify appropriate service providers that are given access to customer information in the normal course of business and will work with the institutional Contract Officer to ensure that they provide adequate safeguards. The service provider that will have access to customer information will complete an evaluation process that includes the ability of the service provider to safeguard customer information. Contracts with service providers shall include the following provisions:
All new staff that has access to customer financial information will be required to complete this training. Upon successful completion the employee will print, sign, and submit thier certification attesting to the fact they undestand their responsibility to safeguard customer financial information. A copy of this certification will be maintained by Human Resources.
Existing staff will be required to successfully complete this online training module annually. In addition to the email record of completion, the employee will print, sign, and submit the certificate of completion to Human Resources.
You have now completed the training review. In order to complete your certification you must take the quiz by clicking "Quiz Group" below. After answering the question clieck the "NEXT" button to see the next question. After completing the test you may review answers. You must answer a minimum of 5 correctly to pass. Once you have reviewed your answers click "NEXT PAGE" at the bottom to print and send your certificate. DO NOT CLICK RETRY IF YOU PASS.
NOTE: To print the certificate after successfully passing the test you must be on a computer that has access to a printer. The use of iPads or other devices that do not support Adobe Flash will not allow the viewing or printing of the certificate.
Type your name in the space below and click "EMail Score" to record your completion of this training module. Click "Print Certificate" to print a certificate of completion. When the certificate window opens, right click on the cerfificate and select Print. You must select Preference and set your printer to landscape before clicking Print. You may also print a copy of your score by clicking "Print Score Summary".
If you have not successfully completed the test then you will not be able to e-mail and print a certificate.