The Gramm-Leach-Bliley Act (GLB), or Financial Modernization Act of 1999, includes protections for privacy of consumer’s confidential financial information held by financial institutions. In 2003, higher education institutions were considered financial institutions under federal law, as determined by the Federal Trade Commission. The Safeguards Rule of the GLB Act requires institutions to implement a written comprehensive information security program protecting consumer records.

 

The Office of Higher Education, to the extent that it engages in certain financial transactions and collection of confidential financial information (CFI) in its administration of student aid and other federal and state programs, has determined that it is subject to the Safeguard Rule of the GLB Act, as advised by the Office of the Attorney General for the State of Connecticut.

 

The GLB Safeguard Rule requires the Office of Higher Education to develop standards for administrative, technical and physical security procedures for certain information. Such standards will: “ensure the security and confidentiality of customer records and information; protects against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.” (16 CFR Part 314)

 

GLB Act Safeguards Requirements

Program Statement

Program Coordination

Risk Assessment

Design and Implementation of a Safeguarding Program

Review and Revision of Information Security Program

 

GLB Act Safeguards Requirements

 

In order to accomplish these objectives, GLB requires the following:

 

• Designate one or more employees to coordinate the Information Security Program;

• Assess risks to the security of customer information;

• Design and implement safeguards to address risks, and test and monitor their effectiveness over time;

• Adjust the program to address developments.

 

Under GLB, customer information includes: 1) Non-public personal information concerning customers of the Office of Higher Education; and 2) Non-public personal information that the Office of Higher Education receives from a financial institution about the customers of another financial institution (i.e. information received from a college or university).

 

Program Statement

 

The Office of Higher Education has reviewed its current security standards and will ensure compliance with the provisions of the GLB Safeguard provisions related to the administrative, technical and physical safeguarding of customer information. The agency’s security program takes into account the agency’s size and complexity, the nature and scope of its activities, and the sensitivity of its customer information.

 

Program Coordination

 

The Information Security Program Committee (ISPC), appointed by the Executive Director, is charged with coordinating the agency’s Information Security Program (ISP). The ISPC is responsible for risk assessment, design, implementation and adjustment of safeguarding policies and procedures, and for employee training. It is imperative that all staff members within the agency understand and maintain the ISP within his or her specific operation.

 

Risk Assessment

 

The Office of Higher Education recognizes that it has both internal and external risks. These risks include, but are not limited to:

 

• Unauthorized access to CFI within agency records by employees or others

• Unauthorized requests for access to agency records

• Interception of data during transmission

• Loss of data in a disaster

• Corruption of data or systems

• Misplacement or loss of paper records

• Compromise of data from disposal of records

• Unauthorized or unintended disclosure of electronic or printed CFI

 

At least annually, the Office of Higher Education will conduct an assessment of all areas of operation for potential risks and evaluate current precautions in place. Areas will include: employee training and management; information systems, including network and software design; information processing, storage and disposal; detecting, preventing and responding to attacks, intrusions or other system failures. The ISP will be modified based upon the findings of these assessments.

 

Design and Implementation of a Safeguarding Program

 

The Office of Higher Education Information Security Program includes four key components:

 

1. Employee Training and Management

2. Information System Security

3. Physical Security of Paper Records

4. Disposal of Records

 

1. Employee Training and Management

 

All Office of Higher Education employees will receive training in data privacy and security at least annually, and all employees are required to sign the agency’s Confidentiality Agreement. Directors, and Associate Directors and other program managers of activities and systems that utilize CFI must be especially vigilant in ensuring their employees understand and have adequate training in data privacy and security. Each new employee will receive appropriate training regarding the importance of information security during orientation, including in the proper use of computer information and passwords. Appropriate training includes controls and procedures to prevent employees from providing CFI to unauthorized parties, and methods for proper disposal of documents containing CFI.

 

Periodically, each department within the Office of Higher Education will provide training to all employees to remind them of the importance of data security and to ensure that the safeguarding procedures and controls are followed. Training activities may be modified on a department basis, depending on the risks perceived, scope and types of activities, and access to confidential customer information within each department.

 

In the case of temporary workers, a supervisor will provide adequate training regarding the identification and protection of CFI to protect against disclosure.

 

2. Information System Security

 

Access to CFI through the agency’s information systems and networks is limited to individuals who have a legitimate business reason to access such information and who are authorized by the Executive Director. Access controls are implemented at the user, application, system and network layers to ensure access to CFI is implemented consistently with regulations, the agency’s Information Security Program and other acceptable use policies.

 

The Office of Higher Education will take reasonable and appropriate steps, consistent with the Information Security Program, current technological capabilities and industry recognized “best practices,” to ensure that all confidential customer information is stored, accessed, processed and transmitted as securely as possible and to safeguard the confidentiality, integrity and authorized availability of any and all records.

 

These steps include but are not limited to:

 

• Maintaining the network- and host-based integrity of systems through consistent and timely updates and patches;

• Utilization of anti-virus software, where appropriate;

• Routinely monitoring system health and availability;

• Routinely monitoring and mitigating the risks associated with known network- and host-based vulnerabilities as well as monitoring and responding to network- and host-based threats;

• Ensuring separation of privileges with regard to confidential customer information access; and

• Documented and controlled incident response and escalation processes.

 

All CFI is maintained on secured hosts behind the firewalls of the Office of Higher Education. To the extent reasonably available, encryption technology will be utilized for both storage and transmission of all confidential customer information. Routine audits and system tests will be made to ensure that safeguards are in-place and effective.

 

3. Physical Security of Paper Records

 

Only employees who have a business reason for CFI and who have been authorized by the Executive Director will have access to any physical paper records. All physical records will be kept in a locked office or in locked files as reasonable. The files will be locked at a minimum of each night. Sound business practice dictates that the files also will be locked whenever an authorized employee is not present with the files.

 

4. Disposal of Records

 

The Office of Higher Education will only keep physical paper records and electronic documents for as long as they are being actively used by the agency, or as necessary to comply with state or federal law, audit compliance guidelines, or the State of Connecticut policy for record retention.

 

Paper documents that are no longer required to be kept by the Office of Higher Education will be shredded at the time of disposal. Electronic documents will be deleted and magnetic media will be erased.

 

Review and Revision of Information Security Program

 

GLB mandates that this program be subject to periodic review and adjustment. With respect to the security of information resources, the technology is constantly evolving so the expectation is that the Office of Higher Education will continuously monitor the technology and make adjustments as necessary to preserve the infrastructure. The remainder of the processes required by this program will be reassessed by the ISPC at least annually.

 

 

Revision History

 

Rev. 1.1 9/26/11