Policy Table of Contents
The Gramm-Leach-Bliley Act (Public Law 106-102) was signed into law in 1999 as part of an effort to enhance competition in the financial services industry. Section 501 of this Act calls for the protection of non-public personal information. Although they are not part of the financial services industry, higher education institutions such as the College for Creative Studies (CCS) are considered financial institutions under this Act due to their significant role in servicing student loans. The Federal Trade Commission, the statutory authority for implementation of the GLBA, published a Final Rule entitled Privacy of Consumer Financial Information to implement privacy provisions of GLBA.
Similarly, higher education institutions are subject to broad privacy compliance provisions of the 1974 Family Educational Rights and Privacy Act (FERPA), which is administered by the U.S. Department of Education. The FERPA requirements are understood to override any other compliance activities when dealing with educational records.
In 2001, the Federal Trade Commission published a Final Rule entitled Standards for Safeguarding Customer Information. This Rule states that financial institutions must “[…] develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” (16 CFR 314.3) Within the scope of its role as a financial institution, institutions of higher education are required to conform with this rule.
Coordinator of the Program
The College’s Director of Information Technology Services is designated as the Program Coordinator who shall be responsible for coordinating and overseeing the Program. The Program Coordinator will work with the Privacy and Security Committee to oversee and coordinate particular elements of the Program. The Privacy and Security Committee consists of the following members: Vice President for Administration and Finance, Vice President for Enrollment and Student Services, Associate Provost, Director of Information Technology Services (Program Coordinator), Director of Business Services, Director of Financial Aid, Director of Human Resources, Registrar, Director of Undergraduate Admissions, and Director of Graduate Admissions. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the Program Coordinator or a member of the Privacy and Security Committee.
Scope of Program
The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the College, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the College or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from the Institution, (ii) about a student or other third party resulting from any transaction with the College involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
Elements of the Program
Risk Identification and Assessment
The College intends, as part of the Program, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In implementing the Program, the Program Coordinator, along with the Privacy and Security Committee, will establish procedures for identifying and assessing such risks in each relevant area of the Institution’s operations, including:
- Employee training and management. The Program Coordinator, along with the Privacy and Security Committee, will evaluate the effectiveness of the College’s procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the College’s current policies and procedures in this area, including all employee handbooks (staff, full-time faculty and adjunct), student handbook, the CCS Policy Database and other student record policies.
- Information Systems and Information Processing and Disposal. The Program Coordinator will coordinate with representatives of the Information Technology Services department to assess the risks to nonpublic financial information associated with the College’s information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. This evaluation will include assessing the College’s current polices and procedures relating to Acceptable Use Policy of the College’s network and network security, document retention and destruction. The Program Coordinator will monitor potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
- Detecting, Preventing and Responding to Attacks. The Program Coordinator will evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. The Program Coordinator will be responsible for monitoring and disseminating information related to the reporting of known security attacks and other threats to the integrity of networks utilized by the College.
Designing and Implementing Safeguards
The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The Program Coordinator along with the Privacy and Security Committee will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
Overseeing Service Providers
The Program Coordinator shall coordinate with those responsible for the third-party service procurement activities among the Information Technology Services and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the Program Coordinator will work with the Vice President of Administration and Finance or the Vice President for Enrollment and Student Services to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards.
Adjustments to the Program
The Program Coordinator, along with the Privacy and Security Committee, is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the College’s operations or other circumstances that may have a material impact on the Program.