The Gramm-Leach-Bliley Act (GLBA) addresses the safeguarding and confidentiality of customer information held in the possession of financial institutions such as banks and investment companies. GLBA contains no exemption for postsecondary educational institutions. As a result, educational institutions that engage in financial activities, such as processing student loans, are required to comply. GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices both electronic and physical (employee, student, customer, alumni, etc.). Therefore, AIMS Education has adopted the following Information Security Program for all student and/or third party records containing nonpublic personal information.
Federal regulations state that any institution of higher education that complies with the Family Educational Rights and Privacy Act (FERPA), and that is also a financial institution subject to the requirements of GLBA, shall be deemed to be in compliance with the Privacy Rule of GLBA. All institutions of higher education are still subject to the Safeguards Rule.
Purpose and Scope
This security program applies to customer financial information that AIMS receives in the course of business as required by GLBA, as well as other confidential financial information the Institution has voluntarily chosen as a matter of policy to include within its scope. This program is in addition to any other institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including FERPA.
Furthermore, this document describes the activities currently undertaken by AIMS Education to ensure the privacy and security of customer information according to legal and institutional requirements. This Information Security Program provides an outline of the safeguards that apply to this information.
GLBA requires the Institution to develop, implement, and maintain a comprehensive information security program that details the administrative, technical, and physical safeguards that are appropriate for its size and activities. GLBA further mandates that the Institution:
- Designate one or more employees to coordinate the information security program.
- Identify and assess the risks to customer information in each relevant area of the institution’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program, and regularly monitor and test it.
- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards, and oversee their handling of customer information.
- Evaluate and adjust the program based on changes to the Institution’s operations and business arrangements, or the results of security monitoring and testing.
Covered Data
All information that must be protected under GLBA. This includes the financial information that the Institution has included within the scope of this Information Security Program. Covered data also includes any information collected from a student in the course of offering a financial product or service (e.g. student loans), or such information provided from another institution. Examples include mailing addresses, phone numbers, bank and credit card account numbers, and social security numbers. Covered data consists of both paper and electronic records that are handled by the Institution or its affiliates.
Nonpublic personal information (NPI)
Any “personally identifiable financial information" that the Institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available." Examples of NPI include name, address, income, social security number, or other information on an application.
Service Providers
All third parties who, in the ordinary course of Institution business, are provided access to covered data. Service providers may include, for example, businesses retained to transport and dispose of covered data, collection agencies, and systems support providers.
Information Security Program Coordinator
In order to comply with GLBA, AIMS Education has designated an Information Security Program Coordinator. This individual must work closely with the President’s Office, the Information Security Committee, the Information Technology team, and all relevant academic and administrative departments throughout the Institution.
The Coordinator is responsible for assisting all department supervisors in identifying internal and external risks to the security, confidentiality, and integrity of covered data; evaluating the effectiveness of current safeguards; designing and implementing a safeguards program; and regularly monitoring and testing the program.
The Information Security Program will identify internal and external risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. Risk assessments will include consideration of risks in each area that has access to covered data. Risk assessments will include, but not be limited to, consideration of employee training and management; information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and systems for detecting, preventing, and responding to attacks, intrusions, or other system failures.
The Coordinator will work with the Information Security Committee, and all department supervisors, to carry out comprehensive risk assessments. Risk assessments will include institution-wide risks, as well as risks unique to each department with covered data. The Coordinator will ensure that risk assessments are conducted at least annually, and more frequently where required. The Coordinator may identify a responsible party from the Information Technology team to conduct a system-wide risk assessment. The Coordinator may identify a responsible party in each department with access to covered data to conduct the risk assessment considering the factors set forth above, or employ other reasonable means to identify risks to the security, confidentiality and integrity of covered data in each area of the Institution with covered data.
The Coordinator will provide copies of complete and current risk assessments for institution-wide and department-specific risks at least annually with the Coordinator’s report to the President’s Office.
Information Safeguards and Monitoring
The Information Security Program will verify that safeguards are in place to control the risks identified in the risk assessments. The Coordinator will ensure that reasonable safeguards and monitoring are implemented and cover each department that has access to covered data. These safeguards will include the following:
Employee Management and Training
Safeguards for security will include the management and training of all employees with authorized access to covered data. The Coordinator, working with the Information Security Committee, will identify which employees have access to covered data. The Coordinator will ensure that appropriate training and education are provided to all employees who have access to covered data. The training will include education on relevant policies and procedures, and on other safeguards used to protect covered data.
Additional safeguards will include the following:
- Background checks before hiring employees who will have access to covered data
- Requiring new employees to sign an agreement that they will abide by the institution’s security and confidentiality standards
- Job-specific training on maintaining security and confidentiality
- Requiring “strong” user-specific passwords that must be changed every 90 days
- Limiting access to covered data to employees with a legitimate business need to see it
- Preventing former employees from accessing customer information by deactivating their user names and passwords
- Other measures that provide reasonable safeguards based upon the risks identified
Information Systems
Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal.
Network and software systems will be designed to limit the risk of unauthorized access to covered data. This may include designing limitations on access, maintaining appropriate screening programs to detect computer hackers and viruses, and implementing security patches.
Safeguards for information processing, storage, transmission, retrieval, and disposal may include the following:
- Requiring electronic covered data to be entered into a secure, password-protected system
- Using secure connections to transmit data outside the Institution
- Using secure servers
- Ensuring covered data is not stored on transportable media (USB drives, portable hard drives, etc.)
- Permanently erasing covered data from computers, hard drives, or other electronic media before transferring, recycling, or disposing of them
- Storing physical records in a secure area and limiting access to that area
- Providing safeguards to protect covered data and systems from physical hazards such as fire or water damage
- Shredding confidential paper records before disposal
- Maintaining an inventory of servers or computers with covered data
- Other reasonable measures to secure covered data
Managing System Failures
The Institution will maintain effective systems to prevent, detect, and respond to attacks, intrusions, and other system failures. Such systems may include the following:
- Maintaining and implementing current anti-virus software
- Monitoring the websites of software vendors for news of software vulnerabilities and available security patches
- Maintaining appropriate firewall technologies
- Alerting those with access to covered data of threats to security
- Backing up data regularly and storing backup copies off site
- Other reasonable measures to protect the integrity and safety of information systems
Monitoring and Testing
The Coordinator, working with other designated personnel, will regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to swiftly detect and correct breakdowns in security. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided. Monitoring may include system checks, reports of access to systems, reviews of logs, audits, and any other reasonable measures to verify that the Information Security Program’s controls, systems, and procedures are working.
In the course of business, the Institution may share covered data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents or equipment, or other similar services. This Information Security Program will ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the covered data at issue, and that service providers are required by contract to implement and maintain such safeguards.
The Coordinator will identify service providers who are provided access to covered data. The Coordinator will work with the President’s Office, and other departments as appropriate, to make certain that service provider contracts contain appropriate terms to protect the security of covered data.
The Coordinator, working with the Information Security Committee, will evaluate and adjust the Information Security Program based on the results from regular monitoring and testing, as well as any material changes to operations or business arrangements, and any other circumstances which may reasonably have an impact on the Information Security Program.