The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, incorporates measures to safeguard the privacy of customers' confidential information held by financial institutions. In 2003, higher education institutions were deemed to be financial institutions under federal law by the Federal Trade Commission. As a result, the Safeguards Rule of the GLB Act mandates that these institutions establish a written information security program to protect consumer records.
Taking into account its involvement in financial transactions and its collection of confidential financial information (CFI) for student aid and other federal and state programs, the Office of Higher Education has concluded, based on guidance from the Office of the Attorney General for Connecticut, that it is subject to compliance with the Safeguards Rule of the GLB Act.
The GLB Safeguards Rule requires the Office of Higher Education to establish guidelines encompassing technical and physical security procedures for certain types of information. These guidelines aim to ensure that customer records and information are secure and confidential; to mitigate threats or risks to their security or integrity; and to prevent unauthorized access or use that could cause significant harm or inconvenience to any customer.
The Information Security Program Committee (ISPC) is appointed by the Executive Director to ensure coordination of the agency's Information Security Program (ISP). The ISPC's main responsibilities include assessing risks, designing and implementing safeguarding policies and procedures, providing employee training, and making adjustments to the program. It is crucial for all agency staff members to understand the ISP and to actively maintain its standards within their respective operations.
The Office of Higher Education acknowledges that both internal and external risks exist. These risks include factors such as:
- Data or system corruption.
- Misplacement or loss of paper records.
- Compromise of data resulting from disposal practices.
- Unauthorized or unintended disclosure of electronic or printed CFI.
- Employees or unauthorized individuals gaining unauthorized access to agency records containing confidential financial information (CFI).
- Unauthorized requests for access to agency records.
- Interception of data during transmission.
- Loss of data in case of a disaster.
Annually, the Office of Higher Education will conduct an assessment across all operational areas to identify potential risks and evaluate existing precautions. This assessment will cover employee training and management; information systems, including network infrastructure and software design; information processing, storage and disposal practices; and measures for detecting, preventing and responding to attacks, intrusions or system failures. The Information Security Program (ISP) will be adjusted according to the results of these evaluations.
Safeguarding Requirements under the GLB Act
To achieve these goals, the GLB Act mandates the following:
- Create and implement measures to mitigate risks, regularly testing and monitoring their effectiveness.
- Adapt the program to address any new developments.
- Assign one or more employees to oversee coordination of the Information Security Program.
- Evaluate risks to customer information in order to protect it.
According to GLB regulations, customer information includes: 1) non-public personal information about customers of higher education institutions; and 2) non-public personal information about customers that higher education institutions receive from other financial institutions (such as data received from colleges or universities).
Description of the Program
The Office of Higher Education has carefully examined its existing security standards and is committed to complying with all provisions outlined in the GLB Safeguards requirements for protecting customer information. The agency's security program takes into consideration its size, complexity, and the nature and scope of its activities, as well as the sensitivity of its customer information.
Design and Implementation of a Program to Ensure Security
The Safeguarding Program of the Office of Higher Education comprises four elements:
1. Training and Management of Employees
All employees in the Office of Higher Education will undergo training on data privacy and security and will sign the agency's Confidentiality Agreement. Directors, Associate Directors and other program managers responsible for activities and systems involving CFI (Confidential Financial Information) must be particularly diligent in ensuring that their employees understand data privacy and security through adequate training. Every new employee will receive orientation training emphasizing the importance of information security, including the proper use of computer information and passwords. This training will cover the controls and procedures that prevent disclosure of CFI, as well as guidelines for secure document disposal.
Each department within the Office of Higher Education will regularly conduct training sessions for all employees to reinforce the significance of data security and to ensure adherence to safeguarding procedures and controls. Department-specific modifications may be made to training activities based on perceived risks, the nature and scope of the activities involved, and the level of access to confidential customer information within each department.
Workers will be given proper training by a supervisor on how to identify and protect confidential customer information (CFI) in order to prevent any unauthorized disclosure.
2. Security of Information Systems
Only individuals who have a business reason and are authorized by the Executive Director can access CFI through the agency's information systems and networks. Access controls are put in place at several levels, including the user, application, system and network layers. These measures ensure that access to CFI is consistently implemented in accordance with regulations, the agency's Information Security Program, and other acceptable use policies.
The Office of Higher Education is committed to taking the necessary actions, using current technological capabilities and the industry-recognized best practices outlined in the Information Security Program, to ensure that all confidential customer information is stored, accessed, processed and transmitted securely. The aim is to maintain the confidentiality, integrity and authorized availability of all records.
These steps encompass measures including, but not limited to:
- Managing and mitigating risks associated with known vulnerabilities, as well as responding to network- and host-based threats.
- Maintaining separation of privileges to safeguard customer information access.
- Establishing documented incident response and escalation processes.
- Regularly updating and patching systems to ensure the integrity of both network- and host-based security.
- Implementing antivirus software when appropriate.
- Monitoring system availability on a routine basis.
All confidential financial information (CFI) is securely stored behind firewalls within the Office of Higher Education. Whenever feasible, encryption technology will be employed for both storing and transmitting customer data. Routine audits and system tests will be conducted to verify the effectiveness of the implemented safeguards.
3. Security Measures for Physical Records
Access to paper records will be granted exclusively to employees who have a legitimate business purpose for accessing CFI and are authorized by the Executive Director. All physical records will be stored in offices or secure files as far as reasonably practical. These files will be locked every night at a minimum.
It is considered standard business practice to ensure that files are locked whenever no authorized employee is present with them.
4. Disposal of Records
The Office of Higher Education will keep paper records and electronic documents only for as long as they are actively used by the agency or as required by state or federal law, audit compliance guidelines, or the State of Connecticut's record retention policy.
When the Office of Higher Education no longer needs to keep paper documents, they will be shredded. Electronic documents will be. Magnetic media will be erased.
Adjusting the Information Security Program
According to GLB regulations, this program must undergo periodic review and adjustment. Since the technology used to secure information resources is constantly evolving, the Office of Higher Education is expected to continuously monitor technology and make adjustments to maintain a secure infrastructure. The ISPC will reassess the remaining processes required by this program at least once a year.