Policy 2160A
GRAMM-LEACH-BLILEY ACT
References: U.S. Department of Education Program Participation Agreement (PPA), Gramm-Leach-Bliley Act (15 U.S. Code § 6801), 32 C.F.R. Part 2002 and National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) REV 2.
Western Wyoming Community College (the College) shall adhere to the Gramm-Leach-Bliley Act (GLBA). The College, as an educational entity engaging in financial activities such as processing student loans, shall adopt procedures that ensure compliance. These procedures will safeguard and maintain the confidentiality of customer information in the College's possession.
GLBA and other emerging legislation may result in standards of care for information security across all areas of data management practices, both electronic and physical (employee, student, customer, alumni, donor, etc.). Therefore, the College shall adopt a program for certain highly critical and private financial and related information. This security program shall apply to customer financial information (covered data) the College receives in the course of business as required by GLBA as well as other confidential financial information the College has voluntarily chosen as a matter of policy to include within its scope.
Adopted October 19, 2021
Procedure 2160A
GRAMM-LEACH-BLILEY ACT
Reference: Board Policies 2160A, 2110A, 2120A, 3130J, 3710H, 3910H, 3910M, 3910N, 5110C, 5240F, 5310A, 5430A, 5460A, 5460B, 6120A
Western Wyoming Community College (the College) shall protect private information and data, and shall comply with the provisions of the Federal Trade Commission's Safeguards Rule (16 C.F.R. Part 314) implementing applicable provisions of the Gramm-Leach-Bliley Act (GLBA). The College has adopted an Information Security Program for specific highly critical and private financial and related information. This security program applies to customer financial information (covered data) the College receives in the course of business as required by GLBA, as well as other confidential financial information the College has voluntarily chosen as a matter of policy to include within its scope. This procedure identifies the activities undertaken by the College to maintain compliance with GLBA and outlines the safeguards that apply to covered data. The practices set forth will be carried out by, and affect, diverse areas of the College.
Definitions
Customer: Any individual who receives a financial service from the College. Customers may include students, parents, spouses, faculty, staff, and third parties.
Non-public personal information: Any personally identifiable financial or other personal information, not otherwise publicly available, that the College has obtained from a customer in the process of offering a financial product or service; such information provided to the College by another financial institution; such information otherwise obtained by the College in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.
Financial product or service: Includes student loans, employee loans, activities related to extending credit, financial and investment advisory activities, management consulting and counseling activities, community development activities, and other miscellaneous financial services.
Covered data and information: For the purpose of this Program, includes non-public personal information of customers required to be protected under GLBA. In addition to this required coverage, the College chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the College, whether or not such financial information is covered by GLBA. Covered data and information includes both paper and electronic records.
Security Program Components
The GLBA requires that the College develop, implement, and maintain a comprehensive information security program containing the administrative, technical, and physical safeguards that are appropriate based upon the College's size, complexity, and the nature of its activities. This Information Security Program has five components:
- Designating an employee or office responsible for coordinating the program;
- Conducting risk assessments to identify reasonably foreseeable security and privacy risks;
- Ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored;
- Overseeing service providers;
- Maintaining and adjusting the Program based upon the results of testing and monitoring conducted, as well as material changes in operations or business arrangements.
Security Program Coordinators
The GLBA Security Program Coordinators (Coordinators) are responsible for implementing this Information Security Program. The College President designates the Vice President for Student Services, Chief Information Officer, Associate Vice President of Finance, and Dean of Students, collectively referred to as the “GLBA Coordinators”, to coordinate the protection of covered data. The GLBA Coordinators will work with the Financial Aid Director, Associate Vice President of Human Resources, and Chief Academic Officer to implement the GLBA requirements in this procedure. Together they will identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered data; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program; and regularly monitor and test the program. The GLBA Coordinators will evaluate the program periodically, make appropriate adjustments, and send reminders to the various College departments. The GLBA Coordinators will ensure that risk assessments and monitoring are carried out for each unit or area that has covered data and that appropriate controls are in place for the identified risks.
The GLBA Coordinators will work with responsible parties to ensure adequate training and education is developed and delivered for all employees with access to covered data. The GLBA Coordinators will, in consultation with other College offices, verify that existing policies, standards and guidelines that provide for the security of covered data are reviewed and adequate. The GLBA Coordinators will make recommendations for revisions to policy, or the development of new policy, as appropriate.
The GLBA Coordinators will update this Information Security Program, including this and related documents, from time to time. The GLBA Coordinators will maintain a written security plan and make the plan available to the College community.
Risk Assessment
The Information Security Program will identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks.
The GLBA Coordinators will work with all relevant areas to carry out comprehensive risk assessments. Risk assessments will include system-wide risks as well as risks unique to each area with covered data.
Information Safeguards and Monitoring
The Information Security Program will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. The GLBA Coordinators will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data. Such safeguards and monitoring will include the following:
A. Employee Management and Training:
Safeguards for security will include management and training of those individuals with authorized access to covered data. The College has adopted (or will adopt) comprehensive policies, standards and guidelines setting forth the procedures and recommendations for preserving the security of private information, including covered data.
The GLBA Coordinators, working with other responsible offices and units, will identify categories of employees or others who have access to covered data. Employee access to covered data shall be limited to what the employee's job function requires.
B. Information Systems:
Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal. Access to the information systems shall require proper authorization, clearance and training.
Network and software systems will be reasonably designed to limit the risk of unauthorized access to covered data. This may include designing limitations to access, maintaining intrusion detection and anti-malware controls, and applying security patches.
C. Managing System Failures:
The College will maintain effective systems to prevent, detect, and respond to attacks, intrusions and other system failures.
D. Monitoring and Testing:
Monitoring systems will be implemented to regularly test and monitor the effectiveness of information security safeguards.
Service Providers
In the course of business, the College may from time to time share covered data with third parties when appropriate. Such activities may include collection activities, transmission of documents, transfer of funds, destruction of documents or equipment, or other similar services. This Information Security Program will ensure that reasonable steps are taken to select and retain service providers that can maintain appropriate safeguards for customer information and require service providers by contract to implement and maintain such safeguards.
The GLBA Coordinators, by survey or other reasonable means, will identify service providers who have access to covered data. The GLBA Coordinators will work with the offices responsible for legal affairs, procurement and others as appropriate to ensure service provider contracts contain appropriate terms to protect the security of covered data.
Program Maintenance
The GLBA Coordinators, working with responsible units and offices, will evaluate and adjust the Information Security Program in light of the results of the testing and monitoring described under Information Safeguards and Monitoring above, as well as in response to any material changes to operations or business arrangements and any other circumstances which may reasonably impact the Information Security Program.
Roles and Responsibilities
Deans, Directors, Department Heads and other Managers.
The dean, department head, director or other manager responsible for managing employees with access to covered data will designate a responsible contact to work with the GLBA Coordinators to assist in implementing this program. The designated contact will ensure that risk assessments are carried out for that unit and that monitoring based upon those risks takes place. The designated responsible contact will report the status of the Information Security Program for covered data accessible in that unit to the GLBA Coordinators.
Employees with Access to Covered Data.
Employees with access to covered data must abide by College policies and procedures governing covered data as well as any additional practices or procedures established by their unit heads or directors.
Information Security Officer.
The College's Chief Information Officer will designate individuals who have the responsibility and authority for information technology resources, establish and disseminate enforceable rules regarding access to and acceptable use of information technology resources, establish reasonable security policies and measures to protect data and systems, monitor and manage system resource usage, investigate problems and alleged violations of College information technology policies, and refer violations to appropriate College offices such as the offices responsible for legal affairs and internal audits for resolution or disciplinary action.
Adopted October 19, 2021