Introduction
Elements of Security Program
Designating Information Security Program Coordinators
Conducting Risk Assessments
Ensuring Safeguards Employed
Overseeing Service Providers
Periodic Review and Adjustment of Program
Definitions
University Policies and Other References
Introduction
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, together with the implementing Safeguards Rule issued by the Federal Trade Commission (FTC), regulates the security and confidentiality of non-public customer personal information collected or maintained by or on behalf of financial institutions or their affiliates. To the extent that the University of Memphis is classified as a financial institution under GLBA, by virtue of processing or servicing student or employee loans or offering other financial products or services, the University has established this Information Security Program (Program) to assure compliance with GLBA and the Safeguards Rule. As required by the Safeguards Rule, the Program is designed to provide for the security and confidentiality of non-public customer personal information, to protect against anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to a customer. The Program applies to the customer financial information (covered data and information) that the University receives in the course of business. This document describes many of the activities the University currently undertakes, and will undertake, to maintain covered data and information according to legal and University requirements, and it outlines the safeguards that apply to this information. Its goal is to define the University's Information Security Program, to provide a framework for ongoing compliance with the federal regulations underlying the Program, and to position the University for likely future privacy and security regulations.
GLBA requires the University to designate Information Security Program Coordinators; to conduct risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of covered data and information; to oversee service providers and their contracts; and to evaluate and adjust the Information Security Program periodically.
Elements of Security Program
GLBA requires the University to develop, implement and maintain a comprehensive information security program containing the administrative, technical and physical safeguards that are appropriate to the University's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. This Information Security Program has five components:
- designating an employee or office responsible for coordinating the program;
- conducting risk assessments to identify reasonably foreseeable security and privacy risks;
- ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored;
- overseeing service providers;
- maintaining and adjusting this Information Security Program in light of the results of testing and monitoring, as well as material changes in operations or systems.
Designating Information Security Program Coordinators
In order to comply with GLBA, the University has designated Information Security Program Coordinators to be responsible for coordinating and overseeing the Program. The Coordinators are presently the Network Security Specialist from the Division of Information Technology (lead Coordinator), the Director of Financial Aid, and the Director of Business and Finance Technology. For purposes of this Program, the Coordinators report to the Vice President for Information Technology and CIO, who may add representatives from other divisions as deemed appropriate. The Office of University Counsel will work closely with the Coordinators and will serve as a resource on all elements of the Program.
As part of this Information Security Program, the Coordinators have identified the units and areas of the University with access to covered data and information. The Coordinators, with assistance from the Office of University Counsel, conducted a survey to confirm that all areas holding covered information are included within the scope of this Information Security Program. The Coordinators will maintain a list of the areas and units of the University with access to covered data and information, and will continue to consult with responsible offices to keep that list current.
The Coordinators will ensure that risk assessments and monitoring are carried out for each unit or area that has covered data and information and that appropriate controls are in place for the identified risks. The Coordinators may require units with substantial access to covered data and information to further develop and implement comprehensive security plans specific to those units and to provide copies of the plan documents to the Coordinators for inclusion in an annual report for the Vice President for Information Technology, CIO. The Coordinators may designate, as appropriate, responsible parties in each area or unit to carry out activities necessary to implement this Information Security Program.
The Coordinators will work with responsible parties to ensure that adequate training and education are developed and delivered for all employees with access to covered data and information. The Coordinators will, in consultation with other University offices, verify that existing policies, standards and guidelines that provide for the security of covered data and information are reviewed and are adequate to ensure compliance with GLBA. The Coordinators will recommend revisions to policy, or the development of new policy, as appropriate.
The Coordinators will prepare an annual report on the status of the Information Security Program and provide the report to the Vice President for Information Technology, CIO. The Coordinators may prepare more frequent reports as necessary or requested. These reports may include copies of any unit-specific security plans, current risk assessments for each unit with access to covered data, a statement on the controls in place to mitigate those risks and the effectiveness of those controls, summaries of monitoring activities, actions taken or to be taken to correct any security concerns identified through monitoring, and such other information as required to provide assurance that this Information Security Program is implemented and maintained.
The Coordinators will update this Information Security Program, including this and related documents, from time to time.
Conducting Risk Assessments
Each University office or department handling covered data and information, as identified by the Coordinators, will take steps to identify and assess internal and external risks to the security, confidentiality and integrity of covered data and information that could result in the unauthorized access, disclosure, misuse, alteration, destruction or other compromise of such information.
The Coordinators, with the assistance of the Office of University Counsel, will develop procedures for identifying and assessing risks in each relevant area of the University's operations. The Coordinators will work with all relevant areas to carry out comprehensive risk assessments that identify potential and actual risks to the security and privacy of information. Risk assessments will cover system-wide risks as well as risks unique to each area with covered data and information, and will include, but not be limited to: employee training and management; information systems, including network and software design, as well as information processing, storage, transmission and disposal; and systems for detecting, preventing and responding to attacks, intrusions or other system failures.
The Coordinators will ensure that risk assessments are conducted at least annually and more frequently where required.
Ensuring Safeguards Employed
Each affected office or department will design, implement and maintain, in writing, such administrative, technical and physical safeguards as are necessary to control the risks identified through risk assessment, and will regularly monitor the effectiveness of those safeguards. Each office should design and implement safeguards in accordance with the nature and scope of that office's activities and the sensitivity of the covered data and information at issue. The Coordinators will provide guidance on appropriate safeguards to all affected offices and departments, and will work with individual offices as requested or appropriate in the design and implementation of safeguards.
The Coordinators will ensure that reasonable safeguards and monitoring are implemented and cover each unit that has access to covered data. Such safeguards and monitoring relate to employee training, information systems, and managing system failures.
Employee Management and Training
Safeguards for security will include management and training of those individuals with authorized access to covered data and information. The Coordinators, working with other responsible offices and units, will identify the categories of employees or others who have access to covered data and information and will ensure that appropriate training and education is provided to all of them. Such training will include education on the relevant policies and procedures and on the other safeguards in place or developed to protect covered data and information.
Other safeguards may also be used, as appropriate, including job-specific training on maintaining security and confidentiality; requiring user-specific passwords and periodic password changes; limiting access to covered data to those with a business need for the information; requiring signed certification of responsibilities before authorizing access to systems with covered data and information; requiring signed releases for disclosure of covered data and information; establishing methods for prompt reporting of the loss or theft of covered data and information, or of the media on which covered data may be stored; and other measures that provide reasonable safeguards against the risks identified.
Information Systems
Information systems include network and software design, as well as information processing, storage, transmission, retrieval, and disposal.
Network and software systems will be reasonably designed to limit the risk of unauthorized access to covered data and information. This may include restricting access by design, maintaining appropriate tools to detect intrusion attempts and malicious software, and applying security patches promptly.
Safeguards for information processing, storage, transmission, retrieval and disposal may include: requiring that electronic covered data be entered into a secure, password-protected system; using secure connections to transmit data outside the University; using secure servers; ensuring that covered data is stored on transportable media (floppy disks, zip disks, etc.) only when authorized and only temporarily; permanently erasing covered data from computers, diskettes, magnetic tapes, hard drives or other electronic media before re-selling, transferring, recycling or disposing of them; storing physical records in a secure area and limiting access to that area; protecting covered data and information and the systems that hold them from physical hazards such as fire or water damage; disposing of outdated records under a document disposal policy; shredding confidential paper records before disposal; maintaining an inventory of the servers or computers that hold covered data and information; and other reasonable measures to secure covered data and information throughout its life cycle in the University's possession or control.
The University of Memphis has policies governing the use of information technology resources including access to data.
Detecting System Failures
The University will maintain effective systems to prevent, detect and respond to attacks, intrusions and other system failures. Such systems may include maintaining current anti-virus software; checking with software vendors and others to regularly obtain and install patches that correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding the paper copies; backing up data regularly and storing backup copies off site; and other reasonable measures to protect the integrity and safety of information systems.
Processes will be implemented to regularly test and monitor the effectiveness of information security safeguards. Monitoring will be conducted to reasonably ensure that safeguards are being followed, and to swiftly detect and correct breakdowns in security. The level of monitoring will be appropriate to the potential impact and probability of the risks identified, as well as the sensitivity of the information involved. Monitoring may include sampling, system checks, reports of access to systems, reviews of logs, audits, and any other reasonable measures adequate to verify that the Information Security Program's controls, systems and procedures are working.
Overseeing Service Providers
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for non-public customer personal information. A service provider is any person or entity that receives, maintains, processes or otherwise is permitted to access covered data and information through its provision of services directly to the University; such services may include collection activities, transmission of documents, destruction of documents or equipment, or other similar services. Under this Information Security Program the University will take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and will require service providers by contract to implement and maintain such safeguards.
GLBA affects the contracting procedures of Tennessee Board of Regents (TBR) institutions in that all existing and future contracts with service providers that have access to the nonpublic financial information of the institution's customers must require, by contract, that the service providers implement and maintain the safeguards prescribed in the act. At the University, the Director of Purchasing is responsible for verifying that contracts with third-party service providers comply with the requirements of GLBA. The University incorporates into all existing contracts the standard addendum published by the TBR Office of General Counsel, and will incorporate the TBR's Gramm-Leach-Bliley Service Provider Contract Clause in all future contracts.
Periodic Review and Adjustment of Program
GLBA requires that this Program be subject to periodic review and adjustment. The most frequent of these reviews will likely occur within Information Technology, whose operations involve constantly changing technology and constantly evolving risks. Processes in other relevant offices of the University should also be reviewed regularly (annually at a minimum), particularly in response to any operational changes that may have a material impact on the Program. The Coordinators will review the Program itself annually to assure ongoing compliance with GLBA and the FTC Safeguards Rule, as well as consistency with other existing and future laws and regulations. The Coordinators will also review related University policies and guidelines for their compliance with GLBA.
Definitions
“Customer” is defined as a consumer who has a customer relationship with a financial institution. A consumer means an individual (or that individual's legal representative) who obtains or has obtained a financial product or service from a financial institution that is used primarily for personal, family or household purposes.
“Financial Institution” refers to any institution the business of which is significantly engaged in financial activities, which may include, but are not limited to, extending credit and servicing loans; lending, exchanging, transferring, investing for others, or safeguarding money or securities; and insuring, guaranteeing or indemnifying against loss, harm, damage, illness, disability or death. The Federal Trade Commission has classified institutions of higher education as financial institutions for purposes of compliance with the Safeguards Rule because such institutions process student loans.
“Nonpublic financial information” is any record that an institution obtains from a customer in the process of offering a financial product or service, or such information provided to the institution by another financial institution. This term means any information: (1) (a) that a student or other third party provides in order to obtain a financial service from the institution; (b) about a student or other third party resulting from any transaction with the institution involving a financial service; or (c) otherwise obtained about a student or other third party in connection with providing a financial service to that person, and (2) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
"Covered data and information" means all information required to be protected under the GLBA which includes any personally identifiable financial information, not otherwise publicly available, that the University has obtained from a student, student parent or spouse, employee, alumnus, or other third party, in the process of offering a financial product or service, or such information provided to the University by another financial institution, or such information otherwise obtained by the University in connection with providing a financial product or service.
"Offering a financial product or service" includes offering student loans, receiving income tax information from a current or prospective student's parents as part of a financial aid application, offering credit or interest-bearing loans, employee mortgage loans, employee educational grants, and other miscellaneous financial services as defined by GLBA. Examples of customer financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and Social Security numbers, in both paper and electronic form.
"Service Providers" refers to all third parties who, in the ordinary course of University business, are provided access to covered data and information. Service providers may include businesses retained to transport and dispose of covered data and information, collection agencies, and systems support providers, for example.
University Policies and Other References
UM1535: Acceptable Use of Information Technology Resources
UM1337: Data Access
xxxxx: Computer and Network Security
xxxxx: Security and Protection of Campus Communication Networks
UM1365: University Records Management Program
1:2A:03:01: Privileged Access to Computer Systems