Safeguarding GLBA Customer Information Procedure
Purpose
The Gramm-Leach-Bliley Act (“GLBA”) and Title IV of the Higher Education Act of 1965 require institutions of higher education, as financial institutions, to take steps to protect customers’ nonpublic personal information. Institutions of higher education are required to comply with the Federal Trade Commission Standards for Safeguarding Customer Information (Safeguards Rule) as outlined in 16 C.F.R. Part 314. These requirements are in addition to those of the Family Educational Rights and Privacy Act (FERPA).
Scope
This procedure applies to all “customer information,” which is defined as information obtained by Eastern Illinois University as a result of providing a financial service, such as when the University administers or aids in the administration of Title IV programs; makes institutional loans or scholarships; or certifies a private education loan on behalf of a student. Customer information is limited to financial information connected to student and parent finances, such as student and parent loans, bank account information, and income tax information for financial aid packages.
The following departments have GLBA responsibilities for customer information: Financial Aid and the Bursar's Office.
Procedure
The GLBA Safeguards Rule mandates that an institution of higher education’s GLBA written information security program include the elements outlined in this procedure.
1 - Designate a Qualified Individual to oversee and implement its information security program
The University IT (Information Technology) Security Officer is responsible for this GLBA procedure and is designated as the Qualified Individual for the University.
2 - Identify and assess the risks to covered data in each relevant area of the university’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks
The designated units and the IT Security Officer work together to identify and assess risks to customer information including but not limited to:
- Unauthorized access to customer information;
- Compromised system security because of system access by an unauthorized person;
- Interception of customer information during transmission;
- Loss of data integrity;
- Physical loss of customer information in a disaster;
- Errors introduced into the system;
- Corruption of data or systems;
- Unauthorized requests for customer information;
- Unsecured disposal of customer information.
The University acknowledges that the list of risks above may not cover all potential risks to the security of customer information. Technology evolves over time and new risks may emerge, so the plan will be reviewed and revised annually as part of the program's evaluation.
3 - Design and implement a safeguards program with the minimum safeguards outlined in 16 C.F.R. 314.4 (c)(1) through (c)(8)
The minimum safeguards to protect customer information include:
- Implement and periodically review access controls, including technical and, as appropriate, physical controls, to authenticate authorized users and limit users’ access to only the customer information needed to perform their duties or functions;
- Identify and manage the data, personnel, devices, systems, and facilities that enable each unit to achieve its business purposes, in accordance with their relative importance to business objectives and the University’s risk strategy;
- Protect customer information held or transmitted by the designated units, both in transit over external networks and at rest, or use effective alternative compensating controls reviewed and approved by the IT Security Officer;
- Require all in-house and externally developed applications used by units subject to GLBA to be reported to the Information Security group, so that the collection, storage, use, and security of customer information are known and handled in approved ways;
- Implement either multi-factor authentication or equivalent access controls approved by the IT Security Officer for information systems where customer information is held;
- Follow secure disposal procedures approved by the IT Security Officer for any system holding customer information, or retain records in accordance with the State Record Retention Act;
- Follow ITS procedures for change management affecting University information systems where customer information is held; and
- Follow all ITS procedures and controls designed to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information.
4 - Regularly monitor and test the safeguards program
The IT Security Officer will follow regular Technology Solution procedures to test the technical safeguards for GLBA customer information. Internal Audit performs periodic audits/reviews of the University's information technology and information security.
5 - Implement policies and procedures to ensure that university personnel can implement the information security program
The GLBA Information Security Procedure is a subset of the University IT Policies. Data Custodians are responsible for facilitating and enforcing compliance with all information security policies and practices applicable to their unit. Ensuring employees are trained is an essential component of their efforts.
6 - Select service providers that can maintain appropriate safeguards over covered data, ensure the service contract requires them to maintain safeguards, and oversee their handling of covered data
The University units subject to GLBA will take reasonable steps, in collaboration with the University Purchasing Office and ITS, to select and retain service providers who maintain appropriate safeguards for customer information.
7 - Provide for the evaluation and adjustment of the information security program in light of relevant circumstances, including changes in the university’s business or operations, or the results of security testing and monitoring
The GLBA Information Security Procedure will comply with the standards established by ITS Policy and related procedures for assessing the information security program, regular updates, and enhancements.
8 - Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of covered data in the university’s control
The University Emergency Plan contains a written plan for handling a data security incident. Eastern Illinois University will adhere to the Information Technology Security Incident Reporting Policy. The Information Security team has the duty of carrying out response actions to a compromise of University IT systems or an unauthorized disclosure of Eastern Illinois University data.
It is understood that in the event of a breach of customer information, the University is required to notify contacts designated by the U.S. Department of Education within 24 hours after an incident is known or identified.
9 - Require the Qualified Individual to report in writing, regularly and at least annually, to the Board of Trustees.
The Qualified Individual will collaborate with the departments that have GLBA responsibilities and will submit a report to the President Council annually.
Last Report Submitted: 06/10/2024
Last Date Reviewed: 06/13/2024