Gramm-Leach-Bliley Act Information Security Program

Section: Financial & Business Policies
Policy Name: Gramm-Leach-Bliley Act Information Security Program
Policy Owner: Executive Vice President
Responsible University Office: Office of the Vice President For Finance and Deputy Treasurer
Origination Date: December 1, 2005
Legacy Policy Number: 1-23
  1. Purpose

    This policy summarizes the University of Delaware’s written information security program mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA).

  2. Designation of Representatives

    The Institution’s Director for Billing and Collection is designated as the Program Officer who shall be responsible for coordinating and overseeing the Program with the appropriate unit heads and the Information Systems Auditor. The Program Officer may designate other representatives of the Institution to oversee and coordinate particular elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the Program Officer or his or her designees.

  3. Scope of the Program

    The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other forms that are handled or maintained by or on behalf of the University or its affiliates. For these purposes, the term nonpublic financial information is any information a student or other third party provides in order to obtain a financial service from the Institution; information about a student or other third party resulting from any transaction with the Institution involving a financial service; or information otherwise obtained about a student or other third party in connection with providing a financial service to that person.

  4. Elements of the Program
    1. Risk Identification and Assessment

      Risk assessments and associated action plans have been established for the external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Risk assessments and compliance plans are in effect for the departments/units involved.

      1. Employee Training and Management

        Human Resources and the Office of Information Technologies provide training for new and existing employees through a program segment at new employee orientation and through ongoing annual training programs for faculty and staff.

      2. Information Systems and Information Processing and Disposal

        Management Information Services and Network and System Services have assessed the risks to nonpublic information associated with information systems, including network and software design, information processing, and the storage, transmission, and disposal of nonpublic financial information. Current archiving and destruction processes are in place for all paper nonpublic financial information.

      3. Detecting, Preventing and Responding to Attacks

        Management Information Services and Network and System Services have procedures for detecting, preventing, and responding to attacks or other system failures. They also have network access and security policies and procedures.

    2. Designing and Implementing Safeguards

      The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper, or other forms. An annual audit of safeguard compliance will be done through the Internal Auditor’s Office. Evaluation of risk of new or changed business arrangements will be coordinated by the Program Officer and the appropriate unit head.

    3. Overseeing Service Providers

      The University may appropriately share covered data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents, or other similar services. Reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue and to require service providers by contract to implement and maintain such safeguards. The Associate Director for Procurement Services ensures that all such third-party contracts include language requiring the vendor to comply with the Federal Trade Commission (FTC) Standards for Safeguarding Customer Data.

    4. Adjustment to Program

      This information security plan shall be evaluated and adjusted for any changes in the University’s business arrangements or in light of future guidance from the National Association of College and University Business Officers and/or the Federal Trade Commission.

      Related Links: Legacy Policy 1-22: Personal Non-Public Information Policy