The Gramm-Leach-Bliley Act (GLB or Act) requires “financial institutions” (which includes colleges and universities) to protect the privacy of their customers, including customers’ nonpublic, personal information. Because universities are governed by GLB,* California Christian College has a responsibility to secure the personal records of its students and employees. To ensure this protection, GLB mandates all institutions establish appropriate administrative, technical and physical safeguards. In an effort to set safeguarding standards, the Act directs that all financial institutions implement an Information Security Program, and designate a program coordinator. California Christian College has designated Bart Fielder, US Computers and Networks, as Security Consultant. The Security Consultant will be supported by Mindy Scroggins, who will act as Compliance Officer.
*GLB also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement because they already do so under the Federal Educational Rights and Privacy Act (FERPA). Colleges and universities complying with FERPA are considered in compliance with GLB.
The Information Security Program must include five main elements: designation of an employee(s) as coordinator of the information security program, identification of internal and external risks to the security and confidentiality of customer information and evaluation of current safeguards, employee training, oversight of service providers, and evaluation of the information security program.
WHAT IS CALIFORNIA CHRISTIAN COLLEGE DOING IN ORDER TO SAFEGUARD PRIVATE INFORMATION?
California Christian College is currently implementing its own Information Security Program, as required by GLB. For greater protection, California Christian College’s Plan will safeguard all credit card information even though it may not be strictly required under GLB. Here are the ways California Christian College is incorporating the safeguarding elements GLB requires:
1) Information Security Policy Coordinator
Mindy Scroggins, will serve as the GLB Coordinator. Bart Fielder, Security Consultant, is responsible for the technical aspects of network and computer security. The GLB Coordinator will take the lead in answering any questions concerning California Christian College’s GLB program and working closely with the College Administrative Staff to implement California Christian College’s Plan. The Coordinators will also interact with relevant College Departments to facilitate safeguarding measures. All general questions regarding California Christian College’s Plan should be directed to Mindy Scroggins, email@example.com.
2) Risk Identification and Evaluation of Current Safeguards
First, the Coordinators must identify all potential and actual risks to the security and confidentiality of customer information. Under the Coordinator’s guidance an annual data security review will be conducted covering all departments. The California Christian College Administrative Staff will identify any employees who work with covered data and information. The GLB coordinators (GLBC) and the California Christian College Administrative Staff will review procedures, incidents, and responses quarterly, and will publish all relevant materials where the risk of security breach is not likely.
GLBC is developing a registry of all computers connected to the College network and a registry of College community members with access to the covered data and information. GLBC is also creating a plan to ensure the encryption of all electronic covered information in transit.
The GLBC are developing training and education programs for all employees with access to covered data, including social security numbers and financial information. Directors and supervisors will play a particularly important part in securing compliance with the information security policy.
4) Oversight of Service Providers
California Christian College Business Office, in cooperation with the GLBC, will develop and send form letters to all covered contractors requesting assurances of GLB compliance. GLBC will take steps to ensure that all relevant future contracts will include a privacy clause and that all existing contracts are in compliance with GLB.
5) Program Evaluation
California Christian College’s Information Security Plan will be subject to periodic review and adjustment, as required by GLB. Bi-Annual reviews will be conducted within GLBC, while other relevant College offices will undergo regular review. The Information Security Plan itself will be reevaluated annually.