Skip to main content

9.8.9 Safeguarding GLBA Customer Information Procedure

Purpose

The Gramm-Leach Bliley Act (“GLBA”) and Title IV of the Higher Education Act of 1965 require institutions of higher education, as financial institutions, to take steps to protect customers’ nonpublic personal information. Institutions of higher education are required to comply with the Federal Trade Commission Standards for Safeguarding Customer Information (Safeguards Rule) as outlined in 16 C.F.R. Part 314. These requirements are additional to those of the Family Educational Rights and Privacy Act (FERPA) as outlined under University Policy 2.1.1 Student Records.

Scope

This procedure applies to all “customer information” which is defined to be information obtained by Illinois State University as a result of providing a financial service such as when the University administers or aids in the administration of Title IV programs; makes institutional loans or scholarship; or certifies a private education loan on behalf of a student. Customer information is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages.

The following departments have GLBA responsibilities for customer information: All units within the Enrollment Management and Academic Services Aid division; the Office of Technology Solutions; Student Accounts, Comptroller; Planning, Research, and Policy Analysis; and the University Advancement division.

Procedure

The GLBA Safeguards Rule mandates that an institution of higher education’s GLBA written information security program include the elements outlined in this procedure.

Element 1: Designate a Qualified Individual to oversee and implement its information security program

The University Chief Information Security Officer (“CISO”) is responsible for this GLBA procedure and is designated as the Qualified Individual for the University.

Element 2: Identify and assess the risks to covered data in each relevant area of the university’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks

The designated units and the CISO work together to identify and assess risks to customer information including but not limited to:

  • Unauthorized access to customer information;
  • Compromised system security as a result of system access by an unauthorized person;
  • Interception of customer information during transmission;
  • Loss of data integrity;
  • Physical loss of customer information in a disaster;
  • Errors introduced into the system;
  • Corruption of data or systems;
  • Unauthorized requests for customer information;
  • Unauthorized access to hard copy files or reports containing customer information;
  • Unauthorized transfer or release of customer information by third parties contracted by the University;
  • Unauthorized disposal of customer information; and
  • Unsecured disposal of customer information.

The University recognizes that the above list of risks may not be a complete list of risks associated with the protection of customer information. Since technology changes over time, the possibility of new risks may arise. The University’s Data Custodians will seek to identify and address technology security risks associated with customer information. In addition, the University Office of Internal Audit shall incorporate continuous monitoring and identification of security risks and controls into its regular internal control review process.

Element 3: Design and implement a safeguards program with the minimum safeguards outlined in 16 C.F.R. 314.4 (c)(1) through (c)(8)

The minimum safeguards to protect customer information include:

  • Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to authenticate authorized users and limit users’ access only to customer information needed to perform duties or functions;
  • Identify and manage the data, personnel, devices, systems, and facilities that enable each unit to achieve business purposes in accordance with their relative importance to business objectives and the University’s risk strategy;
  • Protect customer information held or transmitted by the designated units in transit over external networks and at rest, or use effective alternative compensating controls reviewed and approved by the CISO;
  • Require all in-house and external developed applications used by units subject to GLBA to complete the Information Security Office Data Usage Form Process to ensure customer information is collected, stored, used and known, and secured in approved ways;
  • Implement either multi-factor authentication or a reasonably equivalent access controls approved by the CISO for information systems where customer information is held;
  • Follow CISO approved secure disposal procedures for any system with customer information or retain records in accordance with the State Record Retention Act;
  • Follow Technology Solutions procedures for change management impacting University information systems where customer information is held; and
  • Follow all Technology Solutions procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information.

Element 4: Regularly monitor and test the safeguards program

The CISO will follow regular Technology Solution procedures to test the technical safeguards for GLB customer information. Internal Audit performs periodic audits/reviews of the University's information technology and information security.

Element 5: Implement policies and procedures to ensure that university personnel are able to implement the information security program

The GLBA Information Security Procedure is a subset of the University Policy 9.8, the University Information Security Program and the Data Governance Framework and associated procedures. Where appropriate, unit level policies and procedures may be adopted as long as they are consistent with University Policy 9.8 and related procedures. Data Custodians are responsible for facilitating and enforcing compliance with all information security policies and practices applicable to their unit. Ensuring employees are properly trained is an essential component of their efforts.

Element 6: Select service providers that can maintain appropriate safeguards over covered data, ensure the service contract requires them to maintain safeguards, and oversee their handling of covered data

The University units subject to GLBA will take reasonable steps to collaborate with the University Purchasing Office, Technology Solutions to follow the Information Security office Data Usage Form process and take steps to select and retain service providers who maintain appropriate safeguards for customer information.

Element 7: Provides for the evaluation and adjustment of information security program in light of relevant circumstances, including changes in the university’s business or operations, or the results of security testing and monitoring

The GLBA Information Security Procedure will follow the requirements University Policy 9.8, the University Information Security Program and the Data Governance Framework and associated procedures with respect to evaluation of the information security program, periodic updates, and improvements.

Element 8: Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of covered data in the university’s control; and,

The University Emergency Plan includes a written incident response plan to respond to a data security incident. The Information Technology Cyber Emergency Response Team is responsible for conducting response operations to a breach of University IT systems or an unauthorized release of University data. The team is comprised of IT professionals, the University Police Department and others as needed to resolve the incident. It is understood that in the event of a breach of customer information, the University is required to notify contacts designated by the U.S. Department of Education within 24 hours after an incident is known or identified.

Element 9: Require the Qualified Individual to report in writing, regularly and at least annually, to the Board of Trustees.

The Qualified Individual will collaborate with the University Internal Audit Office and the Comptroller’s Office to submit a report to the Board of Trustees annually.

Established: December 2023