Gramm-Leach-Bliley Act (GLBA)Safeguards Rule
Information Security Program Training
July 28th, 2021
Agenda
• GLBA Overview
• Safeguards Rule Requirements
• Check Your Knowledge
• College Program Coordinator
• Additional Resources
GLBA Overview
Gramm-Leach-Bliley Act (GLBA)
Federal law which mandates financial institutions, including higher education, to develop, implement and maintain administrative, technical and physical safeguards to protect the security, integrity and confidentiality of customer information.
Regulations include a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314).
Compliance with GLBA is required under the University's Federal Program Participation Agreement, and therefore a requirement in order to receive federal financial aid funds.
Enforced by the Federal Trade Commission (FTC).
Key Terms
Covered Data means (i) non-public personal identifiable (NPI) financial information about a Customer and (ii) any list, description, or other grouping of Customers (and publicly available information pertaining to them) that is derived using any non-public personal financial information. Covered Data is subject to the protections of GLBA, even if the Customer ultimately is not awarded any financial aid or provided with a credit extension. Covered Data includes such information in any form, including paper and electronic records. Examples include Social Security Number (SSN), credit card account numbers, bank account number, income and credit history, and information derived from personally identifiable financial information.
Customer means any individual (student, parent, faculty, staff, or other third party with whom the University interacts) who receives a Financial Service from the University for personal, family or household reasons that results in a continuing relationship with the University.
Financial Service includes offering or servicing student and employee loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, engaging in debt collection activities, and leasing real or personal property to individuals for their benefit.
Service Providers means any person or entity that receives, maintains, processes, or otherwise is permitted access to Covered Data through its direct provision of services to the University.
Financial Institution means any institution that significantly engages in financial activities. CUNY significantly engages in and provides financial services to students. As such, CUNY falls within the definition of "financial institution" under GLBA and must comply with the law's requirements.
Financial Institution - CUNY
Examples of CUNY Financial Services:
• Student loans, including receiving applications and the making and servicing of loans
• Receiving parent income tax returns
• Collection of delinquent loans
Risks of Non-Compliance
Administrative enforcement action may be brought against any financial institution for non-compliance.
Inability to receive federal financial aid funds.
GLBA Regulations
GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions.
Privacy Rule
According to the FTC, Colleges or Universities that are in compliance with the Federal Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g) and are also financial institutions shall be deemed to be in compliance with GLBA’s Privacy Rule (16 CFR 313.1).
The University’s FERPA policy addresses the FTC’s requirements relating to the Privacy Rules.
Examples of Covered Data include:
• Social Security Number (SSN)
• Credit card account numbers
• Income and credit history
• Bank account information
• Tax return
• Names, addresses and telephone numbers derived from personally identifiable financial information (e.g., names of students with outstanding loans)
Safeguards Rule
Unlike the Privacy Rule, the FTC has not made any exceptions to the Safeguards Rule; therefore, all Colleges or Universities must comply with each requirement.
The Safeguards Rule requires all financial institutions to develop an Information Security Program designed to protect customer financial information (Covered Data).
Safeguards Rule Objectives
The objectives of the Safeguards Rule are to:
• Ensure the security and confidentiality of Covered Data,
• Protect against any anticipated threats or hazards to the security or integrity of such information, and
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Safeguards Rule Requirements
1. Designate an employee(s) to coordinate the program
2. Identify and assess risks to Covered Data
3. Design and implement safeguards
4. Oversee service providers and contracts
5. Program review and revision
1. Designate an Employee(s) to Coordinate the Program
The Central Office of Budget and Finance, led by SVC Sapienza, and the Central Office of Computing and Information Systems, led by VC Brian Cohen, are the program coordinators and are responsible for:
• Administering CUNY’s Information Security Program
• Serving as a resource and liaison with the colleges
• Disseminating relevant information and updates
Local college program coordinators have been designated by the college presidents.
2. Identify and Assess Risks to Covered Data
CUNY’s data owners and custodians shall actively seek to identify and address all potential technology security risks associated with Covered Data. Since technology changes over time, new risks may arise.
University cybersecurity and IT staff monitor advisories, alerts and threat intelligence from a variety of sources that include vendors, cybersecurity trusted communities like the MS-ISAC and REN-ISAC, the U.S. Department of Homeland Security and the Federal Bureau of Investigation and public media reports for identification of new risks.
CUNY’s Office of Risk, Audit and Compliance shall incorporate continuous monitoring and identification of security risks and controls into its Annual Risk Assessment/Internal Control Review process.
The risk assessment should include consideration of risks in each relevant area of their operations, including:
Example of Risk Assessment:
2. Identify and Assess Risks to Covered Data (Cont’d)
Examples of internal and external risks associated with the protection of Covered Data:
• Compromised system security as a result of unauthorized requests for or access to Covered Data (both paper and electronic data)
• Unauthorized release of Covered Data by third parties contracted by the University
• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster
• Corruption of data or systems
• Unauthorized/unsecured disposal of Covered Data
3. Design and Implementation of Safeguards
The Safeguards Rule requires that all financial institutions implement an Information Security Program to safeguard Covered Data.
The Information Security Program has four components:
A. Employee Training and Management
B. Information System Security
C. Safeguarding Paper and Electronic Records
D. Disposal of Records
3A. Employee Training and Management
CUNY staff in all departments that collect, retain, access, transmit or dispose of Covered Data shall receive a copy of the Gramm-Leach-Bliley Act (GLBA) Financial Information Security Program Policy and the Safeguards Rule Training.
Each department director will distribute these documents to current employees and clarify how they relate to the department.
These documents will be part of new staff orientation, including transfer employees.
College Program Coordinators will ensure that each department director is aware of these responsibilities.
The University and College Program Coordinators will arrange for training as needed.
Some examples include:
• Training staff on basic steps they must take to protect Covered Data
• Ensuring staff are knowledgeable about applicable policies and expectations
• Limiting access to Covered Data to employees who have a business reason to have such information
3B. Information System Security
Access to Information
Access to Covered Data through University and College networks, enterprise and stand-alone systems shall be limited to those employees who have a “strict need to know,” consistent with the individual's job responsibilities, per CUNY IT Security Procedures (§II.3.(a)).
Each employee with access to Covered Data is assigned a user name and password.
All databases and imaged documents containing Covered Data must be appropriately protected, including use of password or other authentication, encryption and other access restrictions as appropriate.
3B. Information System Security (Cont’d)
Security and Integrity of Records
To the extent reasonably available, the University utilizes industry-standard protocols and cybersecurity technologies, including:
• firewalls,
• intrusion prevention,
• encryption,
• anti-malware,
• email security, and
• restricted physical access to its data centers
To protect the University's digital assets, everyone’s participation is required, in consultation with CUNY and College information technology departments, to ensure that reasonable and appropriate steps are taken to protect Covered Data and to safeguard the integrity of records in storage and transmission.
These steps include maintaining operating systems and applications, applying security-related updates in a timely manner after appropriate testing and reviewing overall protections on an ongoing basis.
Access to Covered Data shall be limited to those employees who have a job responsibility to have access to such information.
Reasonable care needs to be exercised for safekeeping of records. Supervisory staff should periodically monitor the effectiveness of these safeguards to ensure they are working as intended. Some examples include:
• Securing physical records by locking file cabinets and offices when not in use
• Not leaving Covered Data unattended and unsecured
• Referring calls or requests for Covered Data to staff trained to respond to such requests
• Being alert to fraudulent attempts to obtain Covered Data and reporting these to management
• Ensuring that storage areas are protected against destruction or potential damage from physical hazards, such as fire or floods
3C. Safeguarding Paper and Electronic Records (Cont’d)
• Password protect computers and systems with access to Covered Data and log off when access is no longer needed
• Secure computer records by not sharing your username or password with anyone
• Shut down and turn off computers at the end of each day where possible (when working remotely, this may not be possible)
• Use password-activated screensavers
• Use strong passwords, change them periodically and do not write them down
• Encrypt Covered Data when transmitting or storing it electronically
• Monitor systems for actual or attempted attacks, intrusions, or other system failures
• Store electronic Covered Data on a secure server that is accessible only with a password or has other security protections and is kept in a physically secure area
3C. Safeguarding Paper and Electronic Records (Cont’d)
• Maintain secure backup media and secure archived data
• Use anti-virus software that updates automatically
• Obtain and install patches that resolve software vulnerabilities
• Follow written contingency plans to address breaches of safeguards
• Maintain up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home
• Provide central management of security tools and keep employees informed of security risks and breaches
• Comply with other applicable University policies and procedures including, but not limited to:
  • CUNY’s Information Security Policies & Procedures
  • CUNY’s Records Retention Schedule
3D. Disposal of Records
Stored records containing Covered Data shall be maintained only until they become inactive or are no longer required under applicable rules and regulations.
When no longer active or required, records shall be destroyed in accordance with CUNY’s Records Retention Schedule governing the disposition of such records.
Paper records that are no longer required to be kept by the University shall be shredded using a cross cut shredder or other means so that the information cannot be read or reconstructed.
Per §III.14 of CUNY’s General IT Security Procedures Policy, whenever records containing Non-Public University Information are subject to destruction under the CUNY Records Retention and Disposition Schedule, the information on the storage devices must be securely overwritten or the devices physically destroyed in a manner that prevents unauthorized disclosure. Users should contact their campus help desk for assistance with this destruction.
The designated Records Retention Officer at the University and at each College is responsible for administering a records management program, and should be consulted with any questions about the disposition status of records.
4. Oversee Service Providers and Contracts
Under the Safeguards Rule, CUNY is required to select and contract with service providers who will maintain safeguards to protect Covered Data and oversee their handling of the Covered Data.
Service providers who will collect, store and/or otherwise use or have access to University Covered Data must comply with applicable legal and the University’s requirements regarding protection of the Covered Data. Offices and departments wishing to contract for a service in which the provider will use or access Covered Data shall ensure that college procurement is aware that Covered Data will be involved so that the appropriate security review will be included in the procurement process and appropriate privacy and security language is included in the contract with the service provider.
One part of the security review of a potential service provider could be to require the service provider to provide a Service Organization Control report (SOC report) as part of its proposal. These reports are developed by the American Institute of Certified Public Accountants (AICPA) and can provide information about controls related to security, processing integrity, confidentiality and privacy that can be helpful when evaluated in conjunction with an internal risk assessment.
Colleges should inventory existing contracts with service providers who use or access Covered Data to confirm that such contracts contain appropriate privacy and information security language. The University Office of the General Counsel can be helpful in analyzing contract language.
5. Program Review and Revision
The Safeguards Rule mandates periodic review and revision of the Information Security Program.
• On an ongoing basis the Information Security Officer at the University and at each college keeps abreast of emerging threats and changes in technology and recommends necessary adjustments to cybersecurity infrastructure, policies and procedures to mitigate new risks.
• Each college program coordinator shall work with CUNY’s Office of Risk, Audit and Compliance / Computing and Information Services to reassess annually the other processes covered by the Information Security Program.
5. Program Review and Revision (Cont’d)
Annual Assessment
The annual assessment will be accomplished primarily through the annual Risk Assessment coordinated through CUNY’s Office of Risk, Audit and Compliance.
Completion of the Risk Assessment will require a collaboration between multiple entities on the campus, typically the business office and the IT area. Each will have parts of their own operations to assess and will submit a Report indicating issues such as:
• Changes or modifications to the existing systems of internal control
• Status of planned improvements
• Types of control testing
• Any applicable corrective changes
Test Your GLBA Knowledge
Question #1: According to the GLBA, CUNY must protect covered data that is printed on paper.
Question #2: According to the GLBA, CUNY must protect covered data that is maintained electronically.
Question #3: An employee should place paper listings of covered data in campus trash when they no longer use the information.
Question #4: If covered data is stolen, then an employee should keep this occurrence to themselves so as not to cause disruption to CUNY.
Question #5: If an employee believes that covered data has been or may be inappropriately released, then the employee should contact the Information Security Program Coordinator for his/her college.
College Program Coordinators
Help departments that collect, retain, access, transmit or dispose of Covered Data to implement the program
Help identify risks to security, confidentiality and integrity of Covered Data
Distribute relevant information, updates and training materials
Participate in the Annual Risk Assessment
Assure that Department Directors are aware of their responsibilities
Review the Information Security Program and make suggestions for changes and additions to the program
Additional Resources
FTC: https://www.ftc.gov/tips-advice/business-enter/privacy-and-security/gramm-leach-bliley-act
CUNY Resources:
• https://Security.cuny.edu
• https://www2.cuny.edu/about/administration/offices/cis/information-security/security-policies-procedures
• https://www2.cuny.edu/website/privacy-policy
Questions?