
Draft Gramm-Leach-Bliley (GLBA) Information Security Policy

last modified 2008-01-29 08:46

 RUTGERS POLICY

Section:  xx.x.xx

Section Title: Legal Matters

Policy Name: Gramm-Leach-Bliley (GLBA) Information Security Policy

Formerly Book: not applicable

Approval Authority: Senior Vice President and Chief Financial Officer

Responsible Executive: Vice President for Information Technology

Responsible Office: OIT Information Protection and Security

Originally Issued: DATE TBD

Revisions:

Errors or changes? Contact: mgergel@rutgers.edu

1.         Policy Statement

It is the position of the university to provide safeguards to protect information and data in accordance with the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA). Therefore, any department that stores or processes customer financial information ("covered data") must implement data protection standards in order to ensure compliance.

2.         Reason for Policy

To ensure that individuals or departments which access or utilize covered data understand their responsibility with respect to complying with the GLBA.
To identify the corresponding Rutgers standards to be implemented by owners and/or custodians of GLBA data.

3.         Who Should Read This Policy

University administrators including but not limited to:
·         Provosts and vice presidents
·         Deans, directors, chairs, and department heads
·         University administrators/managers
·         All members of the Rutgers University community

4.         Related Documents

GLBA Section 501, 16 CFR Part 316 (May 23 Federal Register, p. 346484)

New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-161 through 56:8-166

Rutgers Identity Theft Policy

Family Educational Rights and Privacy Act (FERPA)

GLBA Control Standard

5.         Contacts

Rutgers Information Protection and Security
732-445-8011
rusecure@rutgers.edu


6.         The Policy

xx.x.xx  GLBA Compliance

I.         GLBA Requirements

Any person or department using or processing covered data shall ensure protection against anticipated threats or hazards to the security or integrity of covered data by implementing the GLBA control standards. Further, business units are responsible for ensuring that the following activities and processes are implemented:

·         Conduct an annual risk assessment of likely security and privacy risks.
·         Institute a training program for all employees who have access to covered data and information.
·         Oversee service providers and contracts to ensure the protection of covered data.

II.        Definitions

"Covered data" means all information required to be protected under the Gramm-Leach-Bliley Act (GLBA). "Covered data" also refers to financial information that the university, as a matter of policy, has included within the scope of this Information Security Program. Covered data includes information obtained from a student in the course of offering a financial product or service, or such information provided to the University from another institution. "Offering a financial product or service" includes offering student loans, receiving income tax information from a current or prospective student and their parents as part of a financial aid application, offering credit or interest-bearing loans, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information relating to such products or services are bank and credit card account numbers, income and credit histories, and social security numbers. "Covered data" consists of both paper and electronic records that are handled by the University or its affiliates.

III.       Roles and Responsibilities

The major responsibilities each party has in conjunction with the GLBA policy are as follows:

University Administrators.  Provosts and Senior Vice Presidents will allocate the appropriate level of administrative and financial resources required to support the implementation of the required control standards and GLBA processes referenced in this document.

The university administrator responsible for managing employees with access to "covered data" is responsible for ensuring protection of covered data through the application of the GLBA control standards and the required processes outlined in this document.

The university administrator will designate a responsible point of contact to work with the GLBA Program Coordinator to assist in implementing this program. The designated contact will ensure that risk assessments are carried out for that unit and that monitoring based upon those risks takes place. The designated responsible contact will report the status of their Information Security Program for covered data accessible in that unit to the Coordinator at least annually and more frequently where appropriate.

GLBA Program Coordinator. The GLBA Program Coordinator serves in the capacity to facilitate the GLBA compliance activities of the business units processing covered data. The coordinator assists business units in meeting their obligations and responsibilities associated with protecting covered data, and the corresponding policies and processes. Based upon the feedback collected from the business units, the coordinator will report on an annual basis the status of compliance, and communicate these findings to those with authority over the data.

University Counsel and the Internal Audit Department. Departmental compliance with this policy is subject to review by University Counsel and the Internal Audit Department.

Employees with Access to Covered Data. Employees with access to covered data must abide by University policies and procedures governing covered data, as well as any additional practices or procedures established by their unit heads or directors.

IV.        Protection Standards

The GLBA Control Standards have been developed in order to provide direction on the appropriate logical, administrative, and physical security controls to apply to GLBA Data. Therefore, GLBA university data will be protected by implementing the GLBA Control Standards.

Last updated 11/08/07
