Gramm-Leach-Bliley - University of Minnesota

Gramm-Leach-Bliley Act (GLBA)
Implementation of the Safeguards Rule
Information Security Program
University of Minnesota
(Adapted from the Federal Trade Commission website
and Purdue University materials.)
Preamble
The GLBA is in addition to other privacy laws.
The University must appropriately safeguard all
private financial and other information, regardless
of whether it is obligated to do so under the
GLBA.
In other words, the University’s focus should be to
protect all private data rather than to identify
which particular law applies (GLBA, HIPAA,
FERPA) in any given situation.
The University of Minnesota seeks to:
• Ensure the security and confidentiality of customer records and information, whether in paper, electronic or other form.
• Protect against any anticipated threats or hazards to the security or integrity of such records.
• Protect against unauthorized access to or use of any records or information which could result in substantial harm or inconvenience to any customer.
Training Objectives:
• Understand the applicability of GLBA and the Federal Trade Commission’s Safeguards Rule.
• Understand what “customer information” is protected and why.
• Understand the different types of safeguards.
• Understand the roles and responsibilities of all parties.
• Provide resources for additional questions.
What is GLBA?
• The Gramm-Leach-Bliley Act (GLBA) is a Federal law which requires “financial institutions” to ensure the security and confidentiality of the nonpublic personal information of customers.
• To the extent colleges and universities offer “financial products or services”, primarily student loan activities, they are considered covered financial institutions.
• The Federal Trade Commission (FTC) implemented GLBA by issuing two rules: the Privacy Rule and the Safeguards Rule.
• Colleges and universities are deemed in compliance with the Privacy Rule if they already comply with the Family Educational Rights and Privacy Act (FERPA).
• The University of Minnesota must take active steps to comply with the Safeguards Rule.
What is the FTC Safeguards Rule?
• Only applies to information about a consumer who is a “customer” of a financial institution (defined in the next slide).
• The Safeguards Rule requires “financial institutions” to develop an Information Security Program (ISP) that includes five required components:
  1. Designate a Program Coordinator (currently the Controller’s Office).
  2. Conduct a risk assessment to identify reasonably foreseeable internal and external risks.
  3. Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards.
  4. Oversee selection and retention of service providers who handle or maintain customer information, including a contractual requirement to safeguard the data.
  5. Evaluate and adjust the program in light of relevant circumstances and changes in the business.
What is “Customer Information”?
• Any record containing nonpublic personal information about a customer, obtained in connection with offering a “financial product or service”, that is handled or maintained by or on behalf of the University.
• Examples include:
  • Social Security numbers.
  • Bank account numbers.
  • Credit card account numbers.
  • Account balances; payment histories; credit ratings; income histories.
  • Driver’s license information.
  • Tax return information.
  • Personal data connected to financial data (name, address, birthday).
Customer Information (cont’d.)
• GLBA applies to customer information obtained in a variety of situations, including:
  • Information provided by the customer to obtain a financial product or service.
  • Information about a customer resulting from any transaction involving a financial product or service between the University and a customer.
  • Information otherwise obtained about a customer in connection with providing a financial product or service to the customer.
  • Nonpublic personal information received by a University department that does not directly provide a financial product or service.
    » Example: financial aid information handled or maintained by a college/unit that does not directly make student loans.
Examples of Activities Not Covered Under the University’s GLBA Security Plan:
• The following are examples of activities not subject to the GLBA.
  • Payments for merchandise.
  • Services that are not “financial services or products”:
    » health insurance;
    » facilities rentals;
    » administration of student health benefit plan;
    » transfer of retirement plan withholdings;
    » administration of employee retirement/benefit plans.
Information Security Program
• Coordinated by the Controller’s Office.
• Requires applicable departments/units to:
  • Name a contact person.
  • Conduct a risk assessment (guidance template provided).
  • Design, monitor and test safeguards.
  • Oversee service providers.
  • Evaluate and adjust safeguards in response to monitoring and testing activities and material changes that may affect the adequacy of current safeguards.
A Guidance Template and FTC compliance guide are available on the Controller’s Office website.
Risk Assessment
• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the safeguards currently in place to control these risks. The risk assessment should consider each relevant area of operations, at a minimum:
  • employee training and management,
  • information systems, including network and software design, information processing, storage, transmission and disposal, and
  • detecting, preventing and responding to attacks, intrusions or other systems failures.
Safeguards
• Design and implement safeguards to control risks identified in the Risk Assessment. Three types of safeguards must be considered:
  • Administrative
  • Physical
  • Technical
• Regularly test or monitor the effectiveness of the safeguards’ key controls, systems and procedures.
• Departments are responsible for ensuring adequate safeguards are in place within their area.
Examples of Administrative Safeguards*
• Administrative safeguards are generally within the direct control of a department and may include:
  • Checking references on potential employees.
  • Training employees on basic steps they must take to protect customer information.
  • Ensuring that employees are knowledgeable about applicable policies and expectations.
  • Limiting access to customer information to employees who have a business need to see it.
  • Reducing exposure to the Safeguards Rule by requesting customer information only when it is required to conduct departmental activities.
  • Imposing disciplinary measures where appropriate.
* Examples are for illustrative purposes only. Each department must identify safeguards relevant to their situation.
Examples of Physical Safeguards
• Physical safeguards are also generally within a department’s control and may include:
  • Locking rooms and file cabinets where customer information is kept.
  • Using password-activated screensavers.
  • Using strong passwords.
  • Changing passwords periodically and not sharing or writing them down.
  • Encrypting sensitive customer information transmitted electronically.
  • Referring calls or requests for customer information to staff trained to respond to such requests.
  • Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.
Physical Safeguards (cont’d.)
  • Ensuring that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods.
  • Storing records in a secure area and limiting access to authorized employees.
  • Disposing of customer information appropriately:
    » Designate a trained staff member to supervise the disposal of records containing customer personal information.
    » Shred or recycle customer information recorded on paper, and store it in a secure area until the recycling service picks it up.
    » Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contains customer information.
    » Promptly dispose of outdated customer information within record retention policies.
Examples of Technical Safeguards
• Technical safeguards are generally the responsibility of central OIT personnel or departmental computing staff. Departments, however, should be knowledgeable about how their electronic customer information is safeguarded. If additional controls are warranted, departments should work with OIT to improve safeguards.
• Departments are responsible for alerting OIT to the existence of customer information on networks.
Technical Safeguards (cont’d.)
• Technical safeguards include:
  • Storing electronic customer information on a secure server that is accessible only with a password or other access controls, and that is kept in a physically secure area.
  • Avoiding storage of customer information on machines with an Internet connection.
  • Maintaining secure backup media and securing archived data.
  • Using anti-virus software that updates automatically.
  • Obtaining and installing patches that resolve software vulnerabilities.
  • Following written contingency plans to address breaches of safeguards.
  • Maintaining up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home.
  • Providing central management of security tools and keeping employees informed of security risks and breaches.
Specific Technical Safeguards re: Guidelines for Providing Secure Data Transmission
• If you collect credit card information or other sensitive financial data, use Transport Layer Security (TLS, the successor to the older Secure Sockets Layer, SSL) or another secure connection so that the information is encrypted in transit.
• If you collect information directly from consumers, make secure transmission automatic rather than optional. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail.
• If you must transmit sensitive data by electronic mail, encryption, although difficult to do, is necessary.
Specific Technical Safeguards re: Managing System Failures
• Effective security management includes the prevention, detection and response to attacks, intrusions and other system failures, including the steps mentioned earlier and:
  » Backing up data regularly and storing backup information offsite.
  » Imaging documents.
  » Shredding paper copies after imaging.
  » Other reasonable measures to protect the integrity and safety of information systems.
Oversee Service Providers
• Managers must only hire and retain service providers who are capable of safeguarding the customer data they handle or maintain on behalf of the University.
• Managers who have concerns about an existing service provider should contact OGC.
• The University Purchasing department requires service providers who handle or maintain customer data and have contracts > $50,000 to complete a GLBA form verifying compliance with the Safeguards Rule.
• OGC can assist departments with contract language to require Safeguards Rule compliance by service providers with contracts under that threshold.
Evaluate and Adjust Your Safeguards
• Evaluate and adjust safeguards and practices in light of the results of:
  • System testing and monitoring.
  • Material changes to operations or business arrangements.
  • Any other circumstance that you know or have reason to know may have a material impact on your safeguards.
Roles and Responsibilities:
• Information Security Program Coordinator
  • Maintain the primary Information Security Program document for the University.
  • Evaluate and adjust the Information Security Program based on annual compliance certification information from colleges and major administrative units, and as conditions change.
  • Provide training and support documents to assist colleges and administrative units to comply with the Safeguards Rule.
  • Submit an annual report to the Controller on the status of the Information Security Program, noting any changes to the Program. The Coordinator will include a current list of colleges and major administrative units and identify concerns or gaps in compliance noted on annual compliance certification forms.
Roles and Responsibilities (cont’d.):
• RRC Managers:
  • Designate a key contact to work with the ISP Coordinator on all GLBA Safeguards Rule matters.
  • Ensure that the key contact carries out periodic risk assessments and monitors the identified risks in your area.
  • Establish and adhere to policies, standards and guidelines for the safeguarding of private data, and ensure that employees with access to covered data do the same.
  • Ensure that new employees are made aware of the University’s Information Security Program and its safeguarding requirements.
• Employees with Access to Covered Data:
  • Adhere to policies, standards and guidelines for the safeguarding of private data.
Roles and Responsibilities (cont’d.):
• Chief Information Officer:
  • Designate individuals who have responsibility and authority for information technology resources.
  • Establish and disseminate rules regarding access to and acceptable use of information technology resources.
  • Establish reasonable security measures to protect data and systems.
  • Monitor and manage system resource usage.
  • Investigate problems and alleged violations of information technology policies.
  • Refer violations to appropriate University offices (Office of General Counsel; University Police Department).
Resources
University Resources:
• Controller’s Office website
• Public Access to University Information
• Internal Access to University Information
• Acceptable Use of Information Technology Resources
• Financial Data and Systems Security
• Managing Student Records
• Securing Private Data, Computers, and Other Electronic Devices
• Managing University Records and Information
Federal Trade Commission Resources:
• Complying with the Safeguards Rule
Key Contacts
• Your department manager for specific procedural questions in your area.
• The Controller’s Office for questions on applicability of the GLBA Safeguards Rule to your situation:
  Contact [email protected] or 612-624-1617
• OIT for help with computer security issues:
  Contact [email protected] or 1-HELP (1-4357)