Purpose
The Gramm-Leach-Bliley Act (GLBA), as enforced by the Federal Trade Commission (FTC), along with agreements between the University and the United States Department of Education, require the University to ensure the security, integrity, and confidentiality of covered information and data, including student financial aid records and information. GLBA has requirements for both security and for privacy. The University is responsible for ensuring the security of information as outlined in the Act, and is considered in compliance with the privacy provision of GLBA via compliance with the Family Educational Rights and Privacy Act (FERPA).
Policy
This policy establishes the Information Security Program (Program), designed to ensure that administrative, technical, and physical safeguards are implemented by The University of Alabama to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle covered data and information in compliance with the FTC's Safeguards Rule under the GLBA. The Program provides the following elements:
1. A qualified individual serves as the program coordinator who is responsible for overseeing, implementing and enforcing the University Program.
2. Risk assessments identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
3. Safeguards are designed and implemented to control the risks identified through risk assessments.
4. The Program’s safeguards, key controls, systems and procedures, including those to detect actual and attempted attacks on or intrusions into information systems, are monitored and tested regularly.
5. Policies and procedures ensure personnel are able to enact the Program.
6. Oversight of service providers is maintained.
7. The Program is evaluated and adjusted based on the results of the testing and monitoring performed pursuant to item number 4 above and any other material impact to the Program.
8. The University’s Incident Response Plan is used to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the University's control.
9. A qualified individual provides a written report to the GLBA Executive Committee.
Program Coordinator – Chief Information Security Officer (CISO)
The CISO serves as the designated individual who oversees, implements and enforces the Program through the GLBA Working Committee. The GLBA Security Program’s Working Committee oversees and helps to execute the implementation and management of the Security Program.
GLBA Working Committee
The GLBA Working Committee consists of the Director of Student Financial Aid, the Associate Director of Business Operations for Student Financial Aid, the Director of Student Account Services, the Assistant Director of Compliance and Data Analysis with Student Account Services, representatives from the Office of Counsel, the Executive Director of Institutional Compliance, the Director of Compliance Programs, representatives from the Office of Internal Audit, and the Chief Information Security Officer (CISO) or their designees. The GLBA Working Committee, under the direction of the Chief Information Security Officer, executed the implementation of the GLBA Security Program.
GLBA Executive Committee
The GLBA Executive Committee consists of the Chief Administrative Officer, the Provost, the Vice President of Finance, the Vice Provost and Chief Information Officer, the Chief University Counsel, and/or their designees. The GLBA Working Committee will meet periodically with the GLBA Executive Committee to review and provide updates on the security program report.
Risk Assessments
The Program maintains a risk register that identifies reasonably foreseeable internal and external risks to the security, confidentiality, integrity and availability of the University's information systems and covered data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
The risk assessment process includes:
- Criteria for the evaluation and categorization of identified security risks or threats faced by the organization;
- Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats; and
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
Periodically, additional risk assessments are performed to reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and reassess the sufficiency of current safeguards in place to control these risks.
Safeguards
Safeguards have been designed and implemented to control the risks identified through the risk assessment. These safeguards include the following:
- Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to (a) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information and (b) limit authorized users’ access only to customer information that is necessary to perform their duties and functions;
- Identifying and managing the data, personnel, devices, systems, and facilities that enable the University to achieve its business purposes in accordance with their relative importance to business objectives and risk strategy;
- Encrypting all customer information held or transmitted both in transit over external networks and at rest. If the GLBA working committee determines that the encryption of customer information, either in transit over external networks or at rest, is not feasible, then the University may instead secure such customer information using effective alternative compensating controls as reviewed and approved by the CISO;
- Using secure development practices for in-house developed applications utilized by the University for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications utilized to transmit, access, or store customer information;
- Implementing multi-factor authentication for all individuals accessing any information system, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls;
- Following the developed, implemented, and maintained procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained;
- Periodically reviewing the retention policy to minimize the unnecessary retention of data;
- Following the University’s adopted procedures for change management; and
- Utilizing the implemented policies, procedures and controls designed to monitor and log the activity of authorized users and detect unauthorized access to, use of, or tampering with customer information by such users.
Monitor Effectiveness of Safeguards
The above-referenced safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems shall be regularly tested or otherwise monitored for their effectiveness.
For information systems, the monitoring and testing includes continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the University shall conduct:
- Annual penetration testing of its information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
- Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in information systems based on the risk assessment, at least every six months, whenever there are material changes to operations or business arrangements, and whenever there are circumstances that may have a material impact on the information security program.
Policies and Procedures
Policies and procedures are implemented to ensure that personnel are able to enact the University’s information security program by:
- Providing personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
- Utilizing the Office of Information Technology’s (OIT) qualified information security personnel to manage the information security risks and to perform or oversee appropriate aspects of the information security program;
- Providing information security personnel with security updates and training sufficient to address relevant security risks; and
- Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
Service Providers
The University shall oversee service providers, if any, by:
- Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information;
- Contractually requiring the University’s service providers to implement and maintain such safeguards; and
- Periodically assessing the University’s service providers based on the risk they present and the continued adequacy of their safeguards.
Evaluate and Adjust Security Program
The Program will be evaluated and adjusted based on the testing and monitoring of the effectiveness of the safeguards, any material changes to the University’s operations or business arrangements, the results of risk assessments performed, or any other circumstances that may have a material impact on the University’s information security program.
Incident Response
The University’s incident response plan has been established, written, and designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control. The incident response plan addresses the following areas:
- The goals of the incident response plan;
- The internal processes for responding to a security event;
- The definition of clear roles, responsibilities and levels of decision-making authority;
- External and internal communications and information sharing;
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- Documentation and reporting regarding security events and related incident response activities; and
- The evaluation and revision as necessary of the incident response plan following a security event.
GLBA Executive Committee Reporting
The CISO will report in writing, regularly and at least annually, to the GLBA Executive Committee. The report shall include the following information:
- The overall status of the information security program and the University’s compliance with this Policy; and
- Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.
Definitions
Covered data and information: Covered data and information for the purpose of this Program includes personal, non-public financial information (defined below) that is protected under the GLBA. Covered data and information include both paper and electronic records.
Personal, non-public financial information: Information that The University of Alabama has obtained from a student or customer in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include the name of a student or student’s family members and their addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers, in both paper and electronic format.
Scope
The GLBA Information Security Program should be observed by students, faculty, staff, and contractors/suppliers.