Gramm-Leach-Bliley Act (GLBA) Safeguards Rule Information Security Program Training, July 28th, 2021

Page 1: Gramm-Leach-Bliley Act (GLBA)

Gramm-Leach-Bliley Act (GLBA)Safeguards Rule

Information Security Program Training

July 28th, 2021

Page 2: Gramm-Leach-Bliley Act (GLBA)

Agenda

• GLBA Overview
• Safeguards Rule Requirements
• Check Your Knowledge
• College Program Coordinator
• Additional Resources

Page 3: Gramm-Leach-Bliley Act (GLBA)

GLBA Overview

Page 4: Gramm-Leach-Bliley Act (GLBA)

Gramm-Leach Bliley Act (GLBA)

Federal law which requires financial institutions, including institutions of higher education, to develop, implement and maintain administrative, technical and physical safeguards to protect the security, integrity and confidentiality of customer information.

Regulations include a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314).

Compliance with GLBA is required under the University's Federal Program Participation Agreement, and therefore a requirement in order to receive federal financial aid funds.

Enforced by the Federal Trade Commission (FTC).

Page 5: Gramm-Leach-Bliley Act (GLBA)

Key Terms

Covered Data means (i) non-public personal identifiable (NPI) financial information about a Customer and (ii) any list, description, or other grouping of Customers (and publicly available information pertaining to them) that is derived using any non-public personal financial information. Covered Data is subject to the protections of GLBA, even if the Customer ultimately is not awarded any financial aid or provided with a credit extension. Covered Data includes such information in any form, including paper and electronic records. Examples include Social Security Number (SSN), credit card account numbers, bank account number, income and credit history, and information derived from personally identifiable financial information.

Customer means any individual (student, parent, faculty, staff, or other third party with whom the University interacts) who receives a Financial Service from the University for personal, family or household reasons that results in a continuing relationship with the University.

Financial Service includes offering or servicing student and employee loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, engaging in debt collection activities, and leasing real or personal property to individuals for their benefit.

Service Providers means any person or entity that receives, maintains, processes, or otherwise is permitted access to Covered Data through its direct provision of services to the University.

Financial Institution means any institution that significantly engages in financial activities. CUNY significantly engages in and provides financial services to students. As such, CUNY falls within the definition of "financial institution" under GLBA and must comply with the law's requirements.

Page 6: Gramm-Leach-Bliley Act (GLBA)

Financial Institution - CUNY

CUNY significantly engages in and provides financial services to students. As such, CUNY falls within the definition of "financial institution" under GLBA and must comply with the law's requirements.

Examples of CUNY Financial Services:

• Student loans, including receiving applications and the making and servicing of loans
• Receiving parent income tax returns
• Collection of delinquent loans

Page 7: Gramm-Leach-Bliley Act (GLBA)

Risks of Non-Compliance

Administrative enforcement action may be brought against any financial institution for non-compliance.

Inability to receive federal financial aid funds.

Page 8: Gramm-Leach-Bliley Act (GLBA)

GLBA Regulations

GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions.

Page 9: Gramm-Leach-Bliley Act (GLBA)

Privacy Rule

According to the FTC, Colleges or Universities that are in compliance with the Federal Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g) and are also financial institutions shall be deemed to be in compliance with GLBA’s Privacy Rule (16 CFR 313.1).

The University’s FERPA policy addresses the FTC’s requirements relating to the Privacy Rules.

Page 10: Gramm-Leach-Bliley Act (GLBA)

Safeguards Rule

Unlike the Privacy Rule, the FTC has not made any exceptions to the Safeguards Rule; therefore, all Colleges or Universities must comply with each requirement.

The Safeguards Rule requires all financial institutions to develop an Information Security Program designed to protect customer financial information (Covered Data). Examples include:

• Social Security Number (SSN)
• Credit card account numbers
• Income and credit history
• Bank account information
• Tax return
• Names, addresses and telephone numbers derived from personally identifiable financial information (e.g., names of students with outstanding loans)

Page 11: Gramm-Leach-Bliley Act (GLBA)

Safeguards Rule Objectives

The objectives of the Safeguards Rule are to:

• Ensure the security and confidentiality of covered data,
• Protect against any anticipated threats or hazards to the security or integrity of such information, and
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Page 12: Gramm-Leach-Bliley Act (GLBA)

Safeguards Rule Requirements

Page 13: Gramm-Leach-Bliley Act (GLBA)

Safeguards Rule Requirements

1. Designate an employee(s) to coordinate the program
2. Identify and assess risks to Covered Data
3. Design and implementation of safeguards
4. Oversee service providers and contracts
5. Program review and revision

Page 14: Gramm-Leach-Bliley Act (GLBA)

1. Designate an Employee(s) to Coordinate the Program

The Central Office of Budget and Finance, led by SVC Sapienza, and the Central Office of Computing and Information Systems, led by VC Brian Cohen, are the program coordinators and are responsible for:

• Administering CUNY’s Information Security Program
• Serving as a resource and liaison with the colleges
• Disseminating relevant information and updates

Local college program coordinators have been designated by the college presidents.

Page 15: Gramm-Leach-Bliley Act (GLBA)

2. Identify and Assess Risks to Covered Data

CUNY’s data owners and custodians shall actively seek to identify and address all potential technology security risks associated with Covered Data. Since technology changes over time, new risks may arise.

University cybersecurity and IT staff monitor advisories, alerts and threat intelligence from a variety of sources, including vendors, trusted cybersecurity communities such as the MS-ISAC and REN-ISAC, the U.S. Department of Homeland Security, the Federal Bureau of Investigation and public media reports, in order to identify new risks.

CUNY’s Office of Risk, Audit and Compliance shall incorporate continuous monitoring and identification of security risks and controls into its Annual Risk Assessment/Internal Control Review process.

The risk assessment should include consideration of risks in each relevant area of the institution's operations, including:

Page 16: Gramm-Leach-Bliley Act (GLBA)

2. Identify and Assess Risks to Covered Data (Cont’d)

Example of Risk Assessment: (figure not reproduced in transcript)

Page 17: Gramm-Leach-Bliley Act (GLBA)

2. Identify and Assess Risks to Covered Data (Cont’d)

Examples of internal and external risks associated with the protection of Covered Data:

• Compromised system security as a result of unauthorized requests for or access to Covered Data (both paper and electronic data)

• Unauthorized release of Covered Data by third parties contracted by the University

• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster
• Corruption of data or systems
• Unauthorized/unsecured disposal of Covered Data

Page 18: Gramm-Leach-Bliley Act (GLBA)

3. Design and Implementation of Safeguards

The Safeguards Rule requires that all financial institutions implement an Information Security Program to safeguard Covered Data.

The Information Security Program has four components:

A. Employee Training and Management
B. Information System Security
C. Safeguarding Paper and Electronic Records
D. Disposal of Records

Page 19: Gramm-Leach-Bliley Act (GLBA)

3A. Employee Training and Management

CUNY staff in all departments that collect, retain, access, transmit or dispose of Covered Data shall receive a copy of the Gramm-Leach Bliley Act (GLBA) Financial Information Security Program Policy and the Safeguards Rule Training.

Each department director will distribute these documents to current employees and clarify how they relate to the department.

These documents will be part of new staff orientation, including transfer employees.

College Program Coordinators will ensure that each department director is aware of these responsibilities.

The University and College Program Coordinators will arrange for training as needed.

Some examples include:

• Training staff on basic steps they must take to protect Covered Data
• Ensuring staff are knowledgeable about applicable policies and expectations
• Limiting access to Covered Data to employees who have a business reason to have such information

Page 20: Gramm-Leach-Bliley Act (GLBA)

3B. Information System Security

Access to Information

Access to Covered Data through University and College networks, enterprise and stand-alone systems shall be limited to those employees who have a “strict need to know,” consistent with the individual's job responsibilities, per CUNY IT Security Procedures (§II.3.(a)).

Each employee with access to Covered Data is assigned a unique user name and password.

All databases and imaged documents containing Covered Data must be appropriately protected, including use of password or other authentication, encryption and other access restrictions as appropriate.

Page 21: Gramm-Leach-Bliley Act (GLBA)

3B. Information System Security (Cont’d)

Security and Integrity of Records

To the extent reasonably available, the University utilizes industry-standard protocols and cybersecurity technologies, including:

• firewalls
• intrusion prevention
• encryption
• anti-malware
• email security
• restricted physical access to its data centers

To protect the University's digital assets, everyone’s participation is required, in consultation with CUNY and College information technology departments, to ensure that reasonable and appropriate steps are taken to protect Covered Data and to safeguard the integrity of records in storage and transmission.

These steps include maintaining operating systems and applications, applying security-related updates in a timely manner after appropriate testing, and reviewing overall protections on an ongoing basis.

Page 22: Gramm-Leach-Bliley Act (GLBA)

3C. Safeguarding Paper and Electronic Records

Access to Covered Data shall be limited to those employees who have a job responsibility to have access to such information.

Reasonable care needs to be exercised for the safekeeping of records. Supervisory staff should periodically monitor the effectiveness of these safeguards to ensure they are working as intended. Some examples include:

• Securing physical records by locking file cabinets and offices when not in use
• Not leaving Covered Data unattended and unsecured
• Referring calls or requests for Covered Data to staff trained to respond to such requests
• Being alert to fraudulent attempts to obtain Covered Data and reporting these to management
• Ensuring that storage areas are protected against destruction or potential damage from physical hazards, such as fire or floods

Page 23: Gramm-Leach-Bliley Act (GLBA)

3C. Safeguarding Paper and Electronic Records (Cont’d)

• Password protect computers and systems with access to Covered Data and log off when access is no longer needed
• Secure computer records by not sharing your username or password with anyone
• Shut down and turn off computers at the end of each day where possible (when working remotely, this may not be possible)
• Use password-activated screensavers
• Use strong passwords, change them periodically and do not write them down
• Encrypt Covered Data when transmitting or storing it electronically
• Monitor systems for actual or attempted attacks, intrusions, or other system failures
• Store electronic Covered Data on a secure server that is accessible only with a password or has other security protections and is kept in a physically secure area

Page 24: Gramm-Leach-Bliley Act (GLBA)

3C. Safeguarding Paper and Electronic Records (Cont’d)

• Maintain secure backup media and secure archived data
• Use anti-virus software that updates automatically
• Obtain and install patches that resolve software vulnerabilities
• Follow written contingency plans to address breaches of safeguards
• Maintain up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home
• Provide central management of security tools and keep employees informed of security risks and breaches
• Comply with other applicable University policies and procedures, including, but not limited to:
  • CUNY’s Information Security Policies & Procedures
  • CUNY’s Records Retention Schedule

Page 25: Gramm-Leach-Bliley Act (GLBA)

3D. Disposal of Records

Stored records containing Covered Data shall be maintained only until they become inactive or are no longer required under applicable rules and regulations.

When no longer active or required, records shall be destroyed in accordance with CUNY’s Records Retention Schedule governing the disposition of such records.

Paper records that are no longer required to be kept by the University shall be shredded using a cross cut shredder or other means so that the information cannot be read or reconstructed.

Per §III.14 of CUNY’s General IT Security Procedures Policy, whenever records containing Non-Public University Information are subject to destruction under the CUNY Records Retention and Disposition Schedule, the information on the storage devices must be securely overwritten or the devices physically destroyed in a manner that prevents unauthorized disclosure. Users should contact their campus help desk for assistance with this destruction.

The designated Records Retention Officer at the University and at each College is responsible for administering a records management program, and should be consulted with any questions about the disposition status of records.

Page 26: Gramm-Leach-Bliley Act (GLBA)

4. Oversee Service Providers and Contracts

Under the Safeguards Rule, CUNY is required to select and contract with service providers who will maintain safeguards to protect Covered Data and oversee their handling of the Covered Data.

Service providers who will collect, store and/or otherwise use or have access to University Covered Data must comply with applicable legal requirements and the University’s requirements regarding protection of the Covered Data. Offices and departments wishing to contract for a service in which the provider will use or access Covered Data shall ensure that college procurement is aware that Covered Data will be involved, so that the appropriate security review is included in the procurement process and appropriate privacy and security language is included in the contract with the service provider.

One part of the security review of a potential service provider could be to require the service provider to provide a Service Organization Control report (SOC report) as part of its proposal. These reports are developed by the American Institute of Certified Public Accountants (AICPA) and can provide information about controls related to security, processing integrity, confidentiality and privacy that can be helpful when evaluated in conjunction with an internal risk assessment.

Colleges should inventory existing contracts with service providers who use or access Covered Data to confirm that such contracts contain appropriate privacy and information security language. The University Office of the General Counsel can be helpful in analyzing contract language.

Page 27: Gramm-Leach-Bliley Act (GLBA)

5. Program Review and Revision

The Safeguards Rule mandates periodic review and revision of the Information Security Program.

• On an ongoing basis the Information Security Officer at the University and at each college keeps abreast of emerging threats and changes in technology and recommends necessary adjustments to cybersecurity infrastructure, policies and procedures to mitigate new risks.

• Each college program coordinator shall work with CUNY’s Office of Risk, Audit and Compliance / Computing and Information Services to reassess annually the other processes covered by the Information Security Program.

Page 28: Gramm-Leach-Bliley Act (GLBA)

5. Program Review and Revision (Cont’d)

Annual Assessment

The annual assessment will be accomplished primarily through the annual Risk Assessment coordinated through CUNY’s Office of Risk, Audit and Compliance.

Completion of the Risk Assessment will require collaboration between multiple entities on the campus, typically the business office and the IT area. Each will have parts of their own operations to assess, and will submit a Report indicating issues such as:

• Changes or modifications to the existing systems of internal control
• Status of planned improvements
• Types of control testing
• Any applicable corrective changes

Page 29: Gramm-Leach-Bliley Act (GLBA)

Test Your GLBA Knowledge

Page 30: Gramm-Leach-Bliley Act (GLBA)

Question #1: According to the GLBA, CUNY must protect covered data that is printed on paper.

Page 31: Gramm-Leach-Bliley Act (GLBA)

Question #2: According to the GLBA, CUNY must protect covered data that is maintained electronically.

Page 32: Gramm-Leach-Bliley Act (GLBA)

Question #3: An employee should place paper listings of covered data in campus trash when they no longer use the information.

Page 33: Gramm-Leach-Bliley Act (GLBA)

Question #4: If covered data is stolen, then an employee should keep this occurrence to themselves so as not to cause disruption to CUNY.

Page 34: Gramm-Leach-Bliley Act (GLBA)

Question #5: If an employee believes that covered data has been or may be inappropriately released, then the employee should contact the Information Security Program Coordinator for his/her college.

Page 36: Gramm-Leach-Bliley Act (GLBA)

College Program Coordinators

Page 37: Gramm-Leach-Bliley Act (GLBA)

College Program Coordinators

Help departments that collect, retain, access, transmit or dispose of Covered Data to implement the program

Help identify risks to security, confidentiality and integrity of Covered Data

Distribute relevant information, updates and training materials

Participate in the Annual Risk Assessment

Assure that Department Directors are aware of their responsibilities

Review the Information Security Program and make suggestions for changes and additions to the program

Page 38: Gramm-Leach-Bliley Act (GLBA)

Additional Resource

Page 39: Gramm-Leach-Bliley Act (GLBA)

Additional Resources

https://www.ftc.gov/tips-advice/business-enter/privacy-and-security/gramm-leach-bliley-act

CUNY Resources:

https://Security.cuny.edu
https://www2.cuny.edu/about/administration/offices/cis/information-security/security-policies-procedures
https://www2.cuny.edu/website/privacy-policy

Page 40: Gramm-Leach-Bliley Act (GLBA)

Questions?