


Computing and Information Technology

Gramm-Leach-Bliley Act Compliance Plan

Chapter 3415
Revised January 9, 2012

Table of Contents

.010 Purpose
.020 Scope
.030 Effective Date
.040 Authority
.050 Policy
.060 Definitions
.070 Roles and Responsibilities
.080 Information Security Program Elements
.090 Related Laws, Regulations, or Policies
.100 Questions/Waivers

.010 Purpose

This compliance plan ("Plan") describes K-State's safeguards to protect non-public, financial-related personal information ("covered information") in accordance with the requirements of the Gramm-Leach-Bliley Act of 1999 (GLBA). The GLBA Safeguards Rule, issued by the Federal Trade Commission (FTC), requires financial institutions, which the FTC has explicitly indicated include higher education institutions, to maintain an information security program that protects the confidentiality and integrity of personal information.

These safeguards are provided to:

  1. Ensure the security and confidentiality of covered information.
  2. Protect against anticipated threats or hazards to the security or integrity of such information.
  3. Protect against unauthorized access to or use of covered information that could result in substantial harm or inconvenience to any customer.

This Information Security Plan also provides for mechanisms to:

  1. Designate an employee or employees to coordinate the information security program.
  2. Identify and assess the internal and external risks that may threaten covered information maintained by K-State.
  3. Design and implement safeguards to control the identified risks.
  4. Oversee service providers, including third party contractors, to ensure appropriate safeguards for covered information are maintained.
  5. Periodically evaluate and adjust the information security program as circumstances change.

.020 Scope

This policy applies to all K-State colleges, departments, administrative units, affiliated organizations and third party contractors that create, access, store or manage covered information.

.030 Effective Date

Approved November 2004; revised November 2011.

.040 Authority

This plan responds to the Gramm-Leach-Bliley Act of 1999 that mandates protection of customer information, which for universities is primarily student financial information. See section .060 Definitions for a definition of information covered by this policy.

.050 Policy

The University will develop, implement and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect covered information.

.060 Definitions

Covered Information
Information that K-State has obtained from a customer (e.g., a student) in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.
Information Security Program
The administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle covered information.
Service Providers
Any person or entity that receives, maintains, processes, or otherwise is permitted access to covered information through its direct provision of services to the University.

.070 Roles and Responsibilities

Chief Information Security Officer (CISO)
The CISO is responsible for coordinating and overseeing all elements of K-State's information security program. The CISO will work with appropriate personnel from other offices as needed (such as the Registrar's Office, Internal Audit, and the Division of Financial Services) to ensure protection of covered information.

.080 Information Security Program Elements

  1. Risk Assessment

    Under the oversight of the CISO, risk and privacy assessments are performed for all information systems that house or access covered information. These risk and privacy assessments shall address unauthorized access, use, disclosure, disruption, modification and/or destruction of information or the information system itself. Further, the assessments shall identify known potential threats, the likelihood of their occurrence and the magnitude of the impact of those threats should they occur.

    Internal and external risks at K-State include, but are not limited to:

    1. Unauthorized access of covered information by persons within or outside the University
    2. Compromised system security as a result of human error, vulnerabilities, infection by malicious software, or unauthorized system access
    3. Interception of data during transmission
    4. Loss of data integrity
    5. Physical loss of data in a disaster
    6. Errors introduced into the system
    7. Corruption of data or systems
    8. Unauthorized access through hardcopy files or reports
    9. Unauthorized disclosure of covered information through third parties

    Risk and privacy assessments are used to determine the likelihood and magnitude of harm that could come to an information system, the affected individual(s), and ultimately the University itself in the event of a security breach. By determining the amount of risk that exists, the University shall determine how much of the risk should be mitigated and what controls should be used to achieve that mitigation.

    Both risk and privacy assessments shall be performed prior to, or if not practical, immediately after acquisition of an information system (in the event that the information system is owned/operated by the University) or prior to initial establishment of service agreements (in the event that the information system is owned/operated by a third party on behalf of the University). Further, the risk and privacy assessments shall be reviewed and, where required, updated after three years or whenever a significant change is made to the information system, whichever comes first.

    Risk assessment should include consideration of risks in each of the following operational areas, in accordance with the requirements of the GLBA:

    1. Employee training and management

      Prior to being granted access to covered information, new employees in positions that require access to covered information (e.g., positions in the Division of Financial Services, the Registrar's Office, and Student Financial Assistance) will receive training on the importance of confidentiality of student records, student financial information, and other types of covered information, and on the risks of failing to protect it appropriately. Furthermore, all employees receive annual training in general information technology security. Training also covers controls and procedures to prevent employees from disclosing confidential information to an unauthorized individual, whether through social engineering or through improper disposal of documents that contain covered information. All training will be reviewed and, where needed, updated at least annually.

      All new employees with access to covered information must pass a criminal background check as a condition of employment.

      Each department responsible for maintaining covered information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.

    2. Information systems

      Including network and software design, as well as information processing, storage, transmission, and disposal. See section .090 Related Laws, Regulations, or Policies for the policy framework that manages the risk related to information systems associated with covered information.

    3. Incident management

      Including detecting, preventing and responding to attacks, intrusions, or other systems failures. K-State's strategy for managing IT security incidents, including assessing risks, is described in the IT Security Incident Reporting and Response Policy and associated IT Security Incident Management.

  2. Designing and Implementing Safeguards

    Safeguards are necessary to mitigate and control the risks identified through risk assessment. Furthermore, the effectiveness of the safeguards' key controls, systems, and procedures should be regularly tested to ensure continued protection of covered information. The policy framework for K-State's information security program that governs the design, implementation, and maintenance of these safeguards is provided in section .090 Related Laws, Regulations, or Policies. Protection of covered information is explicitly encompassed by K-State's comprehensive information security program, which protects all K-State information and technology assets commensurate with the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of its information assets.

  3. Overseeing Service Providers

    In the process of choosing a service provider that will maintain or regularly access covered information, the selection and retention processes shall ensure the ability of the service provider to implement and maintain appropriate safeguards for covered information. Contracts with service providers may include the following provisions:

    1. An explicit acknowledgment that the contract allows the contract partner access to covered information.
    2. A specific definition or description of the covered information being provided.
    3. A stipulation that the covered information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
    4. An assurance that the contract partner will protect the covered information it receives according to commercially acceptable standards and no less rigorously than it protects its own covered information.
    5. A provision providing for the return or destruction of all covered information received by the contract provider upon completion or termination of the contract.
    6. An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles K-State to terminate the contract without penalty.
    7. A provision ensuring that the contract's confidentiality requirements shall survive any termination of the agreement.

  4. Program Evaluation and Adjustment

    The CISO will periodically review and adjust the information security program as it relates to the GLBA requirements, with input from the University's Security Incident Response Team (SIRT) and relevant stakeholders. Program evaluation should be based on results of testing and monitoring of security safeguard effectiveness and reflect changes in technology and/or operations, evolving internal and external threats, and any other circumstances that have a material impact on the information security program. The Office of General Counsel and the Chief Information Officer must review any recommended adjustments.

.090 Related Laws, Regulations, or Policies

.100 Questions/Waivers

The Chief Information Officer is responsible for this plan. The CIO or designee must approve any exception to this plan. Questions relating to this plan should be directed to K-State's Chief Information Security Officer.