
Gramm-Leach-Bliley Act Compliance Plan

Chapter 3415

Revised January 9, 2012

Table of Contents

.010 Purpose

.020 Scope

.030 Effective Date

.040 Authority

.050 Policy

.060 Definitions

.070 Roles and Responsibilities

.080 Information Security Program Elements

.090 Related Laws, Regulations, or Policies

.100 Questions/Waivers


.010 Purpose

This compliance plan ("Plan") describes Kansas State University's safeguards to protect non-public, financial-related personal information ("covered information") in accordance with the requirements of the Gramm-Leach-Bliley Act of 1999 (GLBA). The Safeguards Rule of the GLBA, as defined by the Federal Trade Commission (FTC), requires financial institutions, which the FTC explicitly indicated includes higher education institutions, to have an information security program to protect the confidentiality and integrity of personal information.

These safeguards are provided to:

This Information Security Plan also provides for mechanisms to:

.020 Scope

This policy applies to all University colleges, departments, administrative units, affiliated organizations and third party contractors that create, access, store or manage covered information.

.030 Effective Date

Approved November 2004; revised November 2011.

.040 Authority

This plan responds to the Gramm-Leach-Bliley Act of 1999 that mandates protection of customer information, which for universities is primarily student financial information. See section .060, Definitions, for a definition of information covered by this policy.

.050 Policy

The University will develop, implement and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect covered information.

.060 Definitions

  1. Covered Information - information that K-State has obtained from a customer (e.g., a student) in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

  2. Information Security Program - the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle covered information.

  3. Service Providers - any person or entity that receives, maintains, processes, or otherwise is permitted access to covered information through its direct provision of services to the University.

.070 Roles and Responsibilities

  1. Chief Information Security Officer (CISO) - the CISO is responsible for coordinating and overseeing all elements of K-State's information security program. The CISO will work with appropriate personnel from other offices as needed (such as the Registrar's Office, Internal Audit, and the Division of Financial Services) to ensure protection of covered information.

.080 Information Security Program Elements

  1. Risk Assessment
    Under the oversight of the CISO, risk and privacy assessments are performed for all information systems that house or access covered information. These risk and privacy assessments shall address unauthorized access, use, disclosure, disruption, modification and/or destruction of information or the information system itself. Further, the assessments shall identify known potential threats, the likelihood of their occurrence and the magnitude of the impact of those threats should they occur.

    Internal and external risks at K-State include, but are not limited to:

    Risk and privacy assessments are used to determine the likelihood and magnitude of harm that could come to an information system, the affected individual(s), and ultimately the University itself in the event of a security breach. By determining the amount of risk that exists, the University shall determine how much of the risk should be mitigated and what controls should be used to achieve that mitigation.

    Both risk and privacy assessments shall be performed prior to, or if not practical, immediately after acquisition of an information system (in the event that the information system is owned/operated by the University) or prior to initial establishment of service agreements (in the event that the information system is owned/operated by a third party on behalf of the University). Further, the risk and privacy assessments shall be reviewed and, where required, updated after three years or whenever a significant change is made to the information system, whichever comes first.

    Risk assessment should include consideration of risks in each of the following operational areas, in accordance with the requirements of the GLBA:

    1. Employee training and management
      Prior to being granted access to covered information, new employees in positions that require access to covered information (e.g., positions in the Division of Financial Services, Registrar, and Student Financial Assistance) will receive training on the importance of confidentiality of student records, student financial information, and other types of covered information, and the risks of not providing appropriate protection. Furthermore, all employees receive annual training in general information technology security. Training also covers controls and procedures to prevent employees from providing confidential information to an unauthorized individual through social engineering or improper disposal of documents that contain covered information. All training will be reviewed and, where needed, updated at least annually.

      All new employees with access to covered information must pass a criminal background check as a condition of employment.

      Each department responsible for maintaining covered information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.

    2. Information systems, including network and software design, as well as information processing, storage, transmission, and disposal. See section ".090 Related Laws, Regulations, or Policies" below for the policy framework that manages the risk related to information systems associated with covered information.

    3. Incident management, including detecting, preventing and responding to attacks, intrusions, or other systems failures. K-State's strategy for managing IT security incidents, including assessing risks, is described in the "IT Security Incident Reporting and Response Policy" and associated "IT Security Incident Management Procedures".

  2. Designing and Implementing Safeguards
    Safeguards are necessary to mitigate and control the risks identified through risk assessment. Furthermore, the effectiveness of safeguards' key controls, systems, and procedures should be regularly tested to ensure continued protection of covered information. The policy framework for K-State's information security program that governs the design, implementation, and maintenance of these safeguards is provided in section ".090 Related Laws, Regulations, or Policies" below. Protection of covered information is explicitly encompassed by K-State's comprehensive information security program that protects all K-State information and technology assets, commensurate with the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of its information assets.

  3. Overseeing Service Providers
    In the process of choosing a service provider that will maintain or regularly access covered information, the selection and retention processes shall ensure the ability of the service provider to implement and maintain appropriate safeguards for covered information. Contracts with service providers may include the following provisions:

    1. An explicit acknowledgment that the contract allows the contract partner access to covered information;

    2. A specific definition or description of the covered information being provided;

    3. A stipulation that the covered information will be held in strict confidence and accessed only for the explicit business purpose of the contract;

    4. An assurance that the contract partner will protect the covered information it receives according to commercially acceptable standards and no less rigorously than it protects its own covered information;

    5. A provision providing for the return or destruction of all covered information received by the contract provider upon completion or termination of the contract;

    6. An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles K-State to terminate the contract without penalty; and

    7. A provision ensuring that the contract's confidentiality requirements shall survive any termination of the agreement.

  4. Program Evaluation and Adjustment
    The CISO will periodically review and adjust the information security program as it relates to the GLBA requirements, with input from the University's Security Incident Response Team (SIRT) and relevant stakeholders. Program evaluation should be based on results of testing and monitoring of security safeguard effectiveness and reflect changes in technology and/or operations, evolving internal and external threats, and any other circumstances that have a material impact on the information security program. The Office of General Counsel and the Chief Information Officer must review any recommended adjustments.

.090 Related Laws, Regulations, or Policies

  1. Operations and Management Security Policy

  2. Collection, Use and Protection of Social Security Numbers

  3. Identity Theft Prevention per the Federal Trade Commission's Red Flag Rules

  4. System Development and Maintenance Security Policy

  5. Physical and Environmental Security Policy

  6. Access Controls Security Policy

  7. IT Security Incident Reporting and Response Policy

  8. IT Security Incident Management Procedures

  9. Data Classification and Security Policy

  10. Media Sanitization and Disposal Policy

.100 Questions/Waivers

The Chief Information Officer (CIO/VP-ITS) is responsible for this plan. The CIO or designee must approve any exception to this plan. Questions relating to this plan should be directed to K-State's Chief Information Security Officer.

Kansas State University
January 18, 2012