4.7.1 – The Gramm-Leach-Bliley Act (GLBA) Safeguard Policy
POLICY: It is the policy of Spoon River College (SRC) to be in full compliance with The Gramm-Leach-Bliley Act (GLBA) as it relates to the impact of financial institutions; the Privacy Rule and the Safeguards Rule. Colleges and universities are considered to be financial institutions under GLBA. GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which are enforced by the Federal Trade Commission (FTC) for higher education institutions. Colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). (see Policy 9.1.4).
This policy applies to Spoon River College students and all college employees, including, but not limited to faculty, staff, consultants, or other third-party representative. The policies also apply to all individuals, whether authorized or not, who use the College’s Information Systems from any location. Use of SRC information systems, even when carried out on a privately-owned computer that is not managed or maintained by College, is governed by these policies
Compliance requirements: In order to be considered compliant with the Safeguards Rule, financial institutions must:
Conduct ongoing risk assessments of all areas of operation where CSI is used.
Design and implement a safeguards program to protect all CSI owned or entrusted to the College. This includes regular monitoring of these safeguards.
Select appropriate service providers when those service providers work with the College’s CSI.
Regularly evaluate and adjust the Information Security Program in light of changes in the College environment.
Provide ongoing training to employees on the proper handling of CSI.
Employees are required to change their password every 365 days using Microsoft’s complex password requirements.
Off-campus access to Spoon River College network resources is available via Virtual Private Network (VPN). by request only. Request for VPN access must be submitted to the IT help desk.
The College’s online services are protected by multifactor authentication (MFA) as required by the law.
Mitigation of Risks: Spoon River College (SRC) continuously assesses the potential risks (internal and external) to its Confidential and Sensitive Information (CSI). The College has taken the following steps to mitigate these risks:
A network firewall with Intrusion detection and prevention (IDP) has been implemented and is continuously monitored and adjusted.
Anti-virus software with Intercept X (advance detection) is running on all workstations and servers and is regularly updated. The updates are controlled at the network domain level.
Microsoft updates are performed regularly on all server and workstation operating systems as well as Microsoft Office applications.
An enterprise spam filtering software solution is in place to drastically reduce the amount of spam email and provide protection against malicious email that enters the College’s email system.
Administrative access is restricted to most of the workstations located on campuses including public/shared areas.
File level access rights are controlled on all network shared drives. File shares are available as follows:
H: drive: User’s home directory. Only the user has access to this share.
G: drive: Department share. Access is granted based on the employee’s department of employment.
I: drive: Cross functional teams. Access is granted based on team lead approval to individuals participating in various cross-functional teams.
R: drive: Cross function teams for shared reporting. Access is granted based on team lead approval to individuals participating in various cross-functional teams.
S: drive: Public area (read only). Hosts organizational documents such as policies, phone lists, etc. that employees can view, but not edit.
Note: The Director of Technology Services and System Administrators have access to all file shares on all servers.
Diligence Concerning Credit Card Information: Spoon River College accepts credit card and debit card payments for tuition, donations, and other financial transactions. Any merchant that accepts credit card payments is subject to the security requirements outlined in the Payment Card Industry Data Security Standards (PCI-DSS). All SRC employees that work with credit card transactions must adhere to the following security requirements.
Electronic Storage: SRC does not store any cardholder data electronically. Cardholder data includes:
The Primary Account Number (PAN) – 16-digit credit card number on the front of the card.
The expiration date of the credit card.
The service code, Card Validation Code, or value (CVC, CVC2, CVV2, etc.) – the 3-digit number found on the back of the card used for on-line transactions.
Personal Identification Number (PIN) – the number used for ATM transactions.
Any magnetic stripe information – which includes all of the above information.
Employees must never enter cardholder data into any electronic software system such as the college’s administrative system (CX) or any other type of database, spreadsheet or other electronic file. Credit Card data may not be stored on any laptop computer, any Personal Digital Assistant (PDA) device, any removable storage media such as a thumb drive, any office or public workstation, or any network drive.
Electronic Transmission: Spoon River College does not electronically transmit credit card information over its data network.
All on-line credit card transactions are handled by a third-party service provider. These providers are responsible for providing a secure web site to handle the transactions as well as storing the credit card data securely.
All “card present” transactions are handled using stand-alone terminals connected to analog phone lines
SRC employees are prohibited from sending credit card information using electronic communication methods such as e-mail, chat, or instant messaging.
Security and Compliance Committee: The Security and Compliance Committee is responsible for implementing and maintaining the Information Security Program.
Committee is comprised of the Chief Information Technology Officer/Information Security Officer, Director of Technology Services, Director of Financial Aid, Chief Financial Officer and Director of Human Resources. In implementing this program, the committee works closely with relevant academic and administrative organizational units across campus.
The responsibilities of the Committee include, but are not limited to:
Consulting with responsible offices to identify organizational units with access to covered data, ensure all such units are included within the scope of this Program, and maintain a current listing of these units.
Working with all relevant organizational units to identify potential and actual risks to the security and privacy of covered data; evaluate the effectiveness of current safeguards for controlling these risks; design and implement additional required safeguards; and regularly monitor and test the Program;
Working with appropriate organizational units to ensure adequate training and education programs are developed and provided to all employees with access to covered data; ensure existing policies and procedures that provide for the security of covered data are reviewed and adequate; and make recommendations for revisions to policy, or the development of new policy, as appropriate.
Consulting with responsible organizational units to identify service providers with access to covered data; ensure all such service providers are included within the scope of this Program and maintain a current listing of these service providers.
Reviewing the Information Security Program, including this and related documents, annually, and adjusting as needed.
Maintaining a current, written Program, that is available to the College community.
Risk identification and assessment related to Information systems, including network and software design as well as information processing, storage, transmission and disposal for both paper and electronic records. Risk assessments include system-wide risks, as well as risks unique to each area with covered data.