GLBA Compliance Program Policy

Purpose: To outline Pittsburg State University’s program to protect customer information and data and to comply with Federal Laws that apply to student financial information. This document outlines Pittsburg State University’s (the university) program to protect customer information and data and to comply with Federal Laws that apply to student financial information. The goal of this document is to define the university's Gramm-Leach-Bliley (GLB Act) Student Financial Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the Program, and to enhance the university’s ability to respond to likely future privacy and security regulations. While not limited to the following, these offices are known to be affected: Student Financial Assistance, Controller’s Office, Registrar’s Office, Cashiers and Student Accounts, Human Resources, and Information Technology Services.

Applies to: All faculty and staff of Pittsburg State University.

Statement:
The GLB Act, effective May 23, 2003, along with agreements between Pittsburg State University (the university), the United States Department of Education (Federal Student Aid Program Participation Pittsburg State University Policies and Procedures Agreement – PPA, and the Student Aid Internet Gateway Enrollment Agreement – SAIG), and the Family Educational Rights and Privacy Act (FERPA) addresses the safeguarding privacy, security, and confidentiality of customer information and data, which includes student financial aid records and information. Educational entities that engage in financial activities, such as processing student loans, are required to comply. The GLB Act and other pertinent legislation outlines standards of care for information security across all areas of data management practices both electronic and physical (employee, student, customer, alumni, donor, etc.). Therefore, the university must safeguard all personally identifiable financial records and information regardless of where it resides and covers employees and all other individuals or entities using these records and information for any reason.

Policy:

Categories of Information under the Program:

Information covered under the program is defined by three categories:

• Personal Identifiable Information (PII)– Also known as protected data, PII includes first and last name, social security number, date of birth, home address, home telephone number, academic performance record, physical description, medical history, disciplinary history, gender, and ethnicity.
• Financial Information – Information that the university has obtained from faculty, staff, students, alumni, auxiliary agencies and patrons in the process of offering financial aid or conducting a program. Examples include bank and credit card account numbers, and income and credit histories.
• Student Financial Information – Information that the university has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Examples include student loans, income tax information received from a student’s parent when offering a financial aid package, bank and credit card account numbers, and income and credit histories.

Departments and Documents Subject to Safeguard Guidelines:

This Program ensures that administrative, technical and physical safeguards are implemented by The university to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle covered data and information in compliance with the GLB Act. These safeguards are provided to:

• Ensure the security and confidentiality of covered data and information;
• Protect against any anticipated threats or hazards to the security or integrity of such information; and
• Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

The university shall appoint an Information Security Program Coordinator(s), conduct risk assessments of likely security and privacy risks, maintain a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program as needed on an annual basis.

Procedure

• Employee Responsibilities and Access:
  The following restrictions apply to all personally identifiable financial records and information maintained by the university and are meant to safeguard the security of these records and to maximize the integrity of the information. University employees are responsible for ensuring that, within their areas of responsibility, appropriate enforcement of the GLB Act program will be maintained.
  
  • University employees are granted access to those data and information resources required to carry out the responsibilities of their position and may not access additional resources without authorization (in other words, employees may not access customer information unless they have a need to know that information to perform their job duties).
  • Access is determined based on the duties and responsibilities of each position and each employee is responsible for protecting their means of access from misuse. (for example, employees must not share their user name/password(s) with anyone else, or allow others to have access to their keys, etc.).
  • Employees shall not knowingly alter, destroy, or misuse customer information.
  • Employees must ensure that any release of customer information is conducted in an appropriate and secure manner (for example, employees should not release customer information without verifying the identity of the person(s) requesting the information, employees should use password protected file attachments and/or encrypted emails when transmitting confidential information, etc.).
• Security Requirements:
  Personally identifiable financial records and information, regardless of where it resides, must be maintained in a physically secure location with controlled access. Centralized and departmental computers and servers must have the appropriate level of physical and electronic security. The level of such security measures depends on the sensitivity of the data they process
• Risk Assessment:
  This Committee will perform an annual risk assessment for the university. The risk assessment will include all GLB Act requirements. The Committee will work with all relevant areas of the university to identify potential and actual risks to the security and privacy of the systems that contain student financial information.
• Training Requirements
  Each department subject to this program must complete the required GLB Act training. Department heads are responsible for ensuring that personnel are appropriately trained. Information security awareness training is also required for all staff working in GLB Act affected offices.
• Service Provider Arrangements:
  In the event the university contracts with a service provider to perform an activity in connection with any personally identifiable financial records and information, the university will take the following steps to ensure that the service provider performs its contracted activities in a secure manner:
  • Require that service providers have reasonable policies and procedures in place to insure the security and confidentiality of customer records and information; and
  • Require by contract, that all contracts with service providers contain language requiring the service providers to implement appropriate measures designed to ensure that customer information is kept confidential and that it is only used for the purposes set forth in the contract.