Information Security Program
Purpose
The Gramm-Leach-Bliley Act (“GLBA”), together with the Federal Trade Commission (“FTC”) “Safeguards Rule,” regulates the security and confidentiality of customer information collected or maintained by or on behalf of financial institutions or their affiliates. Because Marymount Manhattan College is a financial institution under GLBA, by virtue of its processing and servicing student loans, the College has established an Information Security Plan (the “Plan”) to comply with GLBA and the Safeguards Rule. As required by the Safeguards Rule, the Plan is designed to ensure the security and confidentiality of applicable student information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information.
Policy Statement
Marymount Manhattan College complies with, and requires its employees to comply with, all applicable federal, state, and local laws and regulations, as well as College policies and procedures, that govern information security, confidentiality, and privacy. This Information Security Plan incorporates, by reference, College-wide or departmental policies and procedures that address the security and confidentiality of data encompassed by the definition of “covered data,” below.
Definitions
The term Customer Information refers to any record containing nonpublic, personally identifiable financial information, whether in paper, electronic, or other form, that the College obtains from a student, a student’s parent(s) or spouse, a College employee, alumnus, or any other third party, in the process of offering a financial product or service. The term also applies to such information provided to the College by another financial institution, or such information otherwise obtained by the College in connection with providing a financial product or service. Examples of customer information include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers. In general, the financial products or services offered by a college or university include making student loans and other miscellaneous financial services.
Covered data is defined as all information required to be protected under GLBA. This includes customer information, as well as financial information that the College, as a matter of policy, has included within the scope of this Plan, whether or not such information is covered by GLBA. Such information may include financial and personal identifying information obtained by the College outside of a financial service transaction covered by GLBA.
Service providers are defined as all third parties who are provided access to covered data. Examples of service providers include businesses retained to transport and dispose of covered data, collection agencies, and systems support providers.
Information Security Plan
GLBA requires financial institutions to develop, implement, and maintain a comprehensive information security plan that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer information it handles. The five components of the plan require each institution to:
- Designate one or more employees to coordinate the safeguards;
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of the current safeguards for controlling these risks;
- Design and implement information safeguards to control the identified risks, and ensure that the effectiveness of these safeguards is regularly tested and monitored;
- Select service providers that are capable of maintaining appropriate safeguards and require them to implement and maintain such safeguards; and
- Evaluate and adjust the information security plan based on the results of the testing and monitoring, any material changes to operations, or any other circumstances that have or may have a material impact on the information security plan.
Information Security Plan Coordinator
The GLBA Information Security Plan Coordinator (the “Coordinator”) is responsible for implementing and maintaining this Plan. At Marymount Manhattan College, the Coordinator is the Chief Information Officer. In implementing this Plan, the Coordinator works closely with the Information Technology Office, the Office of Student Services, the Controller’s Office, Human Resources, and all other relevant academic and administrative organizational units. The responsibilities of the Marymount Manhattan College Coordinator include, but are not limited to, the following:
- The Coordinator consults with responsible offices to identify organizational units with access to covered data, ensure that all such units are included within the scope of this Plan, and maintain a current listing of these units.
- The Coordinator works with all relevant organizational units to:
  - Identify potential and actual risks to the security and privacy of covered data;
  - Evaluate the effectiveness of current safeguards for controlling these risks;
  - Design and implement additional required safeguards; and
  - Regularly monitor and test the Plan.
- The Coordinator works with appropriate organizational units to ensure that adequate training and education programs are developed and provided to all employees with access to covered data, and that existing policies and procedures that provide for the security of covered data are reviewed and adequate.
- The Coordinator makes recommendations for revisions to policy, or the development of new policy, as appropriate.
- The Coordinator consults with responsible organizational units to identify service providers with access to covered data, ensure that all such service providers are included within the scope of this Plan, and maintain a current listing of these service providers.
- The Coordinator reviews the Plan, including this and related documents, annually, and makes adjustments as needed.
- The Coordinator maintains a current, written Plan and makes it available to the College community.
Risk Identification and Assessment
Under the guidance of the Coordinator, organizational units with access to covered data take steps to identify and assess internal and external risks to the security, confidentiality, and integrity of that data. At a minimum, this process considers the risks to covered data, and the safeguards currently in place to manage those risks, in each relevant area of College operations including: employee management and training; information systems, including network and software design; as well as information processing, storage, transmission, and disposal for both paper and electronic records; and security management, including the prevention, detection, and response to attacks, intrusions, or other systems failures.
The Coordinator establishes procedures for identifying and assessing risks in each relevant area of the College’s operations outlined above. Each affected organizational unit, in consultation with the Coordinator, performs the risk identification and assessment, and identifies a responsible individual to serve as that unit’s contact person with the Coordinator. Risk assessments include system-wide risks, as well as risks unique to each area with covered data. The Coordinator ensures that risk assessments are conducted at least annually, and more frequently where required.
Information Safeguards and Monitoring
The Coordinator verifies that organizational units with access to covered data design and implement reasonable safeguards to control identified risks to the security, confidentiality, and integrity of that data, and that the effectiveness of these safeguards is monitored regularly. Such safeguards and monitoring include the following:
Employee Management and Training
Safeguards for information security include the management and training of those individuals with authorized access to covered data. In consultation with the Information Technology Office and other responsible organizational units, the Coordinator identifies categories of employees and others with access to covered data. The Coordinator works with Human Resources and other responsible organizational units to develop appropriate training and education programs for all affected current and new employees. These programs are a component of the New Employee Orientation Program conducted by Human Resources. Training and education may also include brochures, web sites, and other means of increasing awareness of the importance of preserving the confidentiality and security of covered data.
Information systems include network and software design, as well as information processing, storage, transmission, and disposal. Each affected organizational unit is to implement and maintain in writing administrative, technical, and physical safeguards to control the risks to information systems, as identified through the unit’s risk assessment process. Safeguards have been designed and implemented in accordance with the nature and scope of a unit’s activities and the sensitivity of the covered data to which it has access. The Coordinator, the Information Technology Office, and other responsible organizational units work with individual units as requested or appropriate in the design and implementation of safeguards.
Safeguards include: creating and implementing access limitations; using secure, password-protected systems, and encrypted transmissions within and outside the College for covered data; regularly obtaining and installing patches to correct software vulnerabilities; prohibiting the storage of covered data on transportable media (floppy disks, zip drives, etc.); permanently removing covered data from computers, diskettes, magnetic tapes, hard drives, or other electronic media prior to disposal; storing physical records in a secure area with limited access; protecting covered data and systems from physical hazards such as fire or water damage; disposing of outdated records; and other reasonable measures to secure covered data during the course of its life cycle while in the College’s possession or control.
Security Management and Managing System Failures
In consultation with the Information Technology Office and other responsible organizational units, the Coordinator develops and implements effective procedures for preventing, detecting, and responding to actual and attempted attacks, intrusions, and other systems failures. Such procedures include implementing and maintaining current anti-virus software; maintaining appropriate filtering or firewall technologies; regularly obtaining and installing patches to correct software vulnerabilities; imaging documents and shredding paper records; regular data backup and off-site storage; implementing incident response plans; and other reasonable measures. The Coordinator, working with the Information Technology Office, assists affected organizational units in implementing the appropriate security management procedures.
The Coordinator may elect to delegate to an appropriate individual in the Information Technology Office responsibility for monitoring and disseminating information related to the reporting of known security attacks and other threats to the integrity of networks utilized by the College.
Monitoring and Testing
In consultation with the Information Technology Office and other responsible organizational units, the Coordinator develops and implements procedures to test and monitor the effectiveness of information security safeguards. Monitoring levels are appropriate to the probability and potential impact of the risks identified, as well as the sensitivity of the information involved. Monitoring includes sampling, systems checks, systems access reports, and any other reasonable measures adequate to verify that Plan safeguards, controls, and procedures are effective.
Service Providers and Contract Assurances
The Coordinator, by survey or other reasonable means, is to identify service providers with access to covered data and the organizational units that provide this access. Working with these units, the Coordinator is to ensure that reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for covered data, and to require service providers to implement and maintain such safeguards.
Periodic Review and Adjustment of Plan
The Coordinator, working with the Information Technology Office and other responsible organizational units, evaluates and adjusts annually this Plan in light of the results of the testing and monitoring described in paragraph (3)(d), above, as well as any material changes to operations or business arrangements, including changes in technology, the sensitivity of covered data, and the nature of internal and external threats to information security, and any other circumstances that may reasonably impact the Plan.
The Coordinator, in consultation with outside counsel, reviews the Plan annually to assure ongoing compliance with GLBA and the FTC Safeguards Rule, as well as consistency with other existing and future laws and regulations.