Gramm-Leach-Bliley Student Financial Information Security Program
This document outlines the University of Kansas, Lawrence, program to protect critical information and data and to comply with Federal Law on student financial information. The goal of this document is to define the University's Gramm Leach Bliley (GLB) Student Financial Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the Program and to enhance the University’s ability to respond to likely future privacy and security regulations. While not limited to the following, these offices are known to be affected: Student Financial Aid, the Comptroller’s Office, the Office of the University Registrar, and the Information Technology (IT) Security Office. The Chief of Staff in the Office of the Chief Information Officer coordinates the program. The University IT Security Policy and the Student Records Policy supplement this document. This document is based on the security program created by The Catholic University of America.
The Financial Services Modernization Act of 1999 (also known as Gramm Leach Bliley (GLB)), 15 U.S.C. §6801
GLB mandates that the University appoint a GLB Student Financial Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the GLB Information Security Program periodically.
I. GLB Student Financial Information Security Program Coordinators
In order to comply with GLB, the Provost has designated three administrative officers to coordinate the protection of student financial information: the Director of Financial Aid, the Comptroller, and the IT Security Officer. They will work together and with the Coordinator of IT Policy and Planning to assist the relevant offices of the University in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student financial information; to evaluate the effectiveness of the current safeguards for controlling these risks; to design and implement a safeguards program; and to regularly monitor and test the program. These three officers, together with the Coordinator of IT Policy and Planning, will evaluate the program periodically to make appropriate adjustments and to send educational reminders to the University community. Questions regarding interpretations and applicability of the GLB and implementing federal regulations will be coordinated with the Office of the General Counsel.
II. Risk Assessment and Safeguards
The IT Security Officer will work with all relevant areas of the University to identify potential and actual risks to security and privacy of the systems that contain student financial information. Each School or Department head, or designee, will conduct an annual data security review with guidance from the IT Security Officer for systems and from the Director of Financial Aid and Comptroller for data. Vice Provosts will be asked to identify any employees in their respective areas who work with covered data and information.
Information Technology bears primary responsibility for internal and external risk assessment, but all members of the University community are involved in risk assessment. The IT Security Officer, working in conjunction with the relevant University offices, will conduct regular risk assessments of systems, including but not limited to the categories listed by GLB.
The Coordinator of IT Policy and Planning, working in cooperation with relevant University departments, will develop and maintain a data handbook listing those persons or offices responsible for each covered data field in relevant software systems (financial, student administration, development, etc.). Information Technology is developing an authentication and authorization system that will permit access by designated members of the University community to covered data and information.
Information Technology will assure the physical security of all central systems that contain or have access to covered data and information and the network that is utilized to access the systems. Information Technology will work with other relevant areas of the University to develop guidelines for physical security of any covered servers in locations outside the central server area. Units will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, and other procedures that may expose the University to risks.
Information Technology has developed written plans and procedures to detect any actual or attempted attacks on covered systems and has developed incident response procedures for actual or attempted unauthorized access to covered data or information.
The IT Security Officer will periodically review the University's disaster recovery program for critical systems and present a report to the Provost. The Vice Provost for Student Success will periodically review the access protocols to covered data and present a report to the Provost.
III. Employee training and education
While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, Information Technology, the Director of Student Financial Aid, and the Comptroller will develop training and education programs for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology who have general access to all University data; data stewards; and those employees who use the data as part of their essential job duties.
IV. Oversight of Service Providers and Contracts
GLB requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. The Comptroller will develop and send form letters to all covered contractors requesting assurances of GLB compliance. Steps will be taken to ensure that all relevant future contracts include a privacy clause and that all existing contracts are in compliance with GLB.
V. Evaluation and Revision of the Information Security Program
GLB mandates that this Student Financial Information Security Program be subject to periodic review and adjustment. Processes such as data access procedures and the training program should undergo regular review in relevant offices of the University. The plan itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with current laws and regulations. The Coordinator of IT Policy and Planning will remind relevant offices each year of the need to review policies and procedures.
Chief Information Officer
345 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
Covered data and information for the purpose of this policy includes student financial information that is required to be protected under the Gramm Leach Bliley Act (GLB). Covered data and information includes both paper and electronic records.
Student financial information is that information the University has obtained from a student in the process of offering a financial product or service, or such information provided to the University by a financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.
5/23/2003: Approved by the Provost and Executive Vice Chancellor; revised 8/24/2004; updated 10/10/2008, 7/13/2012, 8/10/2012, 12/19/2012 (added Related Documents section).