| Effective Date: | 06/01/2023 |
|---|---|
| Qualified Individual: | Chief Privacy Officer, Mark Werling: privacy@iu.edu |
| Review Cycle: | Annually |
| Last Reviewed: | 06/01/2024 |
| Jurisdiction: | University-wide |
Financial Information Security Program
Objectives
This document outlines how Indiana University complies with the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, the Safeguards Rule (the Rule) (16 CFR Part 314), which requires the University to develop, implement, and maintain a comprehensive written Information Security Program to safeguard customer financial information.
The objectives are to:
- Ensure the security and confidentiality of customer financial information in compliance with applicable GLBA rules as published by the Federal Trade Commission;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Guard against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
This Program applies to any record containing nonpublic personal information about a customer (student or other individual), whether in paper, electronic, or other form, that is handled or maintained by the University or on behalf of the University, and that is obtained in connection with the provision of a financial service or product. Examples of such financial services and products include monthly tuition payment plans; federal, private, and institutional loans to students including the Federal Perkins Loan and Federal Plus Loan; and accounts credited and billed through the cashier’s office including student accounts.
Nonpublic personal information means personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Coordination and Responsibility for the Information Security Program for GLBA
The Chief Privacy Officer (CPO) is designated as the individual responsible for overseeing, implementing, and enforcing this Program. The CPO may coordinate with others to oversee elements of the Program, such as the Chief Information Security Officer and the GLBA Governance Committee, which provides oversight. Although ultimate responsibility for compliance lies with the coordinator, representatives from each of the operational areas are responsible for implementation and maintenance of the specified requirements of the security program in their specific operation. See Appendix A for the matrix identifying the business processes that are in scope for GLBA.
GLBA Governance Committee
The above-referenced committee exists to ensure that this Financial Information Security Program is kept current and to evaluate potential policy or procedural changes driven by GLBA. Committee membership may change from time to time but will minimally include the Chief Privacy Officer as the chair, the Chief Information Security Officer, the University Information Policy Office, and representatives from Bursar, Comptroller, Financial Aid, Treasury, and the system owners in UITS that manage in-scope financial applications and services. Other individuals may be added as deemed necessary.
Questions regarding GLBA impacts on business processes and policies should be directed to the Coordinator of the GLBA Program, who is the Chief Privacy Officer, at privacy@iu.edu. Questions regarding technical issues and risk assessments should be directed to the University Information Security Office at uisorisk@iu.edu.
Risk Assessments and Safeguards
There is an inherent risk in handling and storing any information that must be protected. Identifying areas of risk and maintaining appropriate safeguards reduces that risk. Safeguards are designed to reduce the risk inherent in handling protected information and cover both information systems and the storage of paper records.
Indiana University has a robust security program; associated policies and practices are detailed on the Information and Security website. These are not restated within this document.
A. Perform Risk Assessments
The Program is based on periodically performed risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Risks are prioritized using a matrix rating scale and top risks are either accepted, mitigated, transferred, or avoided, as appropriate.
B. Design and Implement Safeguards
The Program addresses the highest risks identified in the risk assessments by designing and implementing safeguards that will control those risks. The following safeguards are implemented as a part of this Program:
- Access controls that limit access only to authorized users and only to the information needed to perform their duties and functions;
- Asset management that identifies relevant data, devices, systems, and facilities upon which to apply appropriate controls;
- Encryption of information both in transit and at rest;
- Multi-factor authentication (MFA) or, where MFA is not feasible, compensating controls approved by the Qualified Individual including separate accounts and network segmentation;
- A written Data Retention Policy that outlines the secure disposal of data no longer needed to conduct business;
- Change management processes; and
- Logging and monitoring to detect unauthorized access or use of, or tampering with, information.
The University safeguards program can be found on the Information and Security website. This includes information on (1) safeguards, (2) governance, (3) principles, and (4) tools and resources.
IU policies around safeguarding information include:
- DM-01: Management of Institutional Data
- DM-02: Disclosing Institutional Information to Third Parties
- ISPP-26: Information and Information System Incident Reporting, Management, and Breach Notification
- IT-07: Privacy of Electronic Information and Information Technology Resources
- IT-12: Security of Information Technology Resources
- IT-28: Cyber Risk Mitigation Responsibilities
C. Test and Monitor
The Program includes regular testing and monitoring of the effectiveness of key safeguards, including those to detect actual and attempted attacks on, or intrusions into, information.
Employee Training and Education
Employees handle and have access to protected information to perform their job duties. This includes permanent and temporary employees and student employees whose job duties require them to access protected information or who work in a location where there is access to protected information. Departments are responsible for maintaining a high level of awareness and sensitivity to safeguarding protected information, and supervisors and department representatives should periodically remind employees of its importance. Minor changes to office layout and practices could significantly compromise protected information if a culture of awareness is not present.
The data stewards and managers are responsible for ensuring that staff with access to restricted and critical data including customer financial data understand GLBA concepts and requirements. Training materials related to GLBA and data handling are available online.
In addition to general data protection and privacy training, and GLBA specific training, UITS distributes cybersecurity and privacy awareness to the University community through the emailed Monitor newsletter. Awareness activities include simulated phishing attacks and participating in National Cybersecurity Awareness Month. Annual cybersecurity training is required of all employees with access to financial data.
Oversight of Service Providers and Contracts
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. General Counsel, Procurement, and the University Data Stewards have assisted with language to ensure that all relevant service provider contracts comply with GLBA provisions. Contracts should be reviewed to ensure this language is included:
> [Service Provider] agrees to implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of customer information and further containing each of the elements set forth in § 314.4 of the Gramm-Leach-Bliley Standards for Safeguarding Customer Information (16 C.F.R. § 314). [Service Provider] further agrees to safeguard all customer information provided to it under this Agreement in accordance with its information security program and the Standards for Safeguarding Customer Information.
The GLBA contract due diligence is considered in various aspects of contract negotiation, including security control reviews.
The University only selects service providers that undergo a complete review to ensure they maintain appropriate safeguards for customer information.
- Rigorous third-party reviews
- Policy requiring reviews: DM-02: Disclosing Information to Third Parties
IU has standard contractual provisions for service providers that require providers to implement and maintain appropriate safeguards when managing data.
Evaluation and Revision of the Information Security Program
GLBA mandates that this Information Security Program be subject to periodic review and adjustment. Some of the governance groups that play a role in the evaluation and revision of the Information Security Program include:
The Information Security, Privacy, and Risk Council is a standing committee that provides broad oversight to support IU’s information security and privacy programs.
The University Data Management Council provides university-wide strategic planning, governance, and oversight for Indiana University’s institutional data.
The GLBA Governance Committee, led by the Chief Privacy Officer, will evaluate and adjust the Program as needed, based on the results of the testing and monitoring performed; any material changes to operations or business arrangements; the results of risk assessments performed; or any other circumstances that may have a material impact on the Program. In addition to assessments of products and services and the safeguards in place to secure customer information, access to this data and training requirements for data handling are evaluated and revised as needed.
This Financial Information Security Program is reevaluated regularly in order to ensure ongoing compliance with existing and future laws and regulations.
Establish an Incident Response Plan
UITS has a nationally recognized written incident response plan, which is designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information. For more information, see ISPP-26: Information and Information System Incident Reporting, Management, and Breach Notification.
Report Regularly to Governing Body
The Qualified Individual prepares and delivers an annual report, with appropriate partners, on the overall status of the Financial Information Security Program and IU’s compliance with GLBA.
Definitions
CUI (Controlled Unclassified Information) means information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Customer Information means any record containing nonpublic personal information as defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution] or [its] affiliates. An example would be information that a student provides on the Free Application for Federal Student Aid (FAFSA).
Financial Product or Service means
(i) any product or service that a financial holding company could offer by engaging in a financial activity; and
(ii) Financial Service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.
Information security program means the administrative, technical, or physical safeguards used to collect, process, store, and dispose of customer information.
Non-Public Personal Information means
(i) Personally identifiable financial information and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n)(1).
Personally Identifiable Financial Information means any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.
Protected Information refers to personally identifiable financial information which is covered by GLBA.
Examples of services or activities that IU may offer that the FTC is likely to consider a financial product or service include, but are not limited to:
- Financial aid (FAFSA data/tax returns for verification)
- Direct deposit banking information
- Making/Servicing/Collecting loans/tuition, including payment plans
- From 12 CFR § 225.28: employee benefits counseling/financial counseling/career counseling (if financial information)
Service provider means any person or entity that receives, processes, or otherwise is permitted access to customer information through its direct provision of services to IU.
Appendix A - Business Processes Considered In-Scope Under GLBA
Matrix updated as of June 1, 2023
| Process | Division | Office | Contact | Rationale |
|---|---|---|---|---|
| Free Application for Federal Student Aid (FAFSA) receipt of electronic transmissions | VPSS | Office of Student Financial Aid | Director of Financial Aid | Information pertaining to student financial aid eligibility is received and stored. |
| Loans – There are a variety of both federal and private student and parent loan programs available | VPSS | Office of Student Financial Aid | Director of Financial Aid | Student loans are considered a financial product or service. |
| Campus Based Loans - Servicing and Collection | UC | Office of the University Controller oversees the Third Party Vendor Relationship for servicing campus based loans | Receivables and Collections and Third Party Vendor Relationship | Student loans are considered a financial product or service. The vendor relationship and associated security of data is contained within the contract. |
| Payment Plans | OVPFAA | Bursar | Bursar | Represents offering “credit” for tuition and fee payments through deferment of amounts due beyond due date. Includes fee for service. |
| Accounts receivable, student loan administration, internal collection activities, associated credit reporting, and/or collection agency referrals | OVPFAA | University Controller, Treasurer and third party vendors | Controller, Treasurer, Bursar | KFS and other systems utilized to bill and collect on general university A/R, student loans, past due tuition and fee amounts, and failed payments. For third party vendors, appropriate contracts have been negotiated. |
Revision History
Established 06/01/2023
Revised 06/01/2023 in cooperation with GLBA Governance Committee
Copyright © 2023 Indiana University. All Rights Reserved.