Gramm-Leach-Bliley Act Security Plan
The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §6801) governs the use, sharing, and collection of financial information. It requires “financial institutions” to take steps to protect customers’ nonpublic personal information. Because higher education institutions like Ohio State participate in financial activities such as making student loans, the Federal Trade Commission's regulations consider them financial institutions and subject to certain GLBA regulations. Higher education institutions must comply with the Safeguards Rule of GLBA; however, they are exempt from the Privacy Rule provided they are compliant with the Family Educational Rights and Privacy Act (FERPA).
This document is The Ohio State University Gramm Leach Bliley Act (GLBA) Security Plan. The goal of this document is to provide an outline to assure ongoing compliance with federal regulations related to the Safeguards Rule of GLBA. The University Bursar is responsible for the GLBA Security Plan and its periodic review. While not limited to the following, these offices are known to be covered under the scope of GLBA regulations to the extent they have access to in scope data: Office of the University Bursar, Student Financial Aid, Office of the Controller, the Office of the University Registrar, and the Office of the Chief Information Officer. The University’s Security Framework and Privacy and Release of Student Education Records Policy, which addresses FERPA compliance at Ohio State, supplement this document.
GLBA mandates that the University:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the University’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure the University’s contracts require them to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the University’s business or operations, or the results of security testing and monitoring.
For purposes of GLBA, covered data is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages. Emergency faculty loans are also considered in scope. Covered data resides in the University’s Student Information System, eReports and the Data Warehouse.
I. Information Security Program Coordinator
The Chief Information Security Officer is the Information Security Program Coordinator for the University. The GLBA Information Security Program is part of the larger University Information Security Program.
The GLBA Information Security Program is evaluated periodically to make appropriate adjustments, and educational reminders are sent to the University community. Questions regarding interpretations and applicability of the GLBA and its implementing federal regulations are coordinated with the Office of the University Bursar.
II. Risk Assessment and Safeguards
Covered data is housed in several systems; therefore, multiple areas of the University are responsible for assessing risks and putting safeguards in place to protect customers’ information. The Office of the University Bursar and the Office of the Chief Information Officer work together to identify and assess risks to (a) customer information, including detection, prevention and response to attacks, intrusions and other system failures, (b) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (c) employee training and education, and in each case put safeguards in place to address those risks and regularly test those safeguards to make sure they are effective.
III. Employee training and education
While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, the Office of the University Bursar has developed and implemented GLBA training for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology; data stewards; and those employees who use the data as part of their essential job duties. New employees must successfully complete GLBA training and pass a quiz in order to gain access to student financial or financial aid data. In addition, current employees who have access to student financial or financial aid data must complete GLBA training and pass a quiz at least once every fiscal year. Current employees who do not complete the training by the required deadline have their access removed and must complete the training and pass the quiz before access is restored.
Note: In FY20 the yearly training requirement was paused during a review by a working group that assessed the scope and training for related compliance trainings across campus. The expectation was that the new training and scope would replace the existing requirements; however, the working group unexpectedly paused its effort in March 2020 and will resume at a future date. Normal training requirements will resume in FY21 and remain in place until the working group’s recommendations are implemented.
IV. Oversight of Service Providers and Contracts
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Vendors who will have access to covered data must undergo a security risk assessment to identify and document the risks associated with their transmitting and/or storing customer data. Appropriate data security provisions are included in contracts with such vendors.
V. Evaluation and Revision of the Information Security Program
GLBA mandates that the Information Security Program be subject to periodic review and adjustment as a result of the risk assessments and material changes to the University’s operations or business. Processes such as data access procedures and the training program undergo regular review in relevant offices of the University.