Overview
This document summarizes the University of Miami's ("University") comprehensive information security program ("Program") as mandated by the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act ("GLBA"). This Program is undertaken in alliance with the Office of General Counsel, Office of the Treasurer, Information Technology ("IT"), Office of the Registrar, Office of Financial Assistance Services and the University's Compliance Committee through the Office of the Vice Provost for Research. While these practices mostly affect Information Technology, they may impact diverse areas of the University, including but not limited to Treasury Operations, the Office of the Registrar, Office of Financial Assistance Services, Athletics, Institutional Advancement, and others as well as third party contractors such as student loan billing and collections services. The goal of this document is to define the Program as required by the GLBA and to provide an outline to ensure ongoing compliance with federal regulations related to the Program. This program is in addition to any other University policies and procedures that may be required pursuant to other federal and state laws and regulations, including Family Educational Rights and Privacy Act ("FERPA").
Scope of Program
The Program applies to (i) any record containing nonpublic personal information about a student or other third party who has a continuing relationship with the University, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the University and (ii) any record containing nonpublic personal information pertaining to customers of other financial institutions that have provided such information to the University. For these purposes, the term nonpublic personal information shall mean:
- Personally identifiable financial information, defined as any information (i) a student or other third party provides in order to obtain a financial product or service from the University, (ii) about a student or other third party resulting from any transaction with the University involving a financial product or service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial product or service to that person.
- Any list, description or other grouping that is derived using any personally identifiable financial information that is not publicly available.
For the purpose of this policy, offering financial products and services includes offering student loans, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include without limitation, information a student provides to obtain a loan or other financial product or service, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format. The fact that a student or third party has obtained a financial product or service from the University is also financial information.
Pursuant to this Program, administrative, technical and physical safeguards will govern access, collection, distribution, processing, protection, storage, use, transmittal, disposal or other handling of information covered under GLBA.
Gramm-Leach-Bliley Act Requirements
GLBA mandates that the University (i) designate an employee(s) to coordinate the Program, (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of covered information, giving consideration to operations such as employee training and management, information systems, and potential system failures, attacks and intrusions, (iii) design and implement information safeguards to control the risks identified through risk assessment, (iv) oversee service providers and contracts, and (v) evaluate and adjust the Information Security Program periodically.
Designation of Representative(s)
The Gramm-Leach-Bliley Compliance Committee ("GLBCC") shall be responsible for coordinating and overseeing the Program. This committee will consists of administrators from the Office of General Counsel, IT, Treasury Operations, Financial Assistance Services and the Registrar. The GLBCC may designate other representatives of the University to oversee and coordinate particular elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the chair of the GLBCC.
The GLBCC will act as a consultant to and coordinate Program activities with Schools and Departments that have access to or maintain information that is covered by GLBA ("Data Custodians"). Each Data Custodian must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of account information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement an administrative, technical and physical safeguards program, regularly monitor and test the program and report to the GLBCC.
Risk Assessment and Safeguards
The University intends, as part of the Program, to (i) identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic personal information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and (ii) assess the sufficiency of any safeguards in place to control these risks. The GLBCC will work with all Data Custodians and other areas of the University to identify potential and actual risks to security and privacy of information.
Each Data Custodian will conduct an annual data security review, with guidance from the GLBCC. IT will ensure that procedures and responses are appropriately reflective of those widely practiced at other national research universities.
The University has discontinued usage of social security numbers as student identifiers. Social security numbers are considered protected information under both GLBA and the FERPA. By necessity, student social security numbers remain in the University student information system. The GLBCC will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are still used, and in what instances, if any, students are inappropriately being asked to provide a social security number. This assessment will cover University employees as well as subcontractors such as student loan billing and collection services.
IT will develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks.
IT will develop plans and procedures to detect and prevent any attempted attacks, intrusions or other failures on central systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.
The GLBCC and IT Security will provide Data Custodians who maintain their own servers with plans and procedures they must follow to detect any attempted attacks or intrusions on central systems and incident response procedures for actual or attempted unauthorized access to covered data or information.
Designing and Implementing Safeguards
The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The GLBCC will, on a regular basis, assist Data Custodians in implementing safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
This evaluation will include assessing the effectiveness of the University's current policies and procedures relating to system access, the use of the University's network, network security, documentation retention and destruction. The GLBCC will also coordinate with IT to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems, implementing patches or other software fixes designed to deal with known security flaws.
Employee Training and Management
While the directors and supervisors in the Data Custodian offices are ultimately responsible for ensuring compliance with information security practices, the GLBCC will consult with relevant offices to evaluate the effectiveness of the University's employee training and practices relating to access to and use of covered information. Employees with access to covered information typically fall into three categories: professionals in information technology who have general access to all university data, Data Custodians who have access to specific systems, and those employees who use data as part of their essential job duties.
Oversight of Service Providers
The GLBCC shall consult with those responsible for the procurement of third party services and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic personal information of students and other third parties to which they will have access. In addition, the GLBCC will work with the Office of General Counsel to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. These standards shall apply to all existing and future contracts entered into with such third party service providers.
Program Review and Revision
This Program is subject to review and revision by the GLBCC, based on the risk assessment results, to ensure compliance with existing and future laws and regulations. Technology security should undergo quarterly review by IT. Other processes, such as data access procedures and training should undergo regular reviews by the GLBCC.
Program Questions
Questions regarding the University's GLBA policy or regarding information security may be e-mailed to: GLBA@miami.edu
