This document summarizes the University of Miami's ("University") comprehensive information security program ("Program") as mandated by the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act ("GLBA"). This Program is undertaken in alliance with the Office of General Counsel, Office of the Treasurer, Information Technology ("IT"), Office of the Registrar, Office of Financial Assistance Services and the University's Compliance Committee through the Office of the Vice Provost for Research. While these practices mostly affect Information Technology, they may impact diverse areas of the University, including but not limited to Treasury Operations, the Office of the Registrar, Office of Financial Assistance Services, Athletics, Institutional Advancement, and others as well as
The Program applies to (i) any record containing nonpublic personal information about a student or other third party who has a continuing relationship with the University, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the University and (ii) any record containing nonpublic personal information pertaining to customers of other financial institutions that have provided such information to the University. For these purposes, the term nonpublic personal information shall mean:
For the purpose of this policy, offering financial products and services includes offering student loans, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include, without limitation, information a student provides to obtain a loan or other financial product or service, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format. The fact that a student or third party has obtained a financial product or service from the University is also financial information.
Pursuant to this Program, administrative, technical and physical safeguards will govern access, collection, distribution, processing, protection, storage, use, transmittal, disposal or
GLBA mandates that the University (i) designate an employee(s) to coordinate the Program, (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of covered information, giving consideration to operations such as employee training and management, information systems, and potential system failures, attacks and intrusions, (iii) design and implement information safeguards to control the risks identified through risk assessment, (iv) oversee service providers and contracts, and (v) evaluate and adjust the Information Security Program periodically.
The Gramm-Leach-Bliley Compliance Committee ("GLBCC") shall be responsible for coordinating and overseeing the Program. This committee will
The GLBCC will act as a consultant to and coordinate Program activities with Schools and Departments that have access to or maintain information that is covered by GLBA ("Data Custodians"). Each Data Custodian must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of account information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement an administrative, technical and physical safeguards program; regularly monitor and test the program; and report to the GLBCC.
The University intends, as part of the Program, to (i) identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic personal information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and (ii) assess the sufficiency of any safeguards in place to control these risks. The GLBCC will work with all Data Custodians and other areas of the University to identify potential and actual risks to security and privacy of information.
Each Data Custodian will conduct an annual data security review, with guidance from the GLBCC. IT will ensure that procedures and responses are appropriately reflective of those widely practiced at other national research universities.
The University has discontinued usage of social security numbers as student identifiers. Social security numbers are considered
IT will develop a plan to ensure that all electronic covered information is encrypted in transit and that the central databases are strongly protected from security risks.
IT will develop plans and procedures to detect and prevent any attempted attacks, intrusions or other failures on central systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information.
The GLBCC and IT Security will provide Data Custodians who maintain their own servers with plans and procedures they must follow to detect any attempted attacks or intrusions on central systems and incident response procedures for actual or attempted unauthorized access to covered data or information.
The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or
This evaluation will include assessing the effectiveness of the University's current policies and procedures relating to system access, the use of the University's network, network security, documentation
While the directors and supervisors in the Data Custodian offices are ultimately responsible for ensuring compliance with information security practices, the GLBCC will consult with relevant offices to evaluate the effectiveness of the University's employee training and practices relating to access to and use of covered information. Employees with access to covered information typically fall into three categories: professionals in information technology who have general access to all university data, Data Custodians who have access to specific systems, and those employees who use data as part of their essential job duties.
The GLBCC shall consult with those responsible for the procurement of
This Program is subject to review and revision by the GLBCC, based on the risk assessment results, to ensure compliance with existing and future laws and regulations. Technology security should undergo quarterly review by IT. Other processes, such as data access procedures and training, should undergo regular reviews by the GLBCC.
Questions regarding the University's GLBA policy or regarding information security may be e-mailed