
ASU Compliance with the Gramm-Leach-Bliley Act and the FTC Safeguards Rule

Executive Overview | Compliance Measures | Employee Education and Training | Overseeing Service Providers | Information Systems | Managing System Failures


I. EXECUTIVE OVERVIEW

A. What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) requires "financial institutions," as defined by the Federal Trade Commission (FTC), to protect and secure constituent information such as names, Social Security numbers, addresses, and account and credit card information. The GLBA sets forth extensive privacy rules, with which the University is deemed to be in compliance because of its adherence to the provisions of the Family Educational Rights and Privacy Act (FERPA). The GLBA also establishes a Safeguards Rule, from which the University is not exempt, that requires the University to protect and safeguard constituent information.

B. What is the FTC Safeguards Rule?

The Safeguards Rule requires financial institutions to secure constituent information. It requires the University, as a financial institution, to develop a written information security plan that describes its program to protect constituent information.

C. Why does the GLBA apply to Augusta State University?

The GLBA applies to the University because the University is considered a "financial institution" due to the financial activities in which it engages, such as processing financial aid, collecting tuition, etc.

D. What is the Scope of this Security Plan?

This Plan applies to all "constituent information," which is defined as any personally identifiable, nonpublic information that the University handles or maintains about an individual in the process of offering a financial product or service, or such information provided to the University by another financial institution. Such constituent information is covered whether it is in paper, electronic, or other form. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of constituent information include addresses, phone numbers, bank and credit card information, income and credit histories, and Social Security numbers.

E. What are the Primary Goals of this Security Plan?

The primary goals of this Security Plan are to:

  • Designate one or more employees to coordinate the Security Plan
  • Identify and assess the risks to constituent information and evaluate the effectiveness of current procedures in place
  • Design and implement a safeguards program
  • Review and update the safeguards to ensure continued compliance with current federal requirements



II. COMPLIANCE MEASURES

A. Designating Employees to Coordinate the Security Plan

The University has formed an Information Security Advisory Committee (ISAC), which is responsible for coordinating this Plan. The ISAC is a cross-campus team representing the major work centers, business activities, and information technology staff. In addition, every University department that handles or maintains constituent information is responsible for designating an individual who is responsible for coordinating safeguard measures and monitoring security risks within that department.

B. Identifying and Assessing the Risks to Constituent Information in Relevant Areas of the University

Every University department that handles or maintains constituent information is responsible for identifying the type of information, the form of the information, and the security risks within that department, and for taking appropriate measures to mitigate those risks.

Potential security risks to constituent information include the following:
  • Computer systems vulnerable to electronic break-ins
  • Paper forms vulnerable to office break-ins after hours
  • Paper forms and computer systems left unattended or accessible during business hours
  • Paper forms containing constituent information that are accessible to all employees

C. Evaluating the Effectiveness of the Current Safeguards in Place

Current safeguards taken to protect constituent information include the following:
  • Computer access limited by system IDs and passwords
  • Paper reports in file cabinets accessible only to staff in office who need access
  • Offices that are locked after hours
  • File cabinets that are locked
  • Data backed up nightly
  • Passwords that expire periodically and must then be reset by employees
  • Passwords not posted in publicly viewable places
  • Vulnerability scanning of systems containing constituent information
  • Antivirus protection maintained on computer systems
  • Firewalls installed on computer network
  • Separating records containing constituent information from ordinary recycling, and shredding those records
  • Referring calls or other requests for constituent information to designated individuals and being alert to fraudulent attempts to obtain this information
  • Keeping constituent information stored in appropriate filing cabinets and clear of areas with public access
  • Constituent information accessible only by staff with a "need to know"
  • Promissory notes locked in storage for safekeeping after data entry

The following University policies also address the safeguarding of information:

Augusta State University Security Agreement for Computing Accounts:
http://www.aug.edu/its/policies/Security_Agreement.html
Employ security measures to protect University computers from unauthorized access, compromises and attacks

Augusta State University Computer and Network Usage Policy:
http://www.aug.edu/its/policies/acpol.html
Access to networks and computer systems owned or operated by Augusta State University imposes certain responsibilities and obligations and is granted subject to University policies and local, state, and federal laws.

The effectiveness of the above safeguards is dependent upon:

  • Universal application throughout the University
  • University employees being responsible for complying with the above safeguards
  • Implementation of additional safeguards as described below

D. Implementing Supplemental Measures

Additional safeguard measures that are recommended to supplement current safeguards include the following:

  • Lock file cabinets containing constituent information
  • Designate a staff member to supervise the disposal of records containing constituent information
  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of constituent information
  • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain constituent information
  • Have the University Information Security Officer conduct security reviews to identify whether additional security measures are required to protect constituent information processed and stored on University computer systems
  • Maintain inventories of all computer systems
  • Reduce paper forms and documents through increased web access to this information
  • Centralize files
  • Retain copies of critical files and documents in off-site storage
  • Implement measures to ensure unauthorized persons cannot access University computer systems when they are left unattended
  • Avoid using Social Security numbers as the primary identification number

E. Safeguards Reviews and Updates

Individuals responsible for coordinating this Plan will conduct periodic reviews of this Plan to ensure federal compliance, review current safeguards, and incorporate new safeguards that are adopted for implementation.



III. EMPLOYEE EDUCATION AND TRAINING

A. Brochure - Information Security Guidelines

An electronic brochure entitled The Gramm-Leach-Bliley Act: Information Security Awareness Training has been produced by Information Technology Services to advise employees of their responsibility to protect constituent information and university computer systems from unauthorized access and compromises.

B. Departmental Procedures

Departments that process or maintain constituent information are responsible for conducting training for employees who handle such information in the course of their job duties. This training should include physical handling and disposition of non-electronic documents containing constituent information as well as proper procedures to follow in processing and storing electronic information and documents.



IV. OVERSEEING SERVICE PROVIDERS

The University will take reasonable steps to select and retain service providers who maintain appropriate safeguards for constituent information. The University Procurement Office will take steps to ensure that all relevant contracts include a privacy clause and are in compliance with the GLBA.



V. INFORMATION SYSTEMS

The FTC defines information systems as including network and software design, and information processing, storage, transmission, retrieval, and disposal. Guidelines on how to maintain security throughout the life cycle of constituent information, from data entry to data disposal, are as follows:

A. Storage of Physical and Electronic Records

  • Store records in secure areas and make sure that only authorized employees have access to these areas
    Current and proposed additional safeguards would meet these guidelines.

B. Secure Data Transmission

  • Provide for secure data transmission when collecting or transmitting constituent information
    Current and proposed additional safeguards would meet these guidelines.

C. Disposal of Sensitive Information

  • Dispose of constituent information in a secure manner
    Current and proposed additional safeguards would meet these guidelines.

D. Oversight and Audit Procedures

  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of constituent information
    Current and proposed additional safeguards would meet these guidelines.

E. Inventory and Security Reviews of Computer Systems

  • Maintain inventories of all computer systems and conduct security reviews on an annual basis
    Current and proposed additional safeguards would meet these guidelines.



VI. MANAGING SYSTEM FAILURES

A. Prevention, Detection and Response to Attacks, Intrusions or Other System Failures

  • Maintain up-to-date and appropriate programs and controls through:
    • Computer security incident response plans
    • Installing security patches on computer systems
    • Using antivirus software that updates automatically
    • Using firewalls where appropriate
    • Centrally managed intrusion detection systems

Current safeguards, as well as existing Augusta State University Information Security programs and procedures, meet these guidelines.

B. Preservation of Security and Integrity of Sensitive Data in the Event of System Failures

  • Back up all constituent and financial data regularly
    Current and proposed additional safeguards meet this guideline.

C. Prevention of Unauthorized Access to Sensitive Data

  • Maintain systems and procedures to ensure that access to nonpublic constituent information and financial data is granted only to legitimate and valid users
    Current and proposed additional safeguards meet this guideline.

D. Notification and Reporting in the Event of Sensitive Data Compromises or Loss

  • Notify constituents promptly if their nonpublic personal information is subject to loss, damage, or unauthorized access
  • University departments are responsible for notifying their constituents in the event that inadvertent disclosures occur.


Last Modified: June 20, 2006 by NBH
