Purpose

The Federal Trade Commission (FTC) requires financial institutions to establish policies and procedures for safeguarding customer financial information by complying with the Gramm-Leach-Bliley Act (GLBA).  The GLBA also includes specific requirements regarding the privacy of customer financial information.  The FTC has ruled that being in compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirement of the GLBA, but does not satisfy the safeguarding provisions.  This procedure focuses on the safeguarding of customer information.

Objectives

  1. Ensure the security and confidentiality of customer/student records and information
  2. Protect against any anticipated threats to the security or integrity of such records
  3. Protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer

Risk Assessment

The following is a list of threats to customer financial information that will be mitigated through the implementation of this plan:

  1. Unauthorized access to data through software applications
  2. Unauthorized use of another user’s account and password
  3. Unauthorized viewing of printed or computer displayed financial data
  4. Improper storage of printed financial data
  5. Unprotected documentation usable by intruders to access data
  6. Improper destruction of printed material

Financial Information Security Plan

  1. Electronic access to customer financial information is protected by at least two levels of usernames and passwords: domain logins (Microsoft active directory) and logins tied to specific databases.
  2. Servers containing sensitive financial data are protected by local firewall as well as an additional security gateway server with firewall which includes intrusion protection/prevention.
  3. Individual computers are secured with a comprehensive, up-to-date anti-virus and malware software solution with ransomware protection.
  4. Passwords are not to be shared by other users.
  5. Access to financial customer information on the network is restricted to certain workstations in the administration offices and is safeguarded with access rights granted by the IT department and the campus database administrator to only the files relevant to that user for his/her work.
  6. All users must log off their computers when they are away from their work area.
  7. Computers used to display financial information are not to be left unattended with that information still displayed.
  8. Placement of computers is to be done in such a way as to prevent casual viewing by unauthorized personnel.
  9. Access to administrative areas as well as server/data storage is secured by only giving authorized individuals keys to the exterior door. A key request form must be completed by the employee and approved by the relevant administrative supervisor before the Physical Plant Office gives a key to the individual.   Lost or stolen keys are to be reported to the relevant supervisor and the Physical Plant Office.
  10. Printed copies of financial information are to be handled only by authorized personnel and kept in areas with restricted access.
  11. Printed copies of financial information are not to be left in the open on desks when desks are unattended for extended periods of time.
  12. Printed documentation is kept in lockable file cabinets in the Business Office area and the exterior door to the Business Office is locked during non-business hours.
  13. Printed copies of financial information are shredded when no longer needed.
  14. Calls or requests for information are referred to responsible individuals who are aware of and who have been trained in the above protocols.
  15. Fraudulent attempts to obtain information will be reported to the business office and/or IT office as applicable.
  16. Disciplinary measures, up to and including termination, may be imposed for breaches of this plan.

Training of Staff

Training for new staff will include an explanation of the purpose of the GBLA and a copy of this plan. Each staff member will sign that he/she has received a copy of this plan and that he/she understands his/her responsibilities under this plan.  This statement will be filed in the Business Office.  In addition, all other applicable protocols, as mentioned above, must be completed before access is granted to customer financial data.