Information Security Program
The Gramm-Leach-Bliley Act (GLB), or Financial Modernization Act of 1999, includes protections for the privacy of consumers’ confidential financial information held by financial institutions. In 2003, higher education institutions were determined by the Federal Trade Commission to be financial institutions under federal law. The Safeguards Rule of the GLB Act requires institutions to implement a written, comprehensive information security program protecting consumer records.
The Connecticut Department of Higher Education (DHE), to the extent that it engages in certain financial transactions and the collection of confidential financial information (CFI) in its administration of student aid and other federal and state programs, has determined that it is subject to the Safeguards Rule of the GLB Act, as advised by the Office of the Attorney General for the State of Connecticut.
The GLB Safeguards Rule requires the Department of Higher Education to develop standards for administrative, technical and physical security procedures for certain information. Such standards will: “ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.” (16 CFR Part 314)
GLB Act Safeguards Requirements
In order to accomplish these objectives, GLB requires the following:
• Designate one or more employees to coordinate the Information Security Program;
• Assess risks to the security of customer information;
• Design and implement safeguards to address risks, and test and monitor their effectiveness over time;
• Adjust the program to address developments.
The Connecticut Department of Higher Education has reviewed its current security standards and will ensure compliance with the provisions of the GLB Safeguards Rule related to the administrative, technical and physical safeguarding of customer information. The Department’s security program takes into account DHE’s size and complexity, the nature and scope of its activities, and the sensitivity of its customer information.
The Information Security Program Committee (ISPC), appointed by the Commissioner and under the supervision of the Associate Commissioner for Finance and Administration, is charged with coordinating the Department’s Information Security Program (ISP). The ISPC is responsible for risk assessment, design, implementation and adjustment of safeguarding policies and procedures, and for employee training. It is imperative that all staff members within DHE understand and maintain the ISP within their specific area of operation.
DHE recognizes that it has both internal and external risks. These risks include, but are not limited to:
• Unauthorized access to CFI within DHE records by employees or others
• Unauthorized requests for access to DHE records
• Interception of data during transmission
• Loss of data in a disaster
• Corruption of data or systems
• Misplacement or loss of paper records
• Compromise of data from disposal of records
• Unauthorized or unintended disclosure of electronic or printed CFI
At least annually, DHE will conduct an assessment of all areas of operation for potential risks and evaluate the precautions currently in place. Areas will include: employee training and management; information systems, including network and software design; information processing, storage and disposal; and detecting, preventing and responding to attacks, intrusions or other system failures. The ISP will be modified based upon the findings of these assessments.
Design and Implementation of a Safeguarding Program
DHE’s ISP includes four categories of safeguards:
A. Employee Training and Management
All Department employees will receive training in data privacy and security at least annually, and all employees are required to sign the Department’s Confidentiality Agreement. Associate Commissioners, Directors, Associate Directors and other program managers of activities and systems that utilize CFI must be especially vigilant in ensuring that their employees understand and have adequate training in data privacy and security. Each new employee will receive appropriate training regarding the importance of information security during orientation, including the proper use of computer information and passwords. Appropriate training includes controls and procedures to prevent employees from providing CFI to unauthorized parties, and methods for the proper disposal of documents containing CFI.
At least annually, each department within DHE will provide training to all employees to remind them of the importance of data security and to ensure that the safeguarding procedures and controls are followed. Training activities may be modified on a department basis, depending on the risks perceived, scope and types of activities, and access to confidential customer information within each department.
In the case of temporary workers, a supervisor will provide adequate training regarding the identification and protection of CFI to protect against disclosure.
B. Information System Security
Access to CFI through DHE information systems and networks is limited to individuals who have a legitimate business reason to access such information and who are authorized by the Commissioner. Access controls are implemented at the user, application, system and network layers to ensure that access to CFI is granted consistently with regulations, DHE’s ISP and other acceptable use policies.
DHE will take reasonable and appropriate steps, consistent with the ISP, current technological capabilities and industry recognized “best practices,” to ensure that all confidential customer information is stored, accessed, processed and transmitted as securely as possible and to safeguard the confidentiality, integrity and authorized availability of any and all records.
These steps include but are not limited to:
• Maintaining the network- and host-based integrity of systems through consistent and timely updates and patches;
• Utilization of anti-virus software, where appropriate;
• Routinely monitoring system health and availability;
• Routinely monitoring and mitigating the risks associated with known network- and host-based vulnerabilities, as well as monitoring and responding to network- and host-based threats;
• Ensuring separation of privileges with regard to confidential customer information access; and
• Documented and controlled incident response and escalation processes.
All CFI is maintained on secured hosts behind DHE firewalls. To the extent reasonably available, encryption technology will be utilized for both storage and transmission of all confidential customer information. Routine audits and system tests will be performed to ensure that safeguards are in place and effective.
C. Physical Security of Paper Records
Only employees who have a business reason to access CFI and who have been authorized by the Commissioner will have access to any physical paper records. All physical records will be kept in a locked office or in locked files as reasonable. The files will be locked each night at a minimum. Sound business practice dictates that the files also will be locked whenever an authorized employee is not present with the files.
D. Disposal of Records
DHE will only keep physical paper records and electronic documents for as long as they are being actively used by the Department, or as necessary to comply with state or federal law, audit compliance guidelines, or the State of Connecticut policy for record retention.
Paper documents that are no longer required to be kept by DHE will be shredded at the time of disposal. Electronic documents will be deleted and magnetic media will be erased.
Review and Revision of Information Security Program
GLB mandates that this program be subject to periodic review and adjustment. Because the technology underlying information resources is constantly evolving, DHE is expected to continuously monitor that technology and make adjustments as necessary to preserve the security of the infrastructure. The remainder of the processes required by this program will be reassessed by the ISPC at least annually.
Rev 1.0 1/5/07