Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm-Leach-Bliley Act, 15 U.S.C. 6801-6809
GLBA/HIPAA Information Security Program Committee
GLBA Safeguards Rule Training, Rev. 11/30/2016

Objectives for GLBA Training
- GLBA Overview
- Safeguards Rule
- Additional Resources
- GLBA Definitions

What is GLBA?
The Gramm-Leach-Bliley Act (GLBA) is a comprehensive federal law affecting financial institutions. The law requires financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer information. The Federal Trade Commission (FTC) enforces compliance with GLBA and may bring an administrative enforcement action against any financial institution for non-compliance.

What is GLBA?
Purdue University significantly engages in student loan making and provides other financial services to student customers. As such, Purdue falls within the definition of a financial institution under the GLBA and must comply with the law's requirements. Financial Institution means any institution the business of which is engaging in financial activities.

What is GLBA?
Examples of Purdue University financial products and services covered under GLBA:
- Student loans, including receiving application information and the making and servicing of such loans
- Financial advisory services (very limited at Purdue)
- Collection of delinquent loans
- Check cashing services
- Tax planning (very limited at Purdue)
- Obtaining information from a consumer report
- Career counseling services for those seeking employment in finance, accounting, or auditing

What is GLBA?
The GLBA is composed of several parts, including the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314).

GLBA Privacy Rule
The FTC has officially stated that any college or university that complies with the Federal Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g) and that is also a financial institution subject to the requirements of GLBA shall be deemed to be in compliance with GLBA's privacy rules if it is in compliance with FERPA (16 CFR 313.1).

GLBA Safeguards Rule
The FTC has not made a similar exception for institutions of higher education with respect to the Safeguards Rule. The Safeguards Rule requires all financial institutions to develop an information security program designed to protect customer information. Purdue University must comply with the Safeguards Rule.

GLBA Safeguards Rule
The objectives of the Safeguards Rule are to:
- Insure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

GLBA Safeguards Rule
Information Security Program means the administrative, technical, or physical safeguards used by a financial institution to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. Under Purdue's Information Security Program, each GLBA-covered department must assume responsibility for assuring that adequate safeguards are in place within its area of responsibility.

GLBA Safeguards Rule
The Information Security Program must include:
- Designation of staff to coordinate the safeguards program
- Identification and assessment of risks in each relevant area of the operation, and an evaluation of the effectiveness of current safeguards
- Design and implementation of a safeguards program, including regular monitoring and follow-up
- Selection of appropriate service providers, including contract language designed to protect customer information handled by third-party service providers
- Evaluation and adjustment of the program in light of relevant circumstances and changes in business

GLBA Safeguards Rule
There are three types of safeguards that must be considered when a Purdue department implements safeguards to protect the security, confidentiality, and integrity of customer information:
- Administrative Safeguards
- Technical Safeguards
- Physical Safeguards

GLBA Safeguards Rule
Administrative Safeguards include developing and publishing policies, standards, procedures, and guidelines, and are generally within the direct control of a department. Examples include:
- Reference checks for potential employees
- Confidentiality agreements that include standards for handling customer information
- Training employees on the basic steps they must take to protect customer information (see later slide)
- Assuring that employees are knowledgeable about applicable policies and expectations
- Limiting access to customer information to employees who have a business need to see it
- Imposing disciplinary measures where appropriate

GLBA Safeguards Rule
Physical Safeguards are generally within a department's control and include:
- Locking rooms and file cabinets where customer information is kept
- Using password-activated screensavers
- Using strong passwords
- Changing passwords periodically and not writing them down
- Encrypting sensitive customer information in transit and at rest
- Referring calls or requests for customer information to staff trained to respond to such requests
- Being alert to fraudulent attempts to obtain customer information, and reporting these to management for referral to appropriate law enforcement agencies

GLBA Safeguards Rule
Physical Safeguards also include:
- Ensuring that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods
- Storing records in a secure area and limiting access to authorized employees
- Disposing of customer information appropriately:
  » Designate a trained staff member to supervise the disposal of records containing customer personal information
  » Shred or recycle customer information recorded on paper, and store it in a secure area until the confidential recycling service picks it up
  » Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contains customer information
  » Promptly dispose of outdated customer information according to record retention policies

GLBA Safeguards Rule
Technical Safeguards include the configuration of computing infrastructure and are generally the responsibility of centralized or departmental/zone IT computing staff. Departments should be knowledgeable regarding how their digital customer information is safeguarded. If additional technical controls are warranted, departments should work with IT staff to improve safeguards. Departments are also responsible for alerting IT staff to the existence of customer information on networks.

GLBA Safeguards Rule
Technical Safeguards include:
- Storing electronic customer information on a secure server that is accessible only with a password (or has other security protections) and is kept in a physically secure area
- Avoiding storage of customer information on machines with an Internet connection
- Maintaining secure backup media and securing archived data
- Using anti-virus software that updates automatically
- Obtaining and installing patches that resolve software vulnerabilities
- Following written contingency plans to address breaches of safeguards
- Maintaining up-to-date firewalls, particularly if the institution uses broadband Internet access or allows staff to connect to the network from home
- Providing central management of security tools and keeping employees informed of security risks and breaches

GLBA Safeguards Rule
In addition to developing their own safeguards, financial institutions are responsible for taking steps to ensure that their affiliates and service providers safeguard the customer information in their care.
Affiliate means any company that controls, is controlled by, or is under common control with another company.
Service Provider means any person or entity that receives, maintains, processes, or otherwise is permitted to access customer information through its provision of services directly to a financial institution.

PUID
Purdue University uses the PUID as a unique identifier in many business transactions. The PUID is classified as sensitive University data and must be protected as such under the data handling guidelines. Information about the PUID is available at: https://www.purdue.edu/apps/account/iamo/purdue_puid.jsp

Resources
- GLBA/HIPAA Information Security Program Committee: http://www.purdue.edu/securepurdue/programs/index.html
- Many of Purdue's existing IT policies address some of the compliance issues raised in the GLBA Safeguards Rule: http://www.purdue.edu/policies/information-technology/
- Purdue Social Security Number policy: http://www.purdue.edu/policies/information-technology/viib7.html
- All Purdue policies: http://www.purdue.edu/policies/

Resources
- SecurePurdue website for links to information security policies, standards, and best practices: http://www.purdue.edu/securepurdue/bestpractices/
- SecurePurdue website for links on identity theft and identity protection: http://www.purdue.edu/securepurdue/bestpractices/theft.html
- University Data Handling Classifications and Guidelines: http://www.purdue.edu/securepurdue/bestpractices/dataclass 1.html

Resources
Additional guidance regarding GLBA is available at: http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

Resources
Additional questions?
- Contact your manager for specific procedural questions in your area.
- Contact IT Security & Policy for information regarding risk assessments, educational materials, and questions about computer security at itap-securityhelp@purdue.edu
- Contact Purdue's Chief Information Security Officer for questions about the GLBA/HIPAA Program Committee.

GLBA Definitions

GLBA Definitions
Customer Information is any record containing non-public personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates.

GLBA Definitions
GLBA applies to customer information obtained in a variety of situations, including:
- Information provided to obtain a financial product or service;
- Information about a customer resulting from any transaction involving a financial product or service between the institution and a customer;
- Information otherwise obtained about a customer in connection with providing a financial product or service to the customer.

GLBA Definitions
Non-Public Personal Information means personally identifiable financial information that is:
- Provided by a consumer to a financial institution;
- Resulting from any transaction with the consumer or any service performed for the consumer; or
- Otherwise obtained by the financial institution.
The term also includes any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

GLBA Definitions
Examples of Non-Public Personal Information (NPI) include:
- Social Security Number (SSN)
- Financial account numbers
- Credit card numbers
- Date of birth
- Name, address, and phone numbers when collected with financial data
- Details of any financial transactions