Policy Title: Gramm-Leach-Bliley Act (GLBA) Policy
Policy Number: 7.1
____________________________________________________________________________________
Purpose:
This GLBA Policy (this Policy) summarizes the College’s comprehensive written information security program (the Program) mandated by the Federal Trade Commission’s (FTC) Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA).
In particular, this Policy describes the Program elements by which the College (i) ensures the confidentiality, integrity, and availability of covered records; (ii) protects against anticipated threats or hazards to the security of such records; and (iii) protects against the unauthorized access or use of such records that could result in substantial harm or inconvenience to the College or associated individuals. The Program incorporates by reference the College’s policies and administrative regulations enumerated below and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, the Family Educational Rights and Privacy Act (FERPA).
Definitions
Capitalized terms not defined in this Policy have the meaning set forth in the Board Policy 7.0 Information Security.
- Customer Information
Means any record containing Nonpublic Personal Information about a customer of a financial institution, whether in paper, electronic, or other form, which is handled or maintained by or on behalf of the College or its affiliates. In the case of the College, students are considered “customers.”
- Encryption
Means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.
- Information Security Program
Means the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Customer Information.
- Information System
Means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing Customer Information or connected to a system containing Customer Information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains Customer Information or that is connected to a system that contains Customer Information.
- Multi-factor Authentication
Means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.
- Nonpublic Personal Information
Means: (i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
- Penetration Testing
Means a test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside College Information Systems.
- Security Event
Means an event resulting in unauthorized access to, or disruption or misuse of, an Information System, information stored on such Information System, or Customer Information held in physical form.
- Service Provider
Means any person or entity that receives, maintains, processes, or otherwise is permitted access to Customer Information through its provision of services directly to the College.
Scope:
The Program applies to Nonpublic Personal Information about a customer of the College contained in any record, whether in paper, electronic, or other form, which is handled or maintained by or on behalf of the College or its affiliates. For these purposes, the term Nonpublic Personal Information shall mean any information: (i) a student provides in order to obtain a financial service from EWC, (ii) about a student or other third party resulting from any transaction with EWC involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
Policy:
The College will protect, to the extent reasonably possible, the privacy, security, and confidentiality of personally identifiable financial records and information. This Policy applies to all personally identifiable financial records and information and covers Personnel, Contractors, and all other individuals or entities using these records and information for any reason. This Policy also establishes an expectation that members of the College community act in accordance with this Policy, relevant laws, contractual obligations, and the highest standards of ethics.
Elements of the Program:
- Designation of Representatives: EWC’s Chief Information Officer (CIO) is designated as the Program Officer who shall be responsible for coordinating and overseeing the Program. The Program Officer may designate other representatives of EWC to oversee and coordinate particular elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the Program Officer or his/her designees.
- Risk Identification and Assessment. EWC recognizes that it is exposed to both internal and external risks including, but not limited to:
- Misuse or unauthorized access of Nonpublic Personal Information
- Compromised system security
- Interception of data during transmission
- Loss of data and data integrity
EWC, as part of the Program, will undertake to identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of Nonpublic Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and assess the sufficiency of safeguards in place to control those risks. The risk assessment will be written and will include criteria for evaluating risks and threats. In implementing the Program, the Program Officer will establish procedures for identifying and assessing such risks in each relevant area of EWC’s operations.
The Program Officer shall periodically perform risk assessments that reexamine the reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of Nonpublic Personal Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and reassess the sufficiency of any safeguards in place to control those risks.
- Design and Implement Safeguards. The risk assessment and analysis described above shall apply to all methods of handling or disposing of Nonpublic Personal Information, whether in electronic, paper or other form. The Program Officer will, on a regular basis, design and implement safeguards to control the risks identified through such assessments by:
- Implementing and periodically reviewing access controls. EWC will determine and periodically reevaluate who has access to Customer Information and whether each such authorized user has a legitimate business need for it.
- Knowing what EWC has and where it is. EWC will conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
- Encrypting Nonpublic Personal Information in transit and at rest. EWC will protect data classified as confidential and highly sensitive as defined in the Information Classification Administrative Regulation by encrypting it in transit and at rest.
- Assessing applications. EWC will, to the extent applicable, adopt secure development practices for developing its own applications to store, access, or transmit Nonpublic Personal Information and implement procedures for evaluating the security of third-party applications EWC utilizes to transmit, access, or store Nonpublic Personal Information.
- Implementing Multi-factor Authentication for users authorized to access Nonpublic Personal Information on the College’s systems.
- Disposing of Nonpublic Personal Information securely. EWC will dispose of Nonpublic Personal Information no later than two years after the most recent use of it to serve the customer, unless a longer retention period is required by the State of Wyoming Document Retention Schedule or other applicable law. The Program Officer or his/her designee will periodically review EWC’s data retention schedule to minimize the unnecessary retention of data.
- Anticipating and evaluating changes to EWC’s system or network. EWC’s change management procedure is designed to provide a safe and orderly process for making changes that may affect EWC’s systems and networks.
- Maintaining a log of Authorized Users’ activity and detecting unauthorized access. EWC will implement procedures and controls to monitor when Authorized Users are accessing systems that contain Nonpublic Personal Information and to detect unauthorized access.
- Monitor and Test Safeguards. EWC will regularly test its procedures for detecting actual and attempted attacks.
For Information Systems, testing may be accomplished through continuous monitoring of the system and/or through annual Penetration Testing, as well as vulnerability assessments, including system-wide scans every six (6) months designed to test for publicly known security vulnerabilities.
In addition, EWC will conduct testing of its environment whenever there are material changes to its operations or business arrangements and whenever there are circumstances EWC knows or has reason to know may have a material impact on the College’s Program.
- Train Staff. EWC will ensure its staff are able to enact its Program by:
- Providing security awareness training that is updated as necessary to reflect risks identified by the risk assessment; (Security Awareness Training Policy)
- Utilizing qualified information security personnel either employed by EWC or an affiliate or Service Provider sufficient to manage its security risks and to perform or oversee the Information Security Program;
- Providing information security personnel with security updates and training sufficient to address relevant security risks; and
- Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
- Oversee Service Providers. Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be needed to provide resources that EWC determines not to provide on its own.
The Program Officer will coordinate with those responsible for the third-party service procurement activities among the IT Department and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those Service Providers that are capable of maintaining appropriate safeguards for Nonpublic Personal Information of students and other third parties to which they will have access.
In addition, the Program Officer will work with EWC’s legal counsel and/or other designated institutional officials to develop and incorporate standard, contractual protections applicable to third-party Service Providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of EWC legal counsel and/or other designated institutional official.
The Program Officer will periodically assess third-party Service Providers based on the risk they present and the continued adequacy of these safeguards.
- Adjustments to Program. The Program Officer is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to EWC’s operations or other circumstances that may have a material impact on the Program.
- Create a Written Incident Response Plan. The Program Officer shall oversee the development of a written incident response plan designed to promptly respond to, and recover from, any Security Event potentially resulting in unauthorized access to or misuse of information stored on EWC’s systems or maintained in physical form.
The incident response plan will address the following areas:
- The goals of the plan;
- The internal processes for responding to a Security Event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside EWC;
- A process to fix any identified weaknesses in EWC’s systems and controls;
- Procedures for documenting and reporting security events and EWC’s response; and
- The evaluation of the Security Event and a revision of the incident response plan and Program based on what is learned.
- Program Officer to report to Board of Trustees. The Program Officer will at least annually provide a written report to the EWC Board of Trustees that will include: 1) an overall assessment of EWC’s compliance with its Information Security Program, and 2) specific topics related to the Program, including risk assessment, risk management and control decisions, Service Provider arrangements, test results, Security Events and how EWC responded, and recommendations for changes in the Information Security Program.
References:
Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801-6809, §§ 6821-6827
Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99
Revision History:
Original Adoption Date: 11/09/21
Revision Date(s): 12/12/23
Date Reviewed, no change: