Pursuant to BPM 110, the Curators of the University of Missouri will protect, to the extent reasonably possible, the privacy, security, and confidentiality of personally identifiable financial records and information(1).
This program applies to all personally identifiable financial records and information regardless of where it resides and covers employees and all other individuals or entities using these records and information for any reason. This program also establishes an expectation that members of the university community act in accordance with this program, relevant laws, contractual obligations, and the highest standards of ethics.
The goals for this program are as follows:
- To ensure employees have access only to the relevant data needed to conduct university business;
- To ensure the security and confidentiality of customer(2) records and information;
- To safeguard and prevent unauthorized access to personally identifiable financial records and information maintained by the university;
- To comply with existing university policies, standards, guidelines and procedures; and
- To comply with applicable federal, state and local regulations.(3)
The Gramm-Leach-Bliley (GLB) Act (4) requires financial institutions to take steps to ensure the privacy, security and confidentiality of customer records. Because higher education institutions engage in financial activities, such as making Federal Perkins Loans, Federal Trade Commission (FTC) regulations consider them financial institutions for GLB Act purposes.
The GLB act dictates several specific requirements regarding the privacy of customer financial information. Under the regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provision of the GLB Act if they are in compliance with the Family Educational Right and Privacy Act (FERPA). However, higher education institutions are subject to the Safeguards Rule of the Act related to the administrative, technical, and physical safeguarding of customer information.
The Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA)(5) requires financial institutions to develop and maintain a security plan to protect the confidentiality and integrity of personal information. The university’s program seeks to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. This program, originally developed in 2003, set forth a plan to assess existing risks to customer information including ways to manage and control the existing risks, and to monitor third-party outsourcing arrangements to ensure compliance with university policies and procedures.
In 2008, the Vice President for Information Technology revised this program through the development and implementation of a comprehensive Information Security Program(6) applicable for all university entities. This program is intended to address relevant information assets across the system to ensure that appropriate safeguards are in place. The goals of the information security program are to:
- Protect the university's IT systems and information assets from unauthorized access, alteration, disclosure or destruction.
- Ensure the reliability and availability of the university's IT systems and information assets.
- Ensure the privacy of faculty, staff and student information and that of other university customers or associates.
- Identify and prevent identity theft.
- Protect the reputation of the university and ensure compliance with federal and state laws and regulations.
- Establish resources and guidelines that allow all individuals within the university community to practice good data stewardship.
The GLBA Program is a component of the Information Security Program(7).
The following definitions apply to this program:
Customer: an individual who has obtained a financial product or service from the university to be used primarily for personal, family or household purposes and who has a continuing relationship with the university. Examples of activities which create customer relationships with the university could include obtaining a loan from the university or having a loan for which the university has servicing rights or responsibility.
Customer Information: non-public personal information about an individual who has obtained a financial product or service from the university for personal, family or household reasons, that results in a continuing relationship with the university. Examples would be any extension of credit by the university for household, personal or family purposes, such as an extension of credit for tuition, fees, housing, medical services, etc; the making and/or servicing of loans and/or financial aid. These situations are subject to GLB, even if the individual ultimately is not awarded any financial aid or provided with a credit extension, in which case their non-public personal information would still be protected under GLB.
Information Security Program(8): A program developed, maintained and enforced by the office of the Vice President for Information Technology to ensure that the information assets of the university are maintained securely.
any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its direct provision of services to the university.
Workplace Information Security Manual (WISM): A checklist which GLBA affected departments must complete, designed to identify and correct weaknesses in the area of information security within a given department or workplace.
- Employee Responsibilities and Access:
The following restrictions apply to all personally identifiable financial records and information maintained by the university and are meant to safeguard the security of these records and to maximize the integrity of the information. University employees are responsible for ensuring that, within their areas of responsibility, appropriate enforcement of the GLB program will be maintained.
- University employees are granted access to those data and information resources required to carry out the responsibilities of their position and may not access additional resources without authorization (in other words, employees may not access customer information unless they have a need to know that information to perform their job duties).
- Access is determined based on the duties and responsibilities of each position and each employee is responsible for protecting their means of access from misuse. (for example, employees must not share their user name/password(s) with anyone else, or allow others to have access to their keys, etc.).
- Employees shall not knowingly alter, destroy, or misuse customer information.
- Employees must ensure that any release of customer information is conducted in an appropriate and secure manner (for example, employees should not release customer information without verifying the identity of the person(s) requesting the information, employees should use password protected file attachments and/or encrypted emails when transmitting confidential information, etc.).
- Security Requirements:
Personally identifiable financial records and information, regardless of where it resides, must be maintained in a physically secure location with controlled access.
Centralized and departmental computers and servers must have the appropriate level of physical and electronic security. The level of such security measures depends on the sensitivity of the data they process. The security measures implemented must be in compliance with the requirements of the UM Information Security Program(9).
- Audit Requirements:
Each department subject to this program must perform an annual risk assessment by completing the Workplace Information Security Manual (WISM). The manual must be completed within the first quarter of every calendar year and submitted no later than March 31st.
The completed WISM must be returned to the appropriate designated business unit’s Gramm-Leach-Bliley (GLB) representative. The GLB representative will review the WISM for completeness and accuracy and will forward the manual to the UM System GLB Coordinator.The UM System Coordinator and the UM Chief Information Security Officer (CISO) will be responsible for reviewing each completed WISM and will identify unresolved security risks that departments must address.
- Program Administration:
Responsibility for developing, implementing and updating this program lies with the Gramm-Leach-Bliley (GLB) committee members. The committee consists of a UM System Coordinator, appointed by the Vice President for Finance, and a representative from the Office of the Vice President for Information Technology. A representative from the Office of the General Counsel shall serve as an ex officio member of the GLB Committee. The committee also includes individuals appointed by the chancellors of each campus or their respective designees.
GLB committee members are responsible for completion of the annual risk assessment for their respective business unit(s) and for ensuring appropriate training resources are available to university departments. The UM System Coordinator will report to the Vice President for Finance at least annually on the status of the program.
- Committee Members.
Gramm-Leach-Bliley (GLB) committee members are responsible for the implementation of the GLB activities. Campus GLB committee members are the primary point of contact for department administrators. The UM system coordinator is responsible for coordinating the activities system-wide, working with Counsel and the CISO.
- Training Requirements.
Each department subject to this program must complete the required GLB training. Department heads are responsible for ensuring that personnel are appropriately trained.
Information security awareness training is also required for all staff working in GLBA affected offices. Training can be obtained by contacting the Information Security Officer (ISO) at each business unit. A listing of the ISOs can be found at http://infosec.missouri.edu/admin/iso.html.
- Service Provider Arrangements:
In the event the university contracts with a service provider to perform an activity in connection with any personally identifiable financial records and information, the University will take the following steps to ensure that the service provider performs its contracted activities in a secure manner:
- Require that service providers have reasonable policies and procedures in place to insure the security and confidentiality of customer records and information ; and
- Require by contract, that all contracts with service providers contain language requiring the service providers to implement appropriate measures designed to ensure that customer information is kept confidential and that it is only used for the purposes set forth in the contract.
Any exceptions to this program must be approved by the president upon the recommendation of the Vice President for Information Technology and the Vice President for Finance. Questions regarding this program should be referred to the UM System Coordinator or the UM Chief Information Security Officer.