GRAMM- LEACH- BLILEY ACT INFORMATION SECURITY PROGRAM: SUGGESTED TO DO LIST

  

_____  Assess which departments have GLBA nonpublic financial information.

• Staff/Administrative Departments
• Financial Aid
• Alumni Development Office
• Credit Card Affiliations, if applicable (in which the institution lend credit to the cardholder)
• Human Resources/Benefits
• Admissions Office / Registrar
• Athletic Departments (scholarships)

 

_____  Evaluate the departments’ current confidentiality policies and procedures. 

** Consider whether the current policies & procedures may be incorporated into the GBLA Program without significant revision keeping in mind that the rule provides that the Program may consist of several documents provided that they are all accessible and compiled in one place by the Program Coordinator(s).

• Which employees have access?  
• What and/or how much do they have access to?
• How do they protect it (electronic records vs. paper documents)?
• In filing cabinets?
• While in use (hard copy files and electronic records)

 

_____  Designate an Information Security Plan Coordinator (or Co-coordinators)

 

_____  Identify Third-Party Service Providers

• Which service providers have access to GLBA covered information?
• Review contracts of those service providers to discover what language they contain.
• If necessary, consult the TBR Office of General Counsel for form “amendments” to give to the service providers stating that they will comply with the GLBA safeguarding rule in their handling of the institution’s customers’ nonpublic financial information.

 

_____  Identify “reasonably foreseeable internal and external risks” to disclosure of customers’ nonpublic financial information.

• Hard copies (current/in use & storage)
• Electronic copies (storage & transmission)

     _____ Develop a training program (in conjunction with Human Resources) 

·         Determine frequency of training

·         Determine who gets trained

·         Employees with regular access to customers’ nonpublic financial information (at a minimum)

·         Departmental heads / All employees (optional )

     _____  Implement safeguards

• Hard copies (current/in use)
• Limiting access
• Locked filing cabinets as appropriate
• Hard copies (storage)
• Stored by institution (ensure method is secure)
• Stored by service provider (contract amendments)
• Electronic copies
• Stored on local  server and / or diskettes
• Transmitting documents
• Email – content

 

                     _____ Develop methods to detect and prevent security breaches

• Consider developing an incident response system to record breaches / failures to the safeguard measures in the Security Information Program

 

_____  Suggested Frequency of Periodic Evaluations/Risk Assessments

·         Computer/Technology Risk Assessment – Bi-annually (includes monitoring and testing)

·         Data access procedures – Annual

·         Employee training program – Annual

·         Overall Information Security Program– Annual