Policies

Oct 18, 2024

1051 Gramm-Leach-Bliley Act Required Information Security Program Policy



It shall be the policy of the Bay de Noc Community College Board of Trustees that Bay College maintains the security of information that Bay de Noc Community College (“Institution”) obtains as a result of providing a financial service to a student, past or present, and that is handled by or on behalf of the Institution or its affiliates. This policy summarizes the Institution’s comprehensive written Information Security Program (“Program”) as required by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”).

Procedure:


1051.1 Designation of Representatives


The Institution’s Director of Information Technology is designated as the Program Officer who shall be responsible for coordinating and overseeing the Program. The Program Officer may designate other qualified representatives of the Institution to oversee and coordinate elements of the Program. The President is responsible for direction and oversight of the Program Officer.

1051.2 Risk Identification and Assessment


The Institution intends the Program to be based on identification and assessment of reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of Nonpublic Financial Information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. The Institution’s written risk assessment includes:

  1. criteria for the evaluation and categorization of identified security risks or threats;
     
  2. criteria for the assessment of confidentiality, integrity, and availability of the Institution’s information systems and Nonpublic Financial Information; and
     
  3. requirements describing how identified risk will be mitigated or accepted based on the risk assessment and how the Program will address the risks.

In implementing the Program, the Program Officer will establish procedures for identifying and assessing such risks, including implementation of safeguards to control the risks identified through assessment, in each relevant area of the Institution’s operations, including: 

  • Employee training and management.  The Program Officer will coordinate with Institution representatives to evaluate the effectiveness of the Institution’s procedures and practices relating to access to and use of protected records to ensure that personnel are able to enact the information security program by implementing policies and procedures as follows:
    • Provide personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
    • Utilize qualified information security personnel employed by the Institution or an affiliate or service provider sufficient to manage information security risks and to perform or oversee the information security program;
    • Provide information security personnel with security updates and training sufficient to address relevant security risks; and
    • Verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
  • Information Systems and Information Processing and Disposal.  The Program Officer will coordinate with all relevant departments to assess the risks to Nonpublic Financial Information associated with the Institution’s information systems, including network and software design, information processing, and the storage, transmission, and disposal of protected information.  This evaluation will include the following:
    • Identifying and managing the data, personnel, devices, systems, and facilities that enable the Institution to achieve business purposes in accordance with their relative importance to business objectives and risk strategy;
    • Review of the Institution’s policies:
      • Reporting a Security Breach 1050.3
      • Internet and IT Resources Acceptable Use 1050.5
      • Record Retention and Disposal Policy 1071

The Program Officer will also coordinate assessment of procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws. 

  • Detecting, Preventing and Responding to Attacks.  The Program Officer will coordinate with all relevant departments to evaluate procedures for and methods of detecting, preventing, and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies.  The Program Officer may opt to delegate to a representative of the Information Technology Department the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by the Institution. 

The Program Officer will periodically coordinate additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Nonpublic Financial Information that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.


1051.3 Designing and Implementing Safeguards


The risk assessment and analysis described above shall apply to all methods of handling or disposing of protected information, whether in electronic, paper, or other form.  The Program Officer will, on a regular basis, implement safeguards to control the risks identified through such assessments and to continuously monitor and regularly test the effectiveness of such safeguards.  Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures. Safeguards minimally include:

  1. Protection by encryption of all Nonpublic Financial Information held or transmitted by the Institution both in transit over external networks and at rest, or to the extent infeasible, secure such Nonpublic Financial Information using effective alternative compensating controls reviewed and approved by the Program Officer;
     
  2. Adoption of secure development practices for in-house developed applications utilized by the Institution for transmitting, accessing, or storing Nonpublic Financial Information and procedures for evaluating, assessing, or testing the security of externally developed applications the Institution utilizes to transmit, access, or store Nonpublic Financial Information;
     
  3. Authenticating and permitting access only to authorized users to protect against the unauthorized acquisition of Nonpublic Financial Information, including implementation of multi-factor authentication for any individual accessing any information system, unless the Program Officer has approved in writing the use of reasonably equivalent or more secure access controls;
     
  4. Limiting authorized users’ access only to Nonpublic Financial Information they need to perform their duties and functions, or, in the case of customers, to access their own information; 
     
  5. Development, implementation, and maintenance of procedures for the secure disposal of Nonpublic Financial Information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained;
     
  6. Periodic review of the Institution’s data retention policy to minimize the unnecessary retention of data;
     
  7. Adoption of procedures for change management;
     
  8. Implementation of policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, Nonpublic Financial Information by such users; and
     
  9. Regular testing or monitoring of the effectiveness of the safeguards implemented.

1051.4 Overseeing Service Providers


The Program Officer shall coordinate with those responsible for third-party service procurement activities in the Department of Information Technology and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the Nonpublic Financial Information of students to which they will have access.  In addition, the Program Officer will work with the Vice President of Finance and Operations to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards.  Such providers will be periodically assessed based on the risk they present and the continued adequacy of their safeguards. Any deviation from these standard provisions will require the approval of the Vice President of Finance and Operations.

1051.5 Adjustments to Program


The Program Officer is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to the Institution’s operations or other circumstances that may have a material impact on the Program.

1051.6 Incident Response Plan


The goals of the Incident Response Plan are to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of Nonpublic Financial Information in the Institution’s control.

If any Nonpublic Financial Information is accidentally or intentionally exposed to any unauthorized entity without the consent of the student, a security breach is likely to have occurred. In the event of such a security breach, the Institution is responsible for reporting all details of the breach to the U.S. Department of Education, and to the Federal Trade Commission in certain circumstances. To aid in the creation of this report, the following steps shall be taken:

  1. Each department must report an incident or suspected incident to the Program Officer.
     
  2. The Program Officer and Director of Financial Aid will determine if a reportable breach has occurred.
     
  3. If a reportable breach is determined to have occurred, the Program Officer will notify the VP of Student Services with details of the breach and recommendations for reporting. The Program Officer and Director of Financial Aid will work with the reporting department to limit the impact of the breach.
     
  4. Once a reportable breach has occurred, the communication flow shall be as follows:
    1. A case is created in the Maxient system to track the response.
    2. Legal Counsel is contacted to review the breach.
    3. The U.S. Department of Education (DOE) is contacted in accordance with the Data Breach procedure located in the Financial Aid Office.
    4. The Senior Leadership Team will be notified of the breach.
    5. A Jenzabar Notepad Action will be placed on each affected person’s record for sending correspondence through the Letter Flow function.
    6. The Letter Flow process is completed by the Records and Registration Office.
       
  5. The Program Officer will determine how identified weaknesses in information systems and associated controls will be remediated.
     
  6. In the event of a reportable breach, information will be documented as follows:
    1. A Maxient case will be created to track the response.
    2. A Jenzabar Notepad item will be added to all records affected by the breach.
       
  7. The Program Officer will evaluate the response plan following a security event and make revisions as necessary.
     
  8. The Program Officer will report in writing, no less frequently than annually, to the Institution’s Board of Trustees, the following information:
    1. The overall status of the Program and the Institution’s compliance; and
    2. Material matters related to the Program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s response thereto, and recommendations for changes in the Program.
       
  9. A report will be submitted to the U.S. Department of Education by the Director of Financial Aid.
     
  10. Any further action required will be determined by the Program Officer, Director of Financial Aid, and VP of Student Services.


Approval Dates:


Policy Origin Date:
05/15/2024

Procedure Origin Date:
05/15/2024
