Gramm-Leach-Bliley Act (GLBA) Compliance at ECU

Overview

The intent of this particular article is to summarize how the various components of the ECU Information Security Program are in accord with, and support compliance with, the provisions in the revised Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). This document references supporting documentation, additional materials, and applicable policies and guidelines, some of which are sensitive and not a matter of the public record.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA), or Financial Services Modernization Act of 1999, was enacted November 12, 1999, and requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission (FTC) enforces compliance with GLBA and may bring an administrative enforcement action against any financial institution for non-compliance. Although the law was not originally enacted with a focus on higher education, the scope of GLBA – institutions that offer consumers financial products or services like loans or financial advice – applies to higher education institutions, specifically to the collection, storage, and use of student financial records containing personally identifiable information. The operations of a university like ECU include granting financial aid, providing student loans, providing payment plans to students, parents, and patients, and the storage, transmission, and sharing of nonpublic personal information (NPI). The FTC defines NPI as personally identifiable financial information about an individual that an organization collects in connection with providing a financial product or service, unless that information is otherwise publicly available. Examples of customer financial information include, but are not limited to, account numbers, tax information, loan payoff amounts, income and credit histories, social security numbers, and date/location of birth.

Major GLBA Components

Major GLBA components enacted to govern the collection, disclosure, and protection of consumers’ nonpublic personal information include the Financial Privacy Rule, Safeguards Rule, and Pretexting Rule.

Financial Privacy Rule. The Financial Privacy Rule requires institutions to provide privacy notices and to comply with certain limitations on disclosure of nonpublic personal information. In its GLBA guidance, EDUCAUSE (2018) stated, “colleges and universities are deemed to be in compliance with the GLBA Privacy Rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA).” ECU addresses FERPA compliance through formal policy in the university’s FERPA Regulation. FERPA compliance is monitored by the Office of the Registrar, which oversees access to student educational records. The Associate Vice Chancellor and University Registrar is assigned responsibility as Data Steward for the Student Information domain, and the Director of Financial Aid is assigned responsibility as Data Steward for the Financial Aid domain. Because ECU has health care components that provide services to patients and offer financial services such as payment plans, GLBA compliance at ECU considers data privacy use cases beyond FERPA.

Safeguards Rule. The Safeguards Rule requires all financial institutions to develop an information security program designed to protect nonpublic, private information. Such an information security program should include elements reasonably designed to achieve three key objectives: a) ensuring the security and confidentiality of customer information, b) protecting against anticipated threats to the security or integrity of such information, and c) protecting against unauthorized access to or use of such information that could result in harm to any customer (National Archives, 2002).

The FTC has not made a similar exception for institutions of higher education with respect to the Safeguards Rule as it has for the Financial Privacy Rule. Institutions like ECU must have a formal information security program designed to protect customer information, and the program must consider the three types of safeguards important for GLBA compliance: Administrative Safeguards, Technical Safeguards, and Physical Safeguards. The FTC published a revised Safeguards Rule (FTC, 2022a) in the Federal Register on December 9, 2021, making December 9, 2022 the deadline for institutions to achieve compliance with the new requirements. The deadline was later extended to June 9, 2023 (FTC, 2022b). The revision was intended to make sure the Rule keeps pace with current technology while providing more concrete guidance for institutions with respect to core data security principles.

Pretexting Rule. The Pretexting Rule is designed to counter identity theft. It requires that institutions have mechanisms in place to detect and mitigate unauthorized access to nonpublic personal information (for example, someone impersonating a student to request private information by phone, email, or other means).


ECU Information Security Program and GLBA Safeguards Rule Compliance

As mentioned above in the Overview, this article highlights how the various components of the ECU Information Security Program are in accord with, and support compliance with, the provisions and requirements in the revised Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). The university’s program is intended to meet the following requirements of the GLBA Revised Safeguards Rule, each of which is discussed in the sections below:

  • Designate a qualified person to oversee the information security program
  • Implement appropriate safeguards and conduct a risk assessment
  • Limit and monitor who can access sensitive customer information
  • Encrypt sensitive information
  • Train personnel
  • Maintain an incident response plan
  • Periodically assess the security practices of service providers
  • Implement multi-factor authentication to protect sensitive information

The ECU Information Security Program, as described in the ECU Information Security Regulation, serves to protect university information from unauthorized and/or unlawful access, use, destruction, or loss, while helping to ensure the integrity and availability of data and IT resources at ECU. Various components work together and serve as pillars in supporting the university’s integrated program, including policies and standards, guidance on employee security best practices, security awareness and education, cyber security defense capabilities, information security risk management, vulnerability management, and security incident response.

An important aspect of the ECU Information Security Program is the integration of relevant compliance regulations into the overall program. To support compliance with the GLBA Safeguards Rule, the program is designed to achieve key GLBA objectives such as ensuring the security and confidentiality of customer information, protecting against anticipated threats to the security or integrity of such information, and protecting against unauthorized access that could result in harm to any customer. The program implements administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information. The revised Safeguards Rule outlines requirements that should be covered in an institution’s Information Security Program (EDUCAUSE, 2021; FTC, 2022a; FTC, 2022b), and our program and its components are designed to meet such requirements.

Designate a qualified person to oversee the information security program

The Information Security Program is established in university policy through the ECU Information Security Regulation (ECU, 2016), which, under Roles and Responsibilities, assigns the Chief Information Security Officer (CISO) responsibility for managing the Information Security Program. The regulation summarizes the essential program elements that are to be coordinated or managed by the CISO, including policies and standards, promotion of security awareness, guidance on employee security best practices, information security risk management, and security incident response functions.

The Information Security Office has developed a comprehensive document, Components of ECU Information Security Program, that summarizes the university’s approach to information security and the various components that serve as pillars in supporting the university’s program. To complement the comprehensive overview document, supporting information, organized and stored securely, has been developed to provide stakeholders with a user-friendly way to access related documentation on each program component: policies; standards and safeguards; information security risk management; information security guidelines, awareness, and training; security incident response; vulnerability management; and data governance. The CISO has presented Components of ECU Information Security Program to the Data Stewardship Committee, the Information Resources Coordinating Council (IRCC), and the Board of Trustees ARMCE (Audit, Risk Management, Compliance, and Ethics) Committee. The CIO and CISO regularly report to the ECU Board of Trustees ARMCE Committee on information security and cyber security matters, with confidential information presented in closed session.

Implement appropriate safeguards and conduct a risk assessment

On an annual basis, ITCS conducts an Enterprise Information Security Risk Assessment to identify information-related threats to ECU’s critical business processes which, if realized, might impair the University’s capability to fulfill its mission and key objectives. The goal of this risk assessment is to provide actionable intelligence to university decision makers on the treatment, avoidance, acceptance, and management of information risks. The emphasis is on a prioritized list of threats and a high-level assessment of consequences, with general attack scenarios, including calculation of relative risk along with recommendations.

ECU has developed the GLBA Data Inventory and Risk Assessment process to assist departments in complying with GLBA requirements by completing a periodic inventory of GLBA-covered data and where it is stored, and a risk assessment of the department’s application of appropriate safeguards to protect customer information. The GLBA Data Inventory and Risk Assessment should be completed or reviewed annually, with the process coordinated by the Information Security Office in consultation with data stewards. The risk assessment examines administrative, technical, and physical safeguards, and addresses risk, the safeguards in place, how those safeguards are monitored, and whether they are sufficient.

The departmental GLBA risk assessments are considered as inputs into the annual Enterprise Information Security Risk Assessment, which is conducted each year by the Information Security Office. As mentioned above, the CISO shares the Enterprise Information Security Risk Assessment annually with the university’s Enterprise Risk Management Committee and Data Stewardship Committee, and presents regular cyber security updates to the BOT ARMCE Committee.

Limit and monitor who can access sensitive customer information

UNC System Office Policy 1400.3 on User Identity and Access Control, and the related standard developed by the UNC System, require that constituent institutions have sufficient access control reviews over systems with sensitive data. At ECU, a standard for data classification defining four levels of data has been approved. ECU treats “sensitive information,” as covered in the 1400.3 Standard, as equivalent to Level 3 and Level 4 in the ECU Data Classification Levels.

ECU has a formal University Data Governance (https://datagovernance.ecu.edu/) program to help ensure the formal management of data assets within the university, and to provide guidance to the ECU community on safeguarding data in their custody and areas of responsibility. In February 2020, efforts through the ECU data governance process, including work within the Data Steward Committee, led to publishing the ECU Access Control Standard (https://datagovernance.ecu.edu/user-access-control-standard/). Data Stewards are responsible for documenting their control processes for information systems that house sensitive information within their area, ensuring that access control activities, including regular access review, are conducted, and attesting to compliance.

Encrypt sensitive information

Guidance related to cryptographic controls has been developed by the Information Security Office and incorporated into Best Practices in Information Security for IT Support Staff, published to the ITCS website. Standards concerned with ISO 27002 10.1.1, Policy on the use of cryptographic controls, are addressed as follows: Section 5.3, Application and data security, on p. 33; Section 5.4, Network Security, on p. 34; and Section 6.4, Backup of critical or sensitive university information systems, on p. 38. The majority of university-owned and -managed end-user machines are configured with encrypted hard drives.

Train personnel

Per ECU policy (Information Security Regulation), all ECU employees are required to complete information security awareness training within 30 days of employment and university-designated refresher training at least once every two years. The official university-designated information security training course is Employee Best Practices in Information Security Training, which is available online in Cornerstone, the university’s HR learning management system. A course on GLBA compliance from InfoSec IQ will be published in Cornerstone early in 2023.

Maintain a security incident response plan

ECU maintains various capabilities to protect against threats to IT systems and data, allowing for monitoring of logs and alerts and analysis of security indicators, to help the university better detect attempted cyber attacks and respond faster to potential security incidents. ECU’s Cyber Security Incident Response Plan is designed to provide formal guidance to the university in handling security incidents. The plan assists ITCS with identifying, reporting, and mitigating security incidents involving university IT resources and data, and in determining when a security incident becomes a data breach. The Information Security Office and/or the Office of Emergency Management facilitate periodic cyber security tabletop exercises with various participants, designed to test incident response preparedness.

The Cyber Security Operations Center (CSOC) team within the Information Security Office is responsible for detecting, analyzing, and facilitating the university’s response to cyber security threats. In documenting the details of incidents, CSOC uses a standardized Security Incident Report (SIR) template. Standard operating procedures provide consistency for incident response functions. Members of the Security Incident Response Team (SIRT) utilize various specialized security tools to handle and respond to incidents and to reduce risks to ECU’s network.

Periodically assess the security practices of service providers

ECU policy (Software and Data Collection Services Acquisition Regulation) requires that all software, cloud solutions, or data collection services be reviewed by ITCS for compatibility, duplication of existing services, security, accessibility, and risks associated with their use. In alignment with this university policy, ITCS evaluates new and existing technology for departments through the Technology Security Assessment (TSA) process. Systems associated with sensitive data are subject to more in-depth review, with verification of compliance regarding HIPAA, FERPA, SSN/PII, GLBA, PCI, and other sensitive data types. Any use of software, cloud solutions, or data collection services that will be associated with sensitive data must be approved by the relevant data steward(s), a compliance committee such as the Identity Theft Protection Committee, and the CIO (or designee). Data that is in scope for GLBA compliance may pertain to one or more sensitive data types.

All departments/units and employees are responsible for ensuring that the review process is triggered, whether software or services are acquired via requisition/purchase order process, through university ProCard, or acquired through a grant or at no cost. The TSA is also required when the department already owns the technology, but it has never been assessed, or the technology’s use case has changed. Cloud-based solutions utilizing sensitive data are reviewed on an annual basis (or during the renewal cycle).

Implement multi-factor authentication to protect sensitive information

Because ECU is a constituent institution of the University of North Carolina System, UNC System Standard 1400.3 on User Identity and Access Control applies to the university. This standard requires security controls for user identity and access control to help protect university IT systems and data, including multi-factor authentication (MFA) to protect sensitive information. By 1/15/21 (and every 3 years thereafter), institutions were required to submit to the UNC System a report detailing their user identity and access control program, including measures implemented, such as MFA, to protect sensitive information.

ECU submitted the report ECU Compliance Plan for UNC System Standard 1400.3 to the UNC System on 1/7/21. This plan provides an overview of ECU’s compliance with access control standards, while summarizing gaps, risk acceptance, and recommendations. The plan will be reviewed on an annual basis and considered as input into the annual risk assessment and reporting process. The Enterprise Information Security Risk Assessment Report summarizes progress in implementing MFA to protect sensitive information.

References

East Carolina University. (2016, May 23). Information security regulation. University Policy Manual. https://www.ecu.edu/prr/08/05/08

EDUCAUSE. (2018). Gramm-Leach-Bliley Act (GLB Act). Policy and Law. https://library.educause.edu/topics/policy-and-law/gramm-leach-bliley-act-glb-act

EDUCAUSE. (2021, December 2). Policy analysis: Revised, highly prescriptive FTC Safeguards Rule. Educause Review. https://er.educause.edu/articles/2021/12/policy-analysis-revised-highly-prescriptive-ftc-safeguards-rule

Federal Trade Commission. (2022a, May). FTC Safeguards Rule: What your business needs to know. Business Guidance. https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Federal Trade Commission. (2022b, November). Compliance deadline for certain revised FTC Safeguards Rule provisions extended to June 2023. Business Guidance. https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023

National Archives. (2002). Part 314 – Standards for safeguarding customer information. Code of Federal Regulations. https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314