Creighton's Gramm-Leach-Bliley Act Security Plan
Effective May 23, 2003
Overview
Creighton University has implemented a security program to address the Standards for Safeguarding Customer Information codified in 16 CFR 314 of the Gramm-Leach-Bliley Act (GLBA). The intent of this program is to provide confidentiality and security of nonpublic financial information, protect against foreseeable threats to the security of this information, and protect against unauthorized access or use of this information. This program incorporates the University’s policies and standards and is in addition to other University policies that may be required by other federal and state laws and regulations.
Designated Program Representative
The University’s Information Security Officer is designated as the GLBA Security Program Representative who shall be responsible for coordinating and overseeing the GLBA Security Program. Any questions regarding the implementation of the GLBA Security Program or the interpretation of this document should be directed to the Program Representative.
Scope of the Program
The GLBA Security Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the University, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the University. For the purposes of the GLBA Security Program, nonpublic financial information shall mean any information that meets any of the following criteria:
- Information a student or other third party provides in order to obtain a financial service from the University.
- Information about a student or other third party resulting from any transaction with the University involving a financial service.
- Information obtained about a student or other third party in connection with providing a financial service to that person.
Elements of the GLBA Security Program
Assessment of Reasonably Foreseeable Risks
The University intends, as part of the GLBA Security Program, to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. In implementing the GLBA Security Program, the Program Representative will establish procedures for identifying and assessing such risks in each relevant area of the University’s operations, including:
- Employee training and management. The Program Representative will coordinate employee training covering areas of general information security practices, information security awareness, and University Policy and Standards adherence. The University’s Policies and Standards in this area include:
  - Data Classification Policy
  - Data Classification Standard
  - Security Awareness Training Policy
- Information systems and information handling. The Program Representative will assess the risks to nonpublic financial information associated with the University’s information systems, including network and software design, as well as information processing, storage, transmission and disposal of nonpublic financial information. These risks will be evaluated based on the University’s Policies and Standards. The University’s Policies and Standards in this area include:
  - Information Security Philosophy
  - Acceptable Use Policy
  - Data Classification Standard
- Security incident response. Consistent with the provisions of the Information Security Philosophy and the University’s Information Security Policies and Standards, the Program Representative will evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions, or other system failures. The University’s Policies and Standards in this area include:
  - Information Security Philosophy
  - Incident Response Policy
  - Incident Response Plan
  - Audit Trail Policy
Implementation of Security Controls
Based on results of risk assessments and as directed by the University’s Policies and Standards, the University’s Information Security Officer will recommend and implement administrative, physical, and technical safeguards to mitigate reasonably foreseeable risks. In addition, the Program Representative will coordinate the regular testing and monitoring of the effectiveness of the University’s Policies and Standards as they apply to the GLBA Security Program.
Overseeing Service Providers
The Program Representative shall coordinate with those responsible for third party service agreements to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties. In addition, the Program Representative will work with the General Counsel’s Office to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards.
Adjustments
The Program Representative is responsible for evaluating and adjusting the GLBA Security Program based on the risk assessment activities, as well as any material changes in the University’s operations or other circumstances that may have a material impact on the security program.