Engaging with the Safeguards Rule
PCC’s approach to satisfying GLBA requirements related to the Safeguards Rule is structured around addressing the following:
1. Defining scope of the program
PCC places the highest value on its customers’ information. We understand and accept our responsibility as custodians of their data. We respect and protect the privacy of our students, faculty, staff, and other third parties. And we value the relationships and sense of security we maintain with our customers.
For the purpose of this program, “customer information” is defined as any record containing nonpublic personal information about a customer of the college, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the college or its affiliates.
What is covered “nonpublic personal information”?
In this case, nonpublic personal information means personally identifiable financial information about a student or other third party, where such information is obtained in connection with the provision of a financial service or product by PCC and that is maintained by PCC or on PCC’s behalf.
Nonpublic personal information means:
- Information that a student or other third party provides in order to obtain a financial service or product from the college;
- Information about a student or other third party resulting from any transaction with the college involving a financial service or product; or
- Information otherwise obtained about a student or other third party in connection with providing a financial service or product to that person.
For example, nonpublic personal information includes bank and credit card numbers, income and credit histories, as well as names, addresses, and Social Security numbers associated with financial information.
Why is PCC engaging with GLBA?
An Institution of Higher Education, like PCC, that engages in financial activities (e.g., processing student loans) is considered by the Federal Trade Commission (FTC) to be a financial institution and is therefore required to comply with GLBA.
In 2015, compliance with the GLBA Safeguards Rule, 16 CFR 314.4(b), was included in the Title IV Program Participation Agreement by the Department of Education. This directly tied PCC’s ability to process student financial aid to GLBA compliance.
The Safeguards Rule requires covered entities to consider risks in each relevant area of their operations, including:
- Employee training and management
- Information systems, including network and software design, as well as information processing, storage, transmission and disposal, and
- Detecting, preventing, and responding to attacks, intrusions, or other systems failures
In 2015 and 2016 the Dept. of Education sent “Dear Colleague” letters to PCC urging compliance. In 2017 and 2018, the Dept. of Education’s Office of Federal Student Aid drafted federal single audit guidance. It is anticipated that the federal single audit guidance will become final within the coming years.
How is PCC engaging with GLBA?
PCC’s Information Security Program (ISP) has been developed to ensure and protect our customers’ covered nonpublic personal information, as well as PCC institutional data. This includes hard copy (paper), electronic, or other forms of records; data; systems; services; and infrastructure components which are handled or maintained by or on behalf of the college or its affiliates.
In accordance with GLBA Safeguards Rule requirements and regulations issued by the Federal Trade Commission pursuant to that rule, PCC’s ISP encompasses the following objectives:
- Ensure the security and confidentiality of our customers’ nonpublic personal information (e.g., names, addresses, Social Security numbers, etc.).
- Protect the security and integrity of customer and institutional information against anticipated hazards or threats.
- Protect customer and institutional information from unauthorized access or use which could result in substantial harm or inconvenience.
In order to maintain and deliver these objectives, PCC utilizes a holistic approach with defined goals, which include:
- Designating a team of employees to implement, coordinate, and manage information security.
- Establishing routines for conducting risk assessments of systems and services, both internal and external, that could potentially lead to unauthorized disclosure or misuse of confidential information.
- Establishing, coordinating, and managing safeguards to mitigate identified risks.
- Requiring third-party service providers to implement and maintain established confidentiality protocols.
- Periodically evaluating and modifying the ISP to ensure continuing protection of confidential information.
2. Implementing an Information Security Program
The ISP is undertaken at the behest of PCC’s Board of Directors and monitored by the Information Security Oversight Committee (ISOC). It is designed to protect the confidentiality, integrity, and availability (or “CIA,” the guiding principle of information security management) of PCC’s information assets – data, systems, services, and infrastructure components – and seeks to protect any record containing customer information (see Appendix A).
The goals for the ISP are as follows:
- Assure regulatory compliance with federal, state, and local law across all PCC departments.
- Limit access to customer information to employees who have a business need to see it.
- Ensure the security and confidentiality of customer records.
- Safeguard and prevent unauthorized access to personally identifiable financial data.
- Align with existing PCC policies, standards, guidelines, and procedures.
- Ensure appropriate employee training and management.
- Ensure information systems security best practices.
- Detect, prevent, and remediate attacks, intrusions, or other information security risks.
3. Designating employee
PCC’s Chief Information Security Officer is the designated ISP Coordinator for PCC. The ISP Coordinator acts under the independent oversight of ISOC.
4. Performing risk assessments
The ISP Coordinator is a standing member of PCC’s Risk Council and ensures that GLBA-related risks are included in the overall College-wide Risk Management Program.
Additionally, PCC intends, as part of the ISP, to undertake a risk assessment to identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. At a minimum, the risk assessment will include consideration of risks in each relevant area of PCC operations, including:
- Employee training and management: Consider the effectiveness of current employee training and management procedures relating to the access and use of covered information.
- Information systems, information processing, and disposal: Assess the risks to covered information associated with information systems, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks and system failures: Consider procedures for and methods of detecting, preventing, and responding to attacks, intrusions, or other system failures.
Designing and implementing safeguards
Safeguards will be designed and implemented in order to control the risks identified through the GLBA risk assessment. The ISP Coordinator, in collaboration with appropriate institutional representatives, will monitor the effectiveness of the safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures. It is the College’s intent to use National Institute of Standards and Technology (NIST) Special Publication 800-171 as a model to assess and address gaps in safeguards, as appropriate.
Focus areas
When identifying areas of focus, look for changes since the last review (refer to Appendix B). The Federal Trade Commission provides general guidance for complying with the Safeguards Rule.
5. Employee training and management
PCC safeguards for security will include management and training of those individuals with authorized access to covered data. This includes training in FERPA, PCC’s Information Security and Acceptable Use policies, procedures and practices relating to access to and use of customer information, and specific training in accordance with GLBA accountability.
- Employees with access to covered data must abide by PCC policies and procedures governing covered data, as well as any additional practices or procedures established by their department heads or directors.
- The ISP Coordinator will designate individuals who have the responsibility and authority for information technology resources; establish and disseminate enforceable rules regarding access to and acceptable use of Information Technology resources; establish reasonable security policies and measures to protect data and systems; monitor and manage system resource usage; and investigate problems and alleged violations involving covered information. The ISP Coordinator will refer violations or non-compliance to appropriate offices such as the ISOC, legal counsel, President or Board of Directors, Internal Auditor, or Human Resources for resolution or disciplinary action.
Curriculum
It is essential that every employee who has access to or uses covered data have at least annual training on GLBA compliance. PCC is in the process of developing GLBA training materials which will include:
- Covered data and data ownership
- Confidentiality, integrity, and availability
- Physical security
- Access controls
- Encryption
- Social engineering
- Policies
- Fraud
6. Overseeing service providers
Consistent with the provisions of GLBA, PCC takes reasonable steps to select and retain service providers that maintain appropriate safeguards for covered data and information.
For technology products and services, the IT purchasing team works closely with the college purchasing and contracts teams to ensure that all IT purchases and contracts are processed in accordance with applicable Federal and State laws and PCC purchasing standards.
New vendor relationships are subject to information security, cyber insurance coverage, and accessibility reviews. Specifically, such reviews are geared toward ensuring methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for covered information.
In the course of business, PCC may appropriately share covered data with third parties. Such activities may include collection of data, transmission of documents, transfers of funds, destruction of documents or equipment, or other similar services. The ISP will ensure that reasonable steps, including consultation with legal counsel, are taken to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and requiring service providers by contract to implement and maintain such safeguards.
7. Evaluating and adjusting the ISP
The ISP is maintained based on the principles of continual risk management. Risks change with time, as the business and its environment change. As a result, even strong controls degrade over time and are subject to eventual failure. In addition, countermeasures may introduce new risks.
The overall information security program is periodically evaluated and adjusted to reflect changing college business, measurements of program effectiveness, and lessons learned from the implementation of security safeguards.
8. Program governance
Enforcement
Violation of the ISP may result in disciplinary action, up to and including termination of employment.
Exceptions
Any exceptions to the GLBA ISP must be approved by the College President upon the recommendation of the ISP Coordinator.
Resources
Program questions
Questions regarding the GLBA Program or regarding information security may be emailed to: CIO@pcc.edu
Approval
Approved by Michael Northover, Chief Information Officer and Chief Information Security Officer, April 30, 2019
Program review
This program will be reviewed and updated as needed, at least annually, based on the recommendations of the ISP Coordinator.
Personal, non-public information
There are several terms used to identify similar sets of protected data.
PCC policy uses the term “controlled sensitive data” which is equivalent to, but more encompassing than, “personal, non-public information”.
Additionally, Personally Identifiable Information (PII) is a critical subset of protected data, but does not cover all categories of data protected under GLBA.
GLBA regulation also uses the terms “covered data” and “sensitive customer data”.
More details regarding the use and meaning of these terms can be found in Appendix A.