Gramm-Leach-Bliley Act of 1999 (GLBA)
Overview: This document summarizes Neosho County Community College’s
comprehensive written information security policy (the "policy")
mandated by the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley
Act ("GLBA"). In particular, this document describes the Program
elements pursuant to which the Institution intends to (i) ensure the
security and confidentiality of covered records, (ii) protect against
any anticipated threats or hazards to the security of such records, and
(iii) protect against the unauthorized access or use of such records or
information in ways that could result in substantial harm or
inconvenience to customers. The policy incorporates by reference the
College’s existing policies and procedures and is in addition to any
College policies and procedures that may be required pursuant to other
federal and state laws and regulations, including, without limitation,
FERPA.
Designation of Representatives: The institution's chief information
officer is designated as the program officer who shall be responsible
for coordinating and overseeing the policy. The chief information
officer at NCCC is the dean of planning and operations. The program
officer may designate representatives of the Institution to oversee and
coordinate particular elements of the policy. Any questions regarding
the implementation of the program or the interpretation of this document
should be directed to the program officer or his or her designees.
Scope of Policy: The policy applies to any record containing nonpublic
financial information about a student or other third party who has a
relationship with the Institution, whether in paper, electronic or other
form that is handled or maintained by or on behalf of the Institution or
its affiliates. For these purposes, the term nonpublic financial
information shall mean any information (i) a student or other third
party provides in order to obtain a financial service from the
Institution, (ii) about a student or other third party resulting from
any transaction with the Institution involving a financial service, or
(iii) otherwise obtained about a student or other third party in
connection with providing a financial service to that person.
Elements of the Policy:
Risk Identification and Assessment
The Institution intends, as part of the policy, to undertake to identify
and assess external and internal risks to the security, confidentiality,
and integrity of nonpublic financial information that could result in
the unauthorized disclosure, misuse, alteration, destruction or other
compromise of such information. In implementing the policy, the program
officer will establish procedures for identifying and assessing such
risks in each relevant area of the Institution's operations, including:
Employee Training and Management
The program officer will coordinate with representatives in the
Institution's student/financial services and financial aid offices to
evaluate the effectiveness of the Institution's procedures and practices
relating to access to and use of student records, including financial
aid information. This evaluation will include assessing the
effectiveness of the Institution's current policies and procedures in
this area.
Information Systems and Information Processing and Disposal
The program officer will assess the risks to nonpublic financial
information associated with the Institution's information systems,
including network and software design, information processing, and the
storage, transmission and disposal of nonpublic financial information.
This evaluation will include assessing the Institution's current policies
and procedures relating to acceptable use policy, information technology
security policy, and records retention policy. The program officer will
also assess procedures for monitoring potential information security
threats associated with software systems and for updating such systems
by, among other things, implementing patches or other software fixes
designed to deal with known security flaws.
Detecting, Preventing and Responding to Attacks
The program officer will evaluate procedures for and methods of
detecting, preventing and responding to attacks or other system failures
and existing network access and security policies and procedures, as
well as procedures for coordinating responses to network attacks and
developing incident response teams and policies.
Designing and Implementing Safeguards
The risk assessment and analysis described above shall apply to all
methods of handling or disposing of nonpublic financial information,
whether in electronic, paper or other form. The program officer will, on
a regular basis, implement safeguards to control the risks identified
through such assessments and to regularly test or otherwise monitor the
effectiveness of such safeguards. Such testing and monitoring may be
accomplished through existing network monitoring and problem escalation
procedures.
Overseeing Service Providers
The program officer shall coordinate with those responsible for the
third party service procurement activities among the department of
technology services and other affected departments to raise awareness
of, and to institute methods for, selecting and retaining only those
service providers that are capable of maintaining appropriate safeguards
for nonpublic financial information of students and other third parties
to which they will have access.
Adjustments to Program
The program officer is responsible for evaluating and adjusting the
program based on the risk identification and assessment activities
undertaken pursuant to the program, as well as any material changes to
the Institution's operations or other circumstances that may have a
material impact on the program.