Gramm Leach Bliley Act
The Gramm Leach Bliley Act (GLBA) is a law that applies to financial institutions and includes privacy and information security provisions designed to protect consumer financial data. This law applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing personally identifiable information. GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which apply to educational institutions. Universities are deemed in compliance with the GLBA Privacy Rule if they maintain compliance with the Family Educational Rights and Privacy Act (FERPA). WTAMU’s FERPA compliance information can be found here. The following information summarizes West Texas A&M University’s program elements and safeguards relevant to the GLBA Safeguards Rule.
The University will implement and maintain a comprehensive Information Security Program. The Program will include administrative, technical, and physical safeguards implemented based on risk. These safeguards may be included in existing University rules, policies and procedures as well as the implementation of the DIR Security Control Catalog.
GLBA Program Elements:
Designation of Responsibility: As defined in University Policy 29.01.99.W1 the Information Security Officer (ISO) is responsible for coordinating and overseeing the University Security Program, including elements related to GLBA. Any questions regarding the implementation of the program or the interpretation of this document should be directed to the ISO.
Risk Assessment: The University will conduct periodic risk assessments to identify and assess the risks to the security and confidentiality of university data. Appropriate updates to the Information Security Program shall be made based on the results of these assessments. See IT Security Control Catalog RA-3 Risk Assessment.
Regular Security Testing: Regular security testing and assessments, such as vulnerability assessments and penetration testing, should be conducted to identify and address vulnerabilities and weaknesses in the security program. See IT Security Control Catalog PM-6 Measures of Performance and PM-14 Testing, Training, and Monitoring.
Ongoing Monitoring: Continuous monitoring of the information security program is essential to detect and respond to security threats and vulnerabilities promptly. See IT Security Control Catalog PM-6 Measures of Performance and PM-14 Testing, Training, and Monitoring.
Incident Response Plan: The University maintains an incident response plan to address any security incidents or data breaches. A copy of the Incident Response Plan shall be maintained on the University intranet. See IT Security Control Catalog Incident Response Controls Family (IR-1 through IR-9).
GLBA Program Safeguards:
Access Controls: Access to university data will be restricted to authorized personnel who require access as part of their job responsibilities. Access controls, including user authentication and authorization, will be implemented and regularly reviewed. See IT Security Control Catalog Access Controls Family (AC-1 through AC-22) and Identification and Authentication Controls Family (IA-1 through IA-11).
System and Data Inventory: IT shall implement and maintain a proper inventory of the systems and data used for critical business functions. See IT Security Control Catalog PM-5 Systems Inventory.
System Development and Acquisition: The University shall adopt secure development practices for all in-house development. Formal processes are in place for acquisition that include appropriate security evaluations. See IT Security Control Catalog System and Services Acquisition Controls Family (SA-1 through SA-22).
Multi-Factor Authentication: The University shall implement multi-factor authentication (MFA). See IT Security Control Catalog IA-2(1) Multifactor Authentication to Privileged Accounts and IA-2(2) Multifactor Authentication to Non-Privileged Accounts.
Data Encryption: Appropriate data encryption shall be employed for sensitive financial data. See IT Security Control Catalog SC-13 Cryptographic Protections.
Employee Training: All employees receive Information Security training upon hire and again annually. See IT Security Control Catalog AT-2 Security Awareness and Training.
Third-Party Service Providers: Third-party service providers shall be required to enter into written contracts that include provisions for safeguarding university data and maintaining compliance with applicable laws and regulations. See IT Security Control Catalog SA-4 Acquisition Process.
Records Retention and Disposal: The University has established a records retention and disposal process in accordance with Texas A&M University System records management regulation 61.99.01 and applicable Texas records management law; further implementation details are available here. Proper disposal of all physical media shall be documented and processed by IT. See IT Security Control Catalog SR-12 Component Disposal.
Change Management: Changes to University production systems shall be documented, reviewed, tested and approved prior to implementation. See IT Security Control Catalog CM-4 Impact Analyses and CM-5 Access Restrictions for Change.
Event Logging: The University shall implement appropriate monitoring and logging on systems to detect unauthorized access and modification of data. See IT Security Control Catalog Accountability Audit and Risk Management Controls Family (AU-1 through AU-12).