Gramm-Leach-Bliley Act (GLBA) Information Security Program Policy

Statement and Purpose

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (34 CFR 314.4) mandates the protection of consumer information's security, integrity, and confidentiality. This policy outlines the establishment and maintenance of an Information Security Program as required by the Gramm-Leach-Bliley Act (GLBA) to protect the security and confidentiality of customer non-public personal information (NPI) at Seattle Pacific University. This program is designed to safeguard customer information and ensure compliance with GLBA regulations.

Certain terms in this policy are defined at the end of the policy.

Entities Affected By This Policy

All University faculty and staff.

Reason for Policy

This program is designed to safeguard student and constituent information and ensure compliance with GLBA regulations as required by the Department of Education.



Policy Version: 1.0

Responsible Office: Office of Business and Finance

Responsible Executive: AVP for Information Technology

Effective Date: June 9, 2023

Last Updated: Nov 1, 2023


Information Security Program


I. Risk Assessment and Audit

Seattle Pacific University conducts regular audits of the Information Security Program through risk assessments, performed with the help of a third party against the NIST 800-171 standard, to identify and assess risks to customer information. These assessments evaluate the types of customer information collected, the sources of that information, and the methods used to process and store it.

II. Security Policies and Procedures

Seattle Pacific University maintains comprehensive information security policies and procedures based on the risk assessment. These policies address data access, data sharing, network security, and the overall protection of NPI. See related policies: Identity Theft Prevention Program - Red Flags Rule, Website Privacy Policy, Regulated Data, Institutional Data Policy, and the Regulated Data Chart.

III. Designation of Coordinator

Seattle Pacific University has designated the Asst. VP for Information Technology to coordinate the Information Security Program. The designated coordinator is responsible for overseeing the program, ensuring compliance, and making necessary adjustments.

IV. Employee Awareness Training

Seattle Pacific University provides annual security awareness training to employees to promote understanding of security policies and procedures. Employees are educated on the importance of protecting customer information (see Security Awareness Training Program). Departments must also ensure that all employees are aware of the applicable policies and procedures related to protected information.

V. Oversight and Monitoring

Seattle Pacific University regularly monitors and tests its information security. Testing is done during the annual risk assessments, and security is actively monitored by a 24/7/365 security operations center service. Adjustments to the program are made in response to changes in technology, the sensitivity of customer information, and evolving security threats.

VI. Incident Response Plan

Seattle Pacific University maintains a written Computer Security Incident Response Plan to address data security breaches. The plan outlines the steps to be taken in the event of a breach, including notification of affected customers and regulatory authorities.

VII. Service Provider Oversight

If Seattle Pacific University shares customer information with third-party service providers, it will ensure that these providers maintain safeguards for customer information. Contracts with service providers include requirements for maintaining the security and confidentiality of customer information and are part of the SPU Vendor Assessment Policy and the /wiki/spaces/POL/pages/36569939.

VIII. Secure Information Disposal

Seattle Pacific University has established procedures for the secure disposal of customer information that is no longer needed. The Institutional Data Policy outlines high-level obligations, and various departments have more detailed data retention and destruction policies based on their business operations and regulatory requirements. These procedures are intended to prevent unauthorized access to discarded information.

IX. Board Oversight

The board of trustees of Seattle Pacific University reviews and approves the program, receives regular updates on its status, and addresses any identified deficiencies or vulnerabilities.

X. Compliance and Enforcement

Non-compliance with this policy and associated GLBA requirements will result in appropriate disciplinary actions. Seattle Pacific University will maintain records of GLBA compliance efforts and related documentation.


Definition of Terms


Consumer: In accordance with the GLBA, a 'consumer' is defined as an individual who obtains financial products or services from a financial institution primarily for personal, family, or household purposes. This term also includes the legal representative of such an individual (refer to 15 U.S.C. § 6809(9)).

Customer Information: According to the GLBA FTC Safeguard Rules §314.2.b, customer information refers to any record, in paper, electronic, or other form, that contains non-public personal information as defined in 16 CFR 313.3(n) about a customer of a financial institution. Such records are handled or maintained by you or your affiliates.

Information Security Program: According to the FTC Safeguard Rules §314.2.c, an Information Security Program refers to the measures taken to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information, including administrative, technical, and physical safeguards.

Non-public Personal Information: The GLBA safeguards the privacy of non-public personal information, which encompasses various types of sensitive data such as personal addresses, phone numbers, health information, financial information, driver's license numbers, bank account information, credit card numbers, credit reports, loan applications, loan details, social security numbers, tax returns, the SPU ID number, and more. See Data Classification Levels.

Personally Identifiable Information (PII): PII encompasses any information that relates to an identified or identifiable living individual. It includes various data elements that, when collected together, can lead to the identification of a specific person.

Processing: The term 'processing' encompasses any operation or series of operations performed on personal data, whether automated or not. These operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making the data available, alignment or combination, restriction, erasure, or destruction.

Service Provider: In the context of data protection, a third party refers to a natural or legal person, public authority, agency, or body that is not the data subject, controller, processor, or anyone under the direct authority of the controller or processor, and that is authorized to process personal data.

Related Policies and Procedures