The Gramm Leach Bliley Act


Purpose

To ensure that all required elements are in place for Wesleyan to be fully compliant with the Gramm-Leach Bliley Act (GLBA) including the Federal Trade Commission’s (FTC’s) Safeguards Rule as described at https://www.ftc.gov/legal-library/browse/rules/safeguards-rule .

Scope

This policy applies to all Wesleyan information systems that are covered under the FTC Safeguards Rule.

Policy

Information security program objectives

Wesleyan’s information security program strives to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Information security program responsibility

The Chief Information Security Officer (CISO) is responsible for developing, overseeing, implementing, enforcing, and maintaining Wesleyan’s information security program.

Annual risk assessment

The CISO will perform an annual risk assessment covering systems housing Wesleyan’s customer information whether stored in Wesleyan information systems or service provider information systems.  The risk assessment will strive to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks.

The risk assessment will be written and shall include:

  • Criteria for the evaluation and categorization of identified security risks or threats Wesleyan faces;
  • Criteria for the assessment of the confidentiality, integrity, and availability of Wesleyan's information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats Wesleyan faces; and
  • Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

Implementation of safeguards

The CISO will oversee the implementation of safeguards to address risks identified in the annual risk assessment.  These safeguards may include, but are not limited to, the following:

  • Access controls to authenticate users and authorize them to use only those resources needed to perform their job functions;
  • Identification and management of the systems in accordance with their relative importance to conducting Wesleyan’s business operations;
  • Encryption of customer data in transit and at rest, and if encryption at rest is not possible alternative compensating controls will be used instead;
  • Secure development practices for in-house developed applications used by Wesleyan to transmit, access, or store customer information;
  • Procedures for evaluating, assessing, or testing the security of externally developed applications used by Wesleyan to transmit, access, or store customer information;
  • Use of multi-factor authentication by authorized users for access to customer information;
  • Procedures for secure disposal of customer information when the customer information no longer needs to be retained;
  • Periodic review of the Wesleyan University Record Retention Policy;
  • Procedures for change management; and
  • Procedures to log access and modification of customer information by authorized users.

Regular testing of controls

Wesleyan will perform annual penetration testing and monthly vulnerability assessments of Covered Wesleyan Systems.

Security awareness training

The CISO will provide annual security awareness training.  The training will be updated as necessary to reflect risks identified by the risk assessment.  The CISO will stay up to date on changing information security threats and countermeasures.

Service providers

All Covered Third-Party Vendors will have their information security safeguards reviewed prior to engaging their services.  All contracts with Covered Third-Party Vendors will require that they maintain appropriate and reasonable information security safeguards.  Safeguards used by Covered Third-Party Vendors will be annually reviewed by the CISO.

Evaluation and adjustment of information security plan

The CISO will evaluate, and if necessary adjust, the information security plan whenever the CISO identifies any circumstances that may have a material impact on the information security program.

Incident response plan

The CISO will maintain a written incident response plan.  The incident response plan will contain:

  • The goals of the incident response plan;
  • Internal processes for responding to a security event;
  • Definitions of clear roles, responsibilities, and levels of decision-making authority;
  • Procedures for external and internal communications and information sharing;
  • Procedures for remediating any identified weaknesses in information systems; and
  • Procedures for evaluating and revising the incident response plan following a security event.

Annual report

The CISO will produce an annual report for the Board of Trustees on key aspects of the information security program which will include a written risk assessment about Wesleyan's customer information.

Exceptions

Any exceptions to this policy require written approval from the General Counsel and the Vice President of Information Technology Services & Chief Information Officer.  Any exceptions must be reapproved in writing annually.

Appendix

Definitions

Information system – definition taken from § 314.2 (j) of the Safeguards Rule:

Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.

Customer information – definition taken from § 314.2 (d) of the Safeguards Rule:

Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

Nonpublic personal information - definition taken from § 314.2 (l) (1) of the Safeguards Rule:

Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

Covered Wesleyan Systems

The following have been identified as Covered Wesleyan Systems:

  • Flywire
  • PeopleSoft (student module)
  • PeopleSoft (finance module)
  • PowerFAIDS

Covered Third-Party Vendors

The following have been identified as Covered Third-Party Vendors:

  • ECSI
  • Reliant
  • CRS
  • CBHV

Approval History

2023-03-27    Policy adopted