GLBA Information Security Program
About This Policy
- Effective Date
- Last Updated
- Policy Owner: Information Technology
- Responsible Office: Information Technology
Reason for Policy
Pursuant to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule codified at 34 CFR 314.4, the Federal Trade Commission required the adoption of an Information Security Program no later than June 9, 2023, to develop, implement and maintain safeguards to protect the security, confidentiality, and integrity of customer financial records and related non-public personally identifiable financial information. Certain activities conducted by Montclair State are subject to the GLBA. The GLBA does not contain an exemption for colleges or universities.
Applicability of Policy
This policy applies to any College, Division, department or unit of Montclair State, any Service Provider of Montclair State, and any Related Entities of Montclair State, that collects, stores or processes Covered Data in connection with the delivery of Financial Services (as defined below in this Policy). This obligation is in addition to any other University policies and procedures adopted pursuant to international law or U.S. federal and state laws and regulations for the protection of personal data, including the Family Educational Rights and Privacy Act (FERPA).
By way of example, the types of Covered Data regulated by the GLBA include the following:
- Information provided by an applicant or student to obtain a loan or extension of credit from the University, a private lender, or the federal government;
- Information provided by a student to regularly receive refunds or make payments by wire transfer or debit card;
- Information from a consumer report regarding a student to receive a loan;
- Information from an employee or student to license real property from the University;
- Account balance information, payment history, overdraft history, credit or debit card purchase information;
- Any information provided by a student in connection with collecting on or servicing an account;
- Personal information collected through an internet cookie for the provision of Financial Services (as defined below) by the University.
The following offices within the University handle Covered Data in the delivery of Financial Services:
- Enrollment (Admissions, Financial Aid, Student Accounts)
- Residence Life
- Information Technology
Objective of The Program
The objectives of the Program are to: 1) protect the security and confidentiality of Covered Data; 2) protect against anticipated threats or hazards to the security or integrity of Covered Data; and 3) protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to an individual.
“Covered Data” means (i) non-public personal financial information about a Customer and (ii) any list, description, or other grouping of Customers (and publicly available information pertaining to them) that is derived using any non-public personal financial information. Examples of Covered Data include bank and credit card account numbers, income and credit histories, tax returns, and social security numbers, as well as lists of public information such as names, addresses and telephone numbers derived in whole or in part from personally identifiable financial information (e.g., names of students with outstanding loans). Covered Data is subject to the protections of GLBA even if the Customer ultimately is not awarded any financial aid or provided with a credit extension. Covered Data does not include aggregated personal information that has been de-identified or anonymized.
“Customer” means any person (student, parent, faculty, staff, or other third party with whom the University interacts) who receives a Financial Service from the University for personal, family or household reasons that results in a continuing relationship with the University.
“Financial Service” includes offering or servicing student loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, reviewing credit reports in connection with providing a loan to a student or prospective student, engaging in debt collection activities, and leasing real or personal property to students for their benefit.
“Related Entities” means the following types of entities and their subsidiaries, if legally separate from the University: auxiliary corporations; not-for-profit organizations formed to receive charitable contributions or for any other purpose; and for-profit organizations formed for the creation of academic units or for research and development purposes. For the avoidance of doubt, Related Entities include the Montclair State University Foundation, Inc. and will include Bloomfield College of Montclair State University.
“Service Provider” means any person or entity that receives, maintains, processes, or otherwise is permitted access to Covered Data through its direct provision of Financial Services to the University. For the avoidance of doubt, Service Provider includes software-as-a-service providers who contract with the University and Related Entities to receive Covered Data for the delivery of Financial Services. Service Providers also include any person or entity that administers any aspect of the University’s participation in U.S. Department of Education Title IV programs.
1. Designation of Qualified Individual Responsible for Overseeing and Implementing Program
The Vice President for Information Technology (VPIT), or designee, shall: (1) coordinate the Program, (2) identify internal and external risks to the security and confidentiality of Covered Data and evaluate current safeguards, (3) design and implement safeguards to control the identified risks and regularly test and monitor the effectiveness of these safeguards, (4) oversee the assessment of security provided by contracted Service Providers, and (5) evaluate the effectiveness of the Program.
The VPIT or designee shall also designate an appropriate individual(s) to serve as the University Program Coordinator, who will administer this Information Security Program for the University and serve as the primary resource and liaison with Montclair State’s Divisions, departments, units, Service Providers and Related Entities for addressing issues related to the GLBA Safeguards Rule and disseminating relevant information and updates.
2. Risk Assessment
Prior to the adoption of this Program, Montclair State performed an information security risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of information, and to assess the sufficiency of safeguards in place to control these risks. Specifically, Montclair recognized that the internal and external information security risks include, but are not limited to:
- Unauthorized access of Covered Data and information by someone other than the owner of the Covered Data
- Compromised system security as a result of an unauthorized person gaining access to data during transmission
- Loss of data integrity
- Physical loss of data in the event of a disaster
- Errors introduced into the system
- Corruption of data or systems
- Management of account users in systems maintained by the University and SaaS providers
- Unauthorized access of Covered Data by employees
- Unauthorized requests for Covered Data
- Unauthorized access through hardcopy files or reports
- Unauthorized transfer of Covered Data through third parties
Recognizing that this may not represent a complete list of the risks associated with the protection of Covered Data, and that new risks are created regularly, the VPIT will actively monitor appropriate cybersecurity advisory literature to identify emerging risks and ensure that information security risk assessments are performed periodically.
Safeguards to Control Risks Identified Through Risk Assessment
The following is a list of current safeguards implemented, monitored and maintained by the University which are reasonable and sufficient to provide security and confidentiality to Covered Data. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.
1. Employee Management and Training
References and/or background checks (as appropriate depending upon position) of new employees working in areas that have access to Covered Data are performed. New employees who handle Covered Data receive proper training on the importance of confidentiality of student records, student financial information and all other Covered Data, and the proper use of computer information and passwords. Thereafter, all employees are required to complete annual training in cybersecurity and FERPA to ensure compliance. Cybersecurity awareness training also includes controls and procedures to detect and identify ransomware, phishing and social engineering tactics to prevent employees from providing Covered Data to an unauthorized individual. These training efforts minimize risk and safeguard Covered Data and information. Security updates are regularly distributed to all employees to raise awareness and test vulnerability to social engineering tactics.
2. Physical Security
Montclair has addressed the physical security of Covered Data by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to employees with a legitimate business need for such information. Furthermore, each department responsible for maintaining Covered Data is instructed to take steps to protect such information from viewing by unauthorized persons, destruction, loss or damage.
3. Information Systems
Access to Covered Data and information via Montclair’s on-campus computer information system or licensed SaaS systems is limited to those employees and faculty who have a legitimate business reason to access such information. The University has policies and procedures in place to complement the physical and technical safeguards in order to provide security to Montclair’s IT information systems. These policies and procedures, listed as related policies below, are also listed on the University’s website. The management of University servers storing or processing Covered Data and information has also been transferred entirely to the VPIT, and these servers are all housed in a secure data center.
Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, Montclair does not use social security numbers as student identifiers but instead uses a net ID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented and legitimate business need.
Covered Data is protected by encryption both when transmitted by the University in transit over external networks and when stored at rest. The University has also implemented or will implement multi-factor authentication for any system that processes or stores Covered Data unless the VPIT, or designee, has approved in writing the use of reasonably equivalent secure access controls.
4. Management of System Failures
IT has developed written policies and procedures to assist in detecting any actual or attempted attacks on Montclair’s on-campus IT systems and in evaluating the security of third parties providing off-campus IT systems. A written Data Breach Response Protocol provides procedures for responding to an actual or attempted unauthorized access to Covered Data, and is available upon request to the VPIT.
5. Oversight of Service Providers
GLBA requires Montclair to take reasonable steps to select and retain Service Providers who maintain appropriate safeguards for Covered Data by contractually requiring Service Providers to implement and maintain such safeguards. Montclair’s Security Official reviews and approves a HECVAT prepared by a Service Provider who has or will have access to Covered Data, and works with University Counsel, as appropriate, to ensure that the Service Provider’s contracts contain appropriate terms to protect the security of Covered Data. Purchasing units are responsible for managing the Service Provider’s contract and for account management, including removing users when their access to Covered Data is terminated. The University Program Coordinator shall periodically reassess the continued adequacy of the safeguards Service Providers apply to Covered Data based upon the risks presented.
6. Retention and Disposal of Records Containing Covered Data
Records containing Covered Data shall be retained and destroyed in accordance with Montclair’s Records Retention and Destruction Policy.
7. Detection and Testing
The VPIT or designee shall ensure that University IT systems that collect, store and process Covered Data shall:
- a) be designed to monitor and log the activity of authorized users and detect unauthorized access or use of or tampering with Covered Data by such users;
- b) be regularly or continually tested or monitored to evaluate the effectiveness of key controls, systems, and procedures, including those that detect actual and attempted attacks on, or intrusions into, such systems;
- c) no less than annually be subject to penetration testing based upon the above identified risks in accordance with a risk assessment; and
- d) no less than every 6 months or whenever circumstances present a reason to determine the potential for a material impact upon the University’s IT systems, perform a vulnerability assessment that includes system scans or reviews of IT systems reasonably designed to identify publicly known security vulnerabilities.
Continuing Evaluation and Adjustment
This Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the Program will be the responsibility of the University Program Coordinator, who will assign specific responsibility for technical, logical, physical, and administrative safeguards implementation and administration as appropriate. The University Program Coordinator, in consultation with University Counsel, will review the standards set forth in this Program and recommend updates, revisions and adjustments as may be necessary to reflect changes in technology, the sensitivity of Covered Data, and internal or external threats to information security.
Related Policies
- Account Management
- Client Use Administrative Rights Policy (Faculty)
- Data Classification and Handling
- Google Drive Usage Guidelines
- HECVAT: Higher Education Cloud Vendor Assessment (Information Technology Division)
- Network Access and Usage Policy
- Password Management Policy
- Record Retention and Destruction Policy
- Responsible Use of Computing
- Secure Directory Services Access
- Security Incident Response Framework (External)