Gramm-Leach-Bliley Act (GLBA); Information Security & Acceptable Use Policy & Procedure

  • Procedure Type: Information Technologies
  • Procedure Title: GLBA; Information Security & Acceptable Use 
  • Procedure Number: NA
  • Office Responsible: Information Technologies & Resources
  • Related Policies: NA
  • Related Procedures: NA
  • Related Laws: Gramm-Leach-Bliley Act, 15 U.S.C.A. § 6801 et seq.
  • HLC Criterion: NA

1. Policy Statement | This IT Security Policy outlines the measures and procedures adopted by Oakland Community College to comply with the Gramm-Leach-Bliley Act (GLBA) and to ensure the protection and confidentiality of sensitive financial information. This policy applies to all faculty, staff, students, and third-party service providers who access, handle, or manage financial and personal data.

2. Objectives

    • Ensure the security and confidentiality of customer information.
    • Protect against anticipated threats or hazards to the security or integrity of such information.
    • Guard against unauthorized access to or use of such information that could result in substantial harm or inconvenience.

3. Scope | This policy covers all financial and personal information maintained by Oakland Community College, including but not limited to:

    • Student financial aid information
    • Employee payroll and benefits information
    • Financial transaction records
    • Any other sensitive data as defined by the GLBA

4. Definitions

    • Customer Information: Any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of Oakland Community College.
    • Nonpublic Personal Information: Personally identifiable financial information that a person provides to obtain a financial product or service from the College, that results from a transaction involving such a product or service, or that the College otherwise obtains in connection with providing it, and that is not publicly available.

5. Information Security Program

5.1 Designation of Coordinator | The Enterprise Systems and Security Director is designated as the Program Coordinator (the Qualified Individual under the GLBA Safeguards Rule) responsible for implementing, monitoring, and updating this policy and the information security program it describes.

5.2 Risk Assessment | A written risk assessment will be conducted, and repeated periodically, to identify potential threats to the security, confidentiality, and integrity of customer information. This includes:

    • Identifying and assessing risks in each relevant area of the institution’s operations, including IT systems, employee practices, and third-party service providers.
    • Evaluating the effectiveness of current safeguards.

5.3 Information Security Measures | To mitigate identified risks, the following measures will be implemented:

5.3.1 Access Controls

    • Require multi-factor authentication for all users accessing systems that store, process, or transmit customer information.
    • Restrict access to customer information based on the principle of least privilege, granting only the access needed for an individual's role and reviewing that access periodically.

5.3.2 Encryption

    • Encrypt customer information both at rest and in transit over external networks, using current, industry-accepted algorithms and key lengths.

5.3.3 Physical Security

    • Secure physical access to locations where sensitive information is stored.

5.3.4 Monitoring and Logging

    • Implement systems to monitor and log access to sensitive information.
    • Regularly review logs for unauthorized access attempts.

5.3.5 Employee Training and Management

    • Conduct regular training for employees on information security policies and procedures.
    • Enforce disciplinary measures for non-compliance.

5.4 Incident Response Plan | Develop and maintain an incident response plan to address data breaches and other security incidents. This includes:

    • Immediate containment and remediation steps.
    • Notification procedures for affected individuals and regulatory bodies, including notice to the Federal Trade Commission, which the Safeguards Rule requires no later than 30 days after discovery of a notification event involving the information of 500 or more consumers.
    • Post-incident analysis and improvement measures.

5.5 Evaluation and Adjustment | Regularly evaluate and adjust the information security program based on:

    • The results of testing and monitoring.
    • Changes in technology and data processing practices.
    • New or emerging threats.

6. Oversight of Service Providers

6.1 Due Diligence | Conduct due diligence when selecting service providers who may have access to customer information. Ensure they have appropriate safeguards in place, and periodically reassess those safeguards for the duration of the relationship.

6.2 Contractual Obligations | Include provisions in contracts with service providers requiring them to implement and maintain appropriate security measures to protect customer information.

7. Compliance and Enforcement

7.1 Audits and Assessments | Regular audits and assessments will be conducted to ensure compliance with this policy and GLBA requirements.

7.2 Violations and Penalties | Violations of this policy will be subject to disciplinary action, up to and including termination of employment or contract.

8. Policy Review | This policy will be reviewed and updated annually or as needed to ensure continued compliance with regulatory requirements and to address new threats and vulnerabilities.

9. Qualified Individuals/Department Responsible for Implementation & Procedure/Contact Information

For questions or concerns regarding this policy, please contact the Enterprise Systems and Security Director at itsupportcenter@oaklandcc.edu


Change Log

• 10-08-2024 Policy Effective
