Educause Security Discussion mailing list archives
Security (Safeguarding) of Financial Information in Higher Ed
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Sat, 22 Mar 2003 11:49:48 -0500
For many of us, a new federal requirement for information security has escaped our radar screen until recently. I had assumed that the Gramm-Leach-Bliley Act (GLBA) was only of concern to "banks" or other "financial institutions." However, it is increasingly clear that colleges and universities are expected to be in compliance with the information security requirements of Gramm-Leach-Bliley by May 23, 2003 - just 2 months away.

This matter was first brought to my attention at the University of Maryland a couple of weeks ago by our Office of Financial Aid. Below is some information about the Final Rules provided by EDUCAUSE to its membership this week. There is also a brief description of the GLBA on page 12 of the new security legal issues paper available at http://www.educause.edu/ir/library/pdf/CSD2746.pdf

For anyone who has not reviewed the requirements or begun to think about the impact, I urge you to bring this to the attention of your legal counsel and information security staff as soon as possible.

For anyone who has reviewed the requirements and taken steps to comply, I would be interested in information that you can share with the Security Discussion Group in response to the following questions:

1) Who, if anyone, have you designated to coordinate the safeguards?
2) Have you "documented" your information security program as required in the Final Rule? If so, can you share a copy of the documentation or a URL where you have identified your "administrative, technical, and physical safeguards"?
3) Are there any other changes your institution is anticipating in response to the GLBA?
4) What individuals or offices are involved in coordination of efforts to bring your institution into compliance?

Thanks,

Rodney Petersen
University of Maryland and EDUCAUSE

EDUCAUSE Washington Update, March 19, 2003

SAFEGUARDS RULE FOR FINANCIAL INFORMATION

The Federal Trade Commission (FTC) has published new guidance on how to comply with the Final Rule on "Standards for Safeguarding Customer Information" that implements the Gramm-Leach-Bliley Act. The report summarizes requirements under the Safeguards Rule and recommends practices for safeguarding financial information. Colleges and universities will have until May 23, 2003, to comply with the requirements.

The Safeguards Rule requires the development of a written information security plan that (1) designates one or more employees to coordinate the safeguards, (2) identifies and assesses risks to customer information and evaluates the effectiveness of the current safeguards, (3) designates and implements a safeguards program and the regular monitoring and testing of it, (4) selects appropriate service providers and ensures that contracts with those providers include safeguards, and (5) evaluates and adjusts the program in light of relevant circumstances.

For the full FTC report, "Financial Institutions and Customer Data: Complying with the Safeguards Rule," go to http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

For the Safeguard Rule see http://www.ftc.gov/os/2002/05/67fr36585.pdf

Summary information is also available at http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf

************************************************************

Written from EDUCAUSE's Washington office, the EDUCAUSE Washington Update is a free service of EDUCAUSE, a nonprofit association dedicated to advancing higher education by promoting the intelligent use of information technology. Anyone may subscribe to the Update.