Educause Security Discussion mailing list archives

Security (Safeguarding) of Financial Information in Higher Ed


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Sat, 22 Mar 2003 11:49:48 -0500

For many of us, a new federal requirement for information security has
escaped our radar screen until recently.  I had assumed that the
Gramm-Leach-Bliley Act (GLBA) was only of concern to "banks" or other
"financial institutions."  However, it is increasingly clear that
colleges and universities are expected to be in compliance with the
information security requirements of Gramm-Leach-Bliley by May 23, 2003
- just 2 months away.  This matter was first brought to my attention at
the University of Maryland a couple of weeks ago by our Office of
Financial Aid.

Below is some information about the Final Rules provided by EDUCAUSE to
its membership this week.  There is also a brief description of the GLBA
on page 12 of the new security legal issues paper available at
http://www.educause.edu/ir/library/pdf/CSD2746.pdf

For anyone who has not reviewed the requirements or begun to think about
the impact, I urge you to bring this to the attention of your legal
counsel and information security staff as soon as possible.  For anyone
who has reviewed the requirements and taken steps to comply, I would be
interested in information that you can share with the Security
Discussion Group in response to the following questions:

1) Who, if anyone, have you designated to coordinate the safeguards?

2) Have you "documented" your information security program as required
in the Final Rule?  If so, can you share a copy of the documentation or
a URL where you have identified your "administrative, technical, and
physical safeguards"?

3) Are there any other changes your institution is anticipating in
response to the GLBA?

4) What individuals or offices are involved in coordination of efforts
to bring your institution into compliance?

Thanks,

Rodney Petersen
University of Maryland and EDUCAUSE



EDUCAUSE Washington Update, March 19, 2003

SAFEGUARDS RULE FOR FINANCIAL INFORMATION
The Federal Trade Commission (FTC) has published new guidance on how to
comply with the Final Rule on "Standards for Safeguarding Customer
Information" that implements the Gramm-Leach-Bliley Act. The report
summarizes requirements under the Safeguards Rule and recommends
practices for safeguarding financial information. Colleges and
universities will have until May 23, 2003, to comply with the
requirements.

The Safeguards Rule requires the development of a written information
security plan that (1) designates one or more employees to coordinate
the safeguards, (2) identifies and assesses risks to customer
information and evaluates the effectiveness of the current safeguards,
(3) designates and implements a safeguards program and the regular
monitoring and testing of it, (4) selects appropriate service providers
and ensures that contracts with those providers include safeguards, and
(5) evaluates and adjusts the program in light of relevant
circumstances. For the full FTC report, "Financial Institutions and
Customer Data: Complying with the Safeguards Rule," go to
http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

For the Safeguards Rule, see
http://www.ftc.gov/os/2002/05/67fr36585.pdf

Summary information is also available at
http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf

************************************************************
Written from EDUCAUSE's Washington office, the EDUCAUSE Washington
Update is a free service of EDUCAUSE, a nonprofit association
dedicated to advancing higher education by promoting the intelligent
use of information technology.
