Educause Security Discussion mailing list archives

Re: Security (Safeguarding) of Financial Information in Higher Ed


From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Sat, 22 Mar 2003 10:29:32 -0800

Rodney,  We too were recently made aware of this.  It is another in a
series of rules and laws intended to safeguard personal information.
(Kinda ironic in light of TIA but nonetheless...)

The NACUBO paper says the FTC rules require colleges and universities
to develop plans and maintain programs to:

*  designate an employee or employees to coordinate their information
security program;
        [Most campuses have security officers but probably with less authority
         than this would imply.]

*  identify reasonable, foreseeable internal and external risks to
the security, confidentiality, and integrity of customer information
that could result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.  At a
minimum, such a risk assessment should include consideration of risks
in each of the following operational areas:

   - employee training and management,

   - information systems, including network and software design, as
well as information processing, storage, transmission, and disposal,
and

   - detecting, preventing and responding to attacks, intrusions, or
other systems failures;

*  design and implement information safeguards to control the risks
identified through risk assessment and regularly test or monitor the
effectiveness of the safeguards' key controls, systems, and
procedures;

        [These appear much more stringent than we are used to in higher ed]

*  oversee service providers by taking steps to select and retain
providers that are capable of maintaining appropriate safeguards for
customer information;

*  contractually require their service providers to implement and
maintain such safeguards; and

*  periodically evaluate and adjust their information security
program, based on the results of the testing and monitoring mentioned
above, any material changes to operations, or any other circumstances
that are known to have or that may have a material impact on the
information security program.

Effective Date: Institutions must implement an information security
program no later than May 23, 2003.

My strong suggestion is that this set of activities be a part of a
larger information management strategy for the campus rather than a
specific project to address the FTC rule.  This area - protection of
personal information, etc. - is not only something that we should
take seriously wherever such information is collected but is very
likely to become the subject of additional rules, etc.

For example, in California we have a recent law (SB1386) that
requires that we notify subjects of any "database" that is
compromised and includes "unencrypted names plus at least one of (a)
SSN, (b) driver's license or state issued ID#, or (c) credit, debit,
or other financial account# plus PIN/passwd/etc."

"Database" technically includes email, for example.  Another
interesting example is the little desktop text files that our admin
assistants keep in order to make travel arrangements for us.

All of this makes management sense but is (generally) not something
we have taken as seriously as we must now.

       David
-----
At 11:49 AM -0500 on 3/22/03, Rodney Petersen wrote:

For many of us, a new federal requirement for information security has
escaped our radar screen until recently.  I had assumed that the
Gramm-Leach-Bliley Act (GLBA) was only of concern to "banks" or other
"financial institutions."  However, it is increasingly clear that
colleges and universities are expected to be in compliance with the
information security requirements of Gramm-Leach-Bliley by May 23, 2003
- just 2 months away.  This matter was first brought to my attention at
the University of Maryland a couple of weeks ago by our Office of
Financial Aid.

Below is some information about the Final Rules provided by EDUCAUSE to
its membership this week.  There is also a brief description of the GLBA
on page 12 of the new security legal issues paper available at
http://www.educause.edu/ir/library/pdf/CSD2746.pdf

For anyone who has not reviewed the requirements or begun to think about
the impact, I urge you to bring this to the attention of your legal
counsel and information security staff as soon as possible.  For anyone
who has reviewed the requirements and taken steps to comply, I would be
interested in information that you can share with the Security
Discussion Group in response to the following questions:

1) Who, if anyone, have you designated to coordinate the safeguards?

2) Have you "documented" your information security program as required
in the Final Rule?  If so, can you share a copy of the documentation or
a URL where you have identified your "administrative, technical, and
physical safeguards"?

3) Are there any other changes your institution is anticipating in
response to the GLBA?

4) What individuals or offices are involved in coordination of efforts
to bring your institution into compliance?

Thanks,

Rodney Petersen
University of Maryland and EDUCAUSE



EDUCAUSE Washington Update, March 19, 2003

SAFEGUARDS RULE FOR FINANCIAL INFORMATION
The Federal Trade Commission (FTC) has published new guidance on how to
comply with the Final Rule on "Standards for Safeguarding Customer
Information" that implements the Gramm-Leach-Bliley Act. The report
summarizes requirements under the Safeguards Rule and recommends
practices for safeguarding financial information. Colleges and
universities will have until May 23, 2003, to comply with the
requirements.

The Safeguards Rule requires the development of a written information
security plan that (1) designates one or more employees to coordinate
the safeguards, (2) identifies and assesses risks to customer
information and evaluates the effectiveness of the current safeguards,
(3) designates and implements a safeguards program and the regular
monitoring and testing of it, (4) selects appropriate service providers
and ensures that contracts with those providers include safeguards, and
(5) evaluates and adjusts the program in light of relevant
circumstances. For the full FTC report, "Financial Institutions and
Customer Data: Complying with the Safeguards Rule," go to
http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

For the Safeguard Rule see
http://www.ftc.gov/os/2002/05/67fr36585.pdf

Summary information is also available at
http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf

************************************************************
Written from EDUCAUSE's Washington office, the EDUCAUSE Washington
Update is a free service of EDUCAUSE, a nonprofit association
dedicated to advancing higher education by promoting the intelligent
use of information technology.

Anyone may subscribe to the Update. Join or leave the list at
http://listserv.educause.edu/cgi-bin/wa.exe?SUBED1=update&&A=1

Or, you can subscribe by sending an e-mail to
LISTSERV () LISTSERV EDUCAUSE EDU and typing "subscribe update
<firstname lastname>" in the body of the message. To
unsubscribe, send e-mail to the same address and type
"signoff update" in the body.

To view past Washington Updates, refer to the archives at
http://www.educause.edu/pub/wu/

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.
