Educause Security Discussion mailing list archives
Re: Security (Safeguarding) of Financial Information in Higher Ed
From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Sat, 22 Mar 2003 10:29:32 -0800
Rodney,

We too were recently made aware of this. It is another in a series of rules and laws intended to safeguard personal information. (Kinda ironic in light of TIA but nonetheless... )

The NACUBO paper says the FTC rules require colleges and universities to develop plans and maintain programs to:

* designate an employee or employees to coordinate their information security program;
  [Most campuses have security officers but probably with less authority than this would imply.]

* identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each of the following operational areas:
  - employee training and management,
  - information systems, including network and software design, as well as information processing, storage, transmission, and disposal, and
  - detecting, preventing and responding to attacks, intrusions, or other systems failures;

* design and implement information safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures;
  [These appear much more stringent than we are used to in higher ed]

* oversee service providers by taking steps to select and retain providers that are capable of maintaining appropriate safeguards for customer information;

* contractually require their service providers to implement and maintain such safeguards; and

* periodically evaluate and adjust their information security program, based on the results of the testing and monitoring mentioned above, any material changes to operations, or any other circumstances that are known to have or that may have a material impact on the information security program.

Effective Date: Institutions must implement an information security program no later than May 23, 2003.

My strong suggestion is that this set of activities be a part of a larger information management strategy for the campus rather than a specific project to address the FTC rule. This area - protection of personal information, etc. - is not only something that we should take seriously wherever such information is collected but is very likely to become the subject of additional rules, etc.

For example, in California we have a recent law (SB1386) that requires that we notify subjects of any "database" that is compromised and includes "unencrypted names plus at least one of (a) SSN, (b) driver's license or state issued ID#, or (c) credit, debit, or other financial account# plus PIN/passwd/etc." "Database" technically includes email, for example. Another interesting example is the little desktop text files that our admin assistants keep in order to make travel arrangements for us.

All of this makes management sense but is (generally) not something we have taken as seriously as we must now.

David

-----

At 11:49 AM -0500 on 3/22/03, Rodney Petersen wrote:
For many of us, a new federal requirement for information security has escaped our radar screen until recently. I had assumed that the Gramm-Leach-Bliley Act (GLBA) was only of concern to "banks" or other "financial institutions." However, it is increasingly clear that colleges and universities are expected to be in compliance with the information security requirements of Gramm-Leach-Bliley by May 23, 2003 - just 2 months away. This matter was first brought to my attention at the University of Maryland a couple of weeks ago by our Office of Financial Aid.

Below is some information about the Final Rules provided by EDUCAUSE to its membership this week. There is also a brief description of the GLBA on page 12 of the new security legal issues paper available at http://www.educause.edu/ir/library/pdf/CSD2746.pdf

For anyone who has not reviewed the requirements or begun to think about the impact, I urge you to bring this to the attention of your legal counsel and information security staff as soon as possible.

For anyone who has reviewed the requirements and taken steps to comply, I would be interested in information that you can share with the Security Discussion Group in response to the following questions:

1) Who, if anyone, have you designated to coordinate the safeguards?

2) Have you "documented" your information security program as required in the Final Rule? If so, can you share a copy of the documentation or a URL where you have identified your "administrative, technical, and physical safeguards"?

3) Are there any other changes your institution is anticipating in response to the GLBA?

4) What individuals or offices are involved in coordination of efforts to bring your institution into compliance?

Thanks,

Rodney Petersen
University of Maryland and EDUCAUSE

EDUCAUSE Washington Update, March 19, 2003

SAFEGUARDS RULE FOR FINANCIAL INFORMATION

The Federal Trade Commission (FTC) has published new guidance on how to comply with the Final Rule on "Standards for Safeguarding Customer Information" that implements the Gramm-Leach-Bliley Act. The report summarizes requirements under the Safeguards Rule and recommends practices for safeguarding financial information. Colleges and universities will have until May 23, 2003, to comply with the requirements.

The Safeguards Rule requires the development of a written information security plan that (1) designates one or more employees to coordinate the safeguards, (2) identifies and assesses risks to customer information and evaluates the effectiveness of the current safeguards, (3) designates and implements a safeguards program and the regular monitoring and testing of it, (4) selects appropriate service providers and ensures that contracts with those providers include safeguards, and (5) evaluates and adjusts the program in light of relevant circumstances.

For the full FTC report, "Financial Institutions and Customer Data: Complying with the Safeguards Rule," go to http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

For the Safeguard Rule see http://www.ftc.gov/os/2002/05/67fr36585.pdf

Summary information is also available at http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf

************************************************************

Written from EDUCAUSE's Washington office, the EDUCAUSE Washington Update is a free service of EDUCAUSE, a nonprofit association dedicated to advancing higher education by promoting the intelligent use of information technology. Anyone may subscribe to the Update.
To view past Washington Updates, refer to the archives at http://www.educause.edu/pub/wu/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.