Federal and Regulatory :: The Gramm-Leach-Bliley Act
This is a federal law issued by the Federal Trade Commission that protects the security of personally identifiable, non-public financial information. The GLB Safeguards Rule applies to financial institutions when engaging in certain bank-like activities, such as making, brokering and servicing loans, providing financial advice, collecting consumer debt, and transferring or safeguarding money.

The FTC has determined that most institutions of higher education are financial institutions and are subject to GLB, when making student loans and providing mortgages to faculty members. Other areas in higher education that may be subject to GLB include making executive loans to senior officials, providing financial counseling to donors in planned giving, providing financial advice in pension planning, offering cards used in lieu of cash for campus transactions, such as cash cards, and providing university credit cards.

The Safeguards Rule requires financial institutions engaged in such activities to develop and implement an information security program that protects personally identifiable, non-public financial information obtained in connection with a financial activity. The Rule applies to both electronic and paper information, which may include but is not limited to bank and credit card information, income and credit history, social security number, loan amount, balance and repayment status. For educational institutions, this means that information that students, parents, faculty, or employees provide to the University in connection with any of the above financial activities must be protected under the Rule.

The Safeguards Rule requires financial institutions to memorialize in writing their information security program. The program must include the following six components:

  1. Designation of one or more employees to coordinate the program
  2. Identification and assessment of risks to the security of customer information and evaluation of controls
  3. Design and implementation of a safeguards program
  4. Regular testing and monitoring of safeguards
  5. Oversight of service providers who have access to protected information
  6. Evaluation and adjustment of the program as necessary

Best practices to ensure information security

  • Check references prior to hiring employees
  • Regularly ask employees to sign a confidentiality and security agreement
  • Train employees regarding security, confidentiality and integrity of information
  • Lock rooms & file cabinets where paper records are maintained
  • Use strong passwords (e.g. 8 or more characters) and change passwords periodically
  • Encrypt sensitive customer information when transmitted over networks or stored online
  • Refer requests for customer information to appropriate persons
  • Recognize any fraudulent attempts to obtain customer information
  • Limit access to information to those who need to know
  • Establish disciplinary measures for breaches
  • Disable accounts of employees who leave the University
  • Ensure secure storage of records:
    • Store paper records in a room, cabinet or other container that is locked when unattended
    • Ensure that storage areas are protected against destruction or damage from physical hazards
    • Store electronic customer information on a secure server that is accessible only with a password
    • Don’t store sensitive customer data on a machine with an Internet connection
    • Maintain secure backup media & keep archived data secure
  • Provide for secure data transmission:
    • If collecting credit card information, use a Secure Sockets Layer (SSL) or other secure connection (encrypt information in transit)
    • If collecting information directly from consumers, make secure transmission automatic
    • If you transmit sensitive data by electronic mail, ensure that such messages are password protected
  • Dispose of customer information in a secure manner:
    • Designate a records retention manager to supervise disposal of records
    • Shred or recycle customer information maintained on paper
    • Erase all data when disposing of computers, diskettes, magnetic tapes and hard drives
    • Promptly destroy outdated customer information
  • Monitor operations to detect improper disclosures or theft of customer information
  • Inventory computers

GLB & Other Security Website References

http://www.ftc.gov/infosecurity

http://csrc.nist.gov

http://www.sans.org/top20.htm
