Gramm-Leach-Bliley Act Security Plan
The Financial Services Modernization Act of 1999 (also known as Gramm-Leach-Bliley Act (GLBA)) governs the use, sharing, and collection of financial information. It requires “financial institutions” to take steps to protect customers’ nonpublic personal information. Because higher education institutions like the University of Illinois System participate in financial activities such as making student loans, the Federal Trade Commission's regulations consider them financial institutions and subject to certain GLBA regulations. Higher education institutions must comply with the GLBA Safeguards Rule and Pretexting Provisions; however, they are exempt from the GLBA Privacy Rule by being compliant with the Family Educational Rights and Privacy Act (FERPA).
GLBA Security Plan
Definitions
University of Illinois System: Effective with the approval of the 2016 Strategic Framework and reflected in the Statutes, the University of Illinois System refers to the three universities and the system offices. Acceptable second references are the U of I System, or system.
Purpose
The University of Illinois System GLBA Security Plan outlines how the U of I System complies with federal regulations related to the GLBA Safeguards Rule. The system’s Chief Digital Risk Officer (CDRO) and the universities’ Chief Information Security Officers (CISO) are responsible for the GLBA Security Plan and its periodic review. The University of Illinois Chicago (UIC), University of Illinois Springfield (UIS), and University of Illinois Urbana-Champaign (UIUC) Information Security Policies and the U of I System Privacy Statement, which addresses FERPA compliance, supplement this plan.
Background
GLBA mandates that a university:
- Designate a Qualified Individual to oversee and implement its information security program;
- Identify and assess the risks to covered data in each relevant area of the university’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Implement policies and procedures to ensure that university personnel are able to implement the information security program;
- Select service providers that can maintain appropriate safeguards over covered data, ensure the service contract requires them to maintain safeguards, and oversee their handling of covered data;
- Evaluate and adjust the information security program in light of relevant circumstances, including changes in the university’s business or operations, or the results of security testing and monitoring;
- Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of covered data in the university’s control; and,
- Require the Qualified Individual to report in writing, regularly and at least annually, to the Board of Trustees.
Scope
For purposes of GLBA, covered data is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages. Covered data resides in the U of I System’s Student Information System, eReports, and the Data Warehouse.
The following system and university offices have GLBA responsibilities: University Bursar, Student Financial Aid, Administrative Information Technology Services (AITS), Comptroller, Registrars, UIC Technology Solutions, and UIUC Technology Services.
Plan Statement
I. Qualified Individual
The GLBA Information Security Program is part of the three universities’ Information Security Programs.
The UIC CISO is responsible for the UIC Information Security Program and is designated as the Qualified Individual for UIC.
The UIUC CISO is responsible for the UIS, UIUC, and system offices Information Security Program and is designated as the Qualified Individual for UIS, UIUC, and system offices.
The GLBA Information Security Program is evaluated periodically to make appropriate adjustments based upon regulatory changes or changes to the U of I System’s operations or business. When adjustments are made, appropriate notices are sent to the U of I System community. Questions regarding interpretation and applicability of GLBA and its implementing federal regulations are coordinated with the Office of the University Counsel.
II. Risk Assessment and Safeguards
Covered data is housed in several information systems; therefore, multiple areas of the U of I System are responsible for assessing risks and putting safeguards in place to protect covered data. The Office of the University Bursar and each university’s CISO work together to identify and assess risks to (a) covered data, including detection, prevention and response to attacks, intrusions and other system failures, (b) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (c) employee training and education, and in each case, put safeguards in place to address those risks and regularly test those safeguards to make sure they are effective.
III. Policies and Procedures
The GLBA Information Security Plan is a subset of the universities’ Information Security Policies. Compliance with the university policies ensures compliance with the GLBA Safeguards Rule. Where appropriate, unit level policies and procedures may be adopted as long as they are consistent with university policy. Unit directors and supervisors are responsible for facilitating and enforcing compliance with all information security policies and practices applicable to their unit. Ensuring employees are properly trained is an essential component of their efforts.
Training for data security and privacy is made available to all employees who have access to covered data. New employees must complete training to gain access to student financial aid data. In addition, current employees that have access to student financial aid data must complete training at least once every fiscal year.
IV. Oversight of Service Providers and Contracts
GLBA requires the U of I System to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Vendors who will have access to covered data must undergo a security risk assessment to identify and document risks associated with them transmitting and/or storing covered data. Appropriate data security provisions are included in contracts with such vendors.
V. Evaluation and Revision of the Information Security Program
GLBA mandates that the Information Security Program be subject to periodic review and adjustment resulting from risk assessments and material changes to the U of I System’s operations or business. Processes such as data access procedures and the training program undergo regular review in relevant offices of the U of I System.
VI. Pretexting Provisions
The Office of the University Bursar and each university’s CISO work together to address the Pretexting Provisions by educating employees to recognize social engineering and phishing scams. Consistent with that effort, the System has an established identity theft protection program to implement the Federal Trade Commission’s Red Flags Rule. Learn more about the System’s program on the Identity Theft Prevention (Red Flags Rule) Program website.
VII. GLBA Reporting
The Qualified Individuals for each university submit written reports to each university’s Chief Information Officer (CIO) and to the University of Illinois System Board of Trustees through the System’s CDRO. Reports are submitted at least annually on a fiscal year basis with the first report due by June 30, 2023.
Last revised: 5/11/2023