Last Revision Date: June 19, 2018
Approval Date: DRAFT
Approval Authority: CWRU Chief Information Security Officer
This document describes the scope and impact of the Gramm-Leach-Bliley Act (GLBA) compliance activities at Case Western Reserve University.
Coordination with Other Policies and Procedures
The CWRU GLBA compliance is closely aligned with these policies and standards:
- CWRU Family Educational Rights and Privacy Act (FERPA) Policy
- Gramm-Leach-Bliley Act- Public Law 106-102
- Policy I-1 Acceptable Use of Information Technology (AUP)
- 16 CFR Part 313 Financial Privacy Rule
The Gramm-Leach-Bliley Act (Public Law 106-102) was signed into law in 1999 as part of an effort to enhance competition in the financial services industry. Section 501 of this Act calls for the protection of non-public personal information. Although they are not part of the financial services industry, higher education institutions such as CWRU are considered financial institutions under this Act due to their significant role in servicing student loans. The Federal Trade Commission, the statutory authority for implementation of the GLBA, published a Final Rule entitled Privacy of Consumer Financial Information to implement privacy provisions of GLBA.
Similarly, higher education institutions are subject to broad privacy compliance provisions of the 1974 Family Educational Rights and Privacy Act (FERPA), which is administered by the U.S. Department of Education. The FERPA requirements are understood to override any other compliance activities when dealing with educational records.
In 2001, the Federal Trade Commission published a Final Rule entitled Standards for Safeguarding Customer Information. This Rule states that financial institutions must "[...] develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." (16 CFR 314.3) Within the scope of its role as a financial institution, institutions of higher education are required to conform with this rule.
- The university standards that apply to privacy of educational records are encompassed within the CWRU FERPA Policy, and administered by the University Registrar.
- The university standards that apply overall privacy in IT systems and services are encompassed within the CWRU Acceptable Use of Information Technology (AUP).
- The scope of the GLBA compliance activities shall be restricted to financial information associated with the awarding of financial aid and student loans, in workflows administered by the Office of University Financial Aid.
- The university’s Information Security Office manages these elements of GLBA compliance in the overall scope of the information security program:
- The university Chief Information Security Officer has been designated to coordinate the information security program
- Through the conduct of regular risk assessments and evaluation of security incidents, the information security office maintains an index of risks to university operations in accordance with the Risk Management Plan
- As part of the University Technology Strategic Plan, security controls and processes are selected, designed, and implemented to address causal risks in accordance with the risk tolerance of the university
- Monitoring of ongoing risks and testing efficacy of implemented controls, provide user security training and awareness
- Maintaining and exercising incident response capabilities, as well as disaster recovery and business continuity plans
Information Security Office: administer the information security program
University Registrar: administer and maintain the CWRU FERPA Policy
Office of University Financial Aid: manage and maintain financial aid records and any information received from external partners associated with financial aid
Standards Review Cycle
This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.