COLORADO COMMUNITY COLLEGE SYSTEM
Gramm-Leach-Bliley Student Financial Information Security Program
EFFECTIVE: May 16, 2018
APPROVED: May 16, 2018
REFERENCES: Board Policy BP 4-100; 15 U.S.C. §§ 6801 – 6809; 16 C.F.R. Part 314
/ Nancy J. McCallin /
Nancy J. McCallin, Ph.D.
This procedure applies to all System employees who have access to student financial information or manage vendors who access student financial information.
The System recognizes the importance of complying with the Gramm-Leach-Bliley Act (“GLB”), a federal law that requires the System to implement and maintain a GLB Student Financial Information Security Program to safeguard student financial information.
“Student financial information” means any customer data as defined in the GLB Act and includes any record containing nonpublic personally identifiable financial information about a student when offering a financial product or service to the student. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, or other personally identifiable information or sensitive student data, in both paper and electronic format.
“Security breach” means any unauthorized disclosure, misuse, alteration, destruction or other compromise of student financial information, such as unauthorized access.
This GLB Student Financial Information Security Program implements reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of student financial information as defined in the GLB Act.
The Program is designed to ensure the security and confidentiality of certain student financial information, protect against any anticipated threats to the integrity of such information and protect against unwarranted, unlawful or unauthorized disclosure, misuse, alteration or compromise of such information.
- Designation of GLB Student Financial Information Security Program Coordinators: The System President designates the System Chief Information Officer (CIO), the Vice President of Finance and Administration (VPFA), and the Vice President of Organizational Effectiveness, Student Affairs and Strategic Initiatives (VP), collectively referred to as the “GLB Coordinators”, to coordinate the protection of student financial information. The System President designates to each College President the responsibility for complying with this Policy with respect to their particular Colleges. The GLB Coordinators will coordinate the protection of student financial information with the System Financial Aid Director, the System Senior Network Security Administrator, the System Controller and each College IT Director and College Financial Aid Officer designated by each College President to implement the GLB Act requirements in this policy. They will work together to assist the System Office and Colleges in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student financial information; to evaluate the effectiveness of the current safeguards for controlling these risks; to design and implement a safeguards program; and to regularly monitor and test the program. The GLB Coordinators will evaluate the program periodically to make appropriate adjustments and send reminders to the Colleges.
- Risk Assessment and Safeguards: The GLB Coordinators will identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of student financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. The GLB Coordinators will work with all relevant areas of the System to identify potential and actual risks to the security and privacy of the IT systems that contain student financial information. The GLB Coordinators will assure that the College Presidents have procedures concerning the physical security of all central systems that contain or have access to student financial information and the network that is utilized to access the systems, and will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, document retention policies and other procedures that may expose the System to risks. The GLB Coordinators have developed written plans and procedures to detect any actual or attempted attacks on covered systems and have developed incident response procedures for actual or attempted unauthorized access to student financial information. The GLB Coordinators will periodically review the System disaster recovery program for critical systems.
- Employee Training: The GLB Coordinators will develop training and education programs on GLB and this Program for all employees who have access to student financial information. Employees are subject to SP 3-125c General Computer and Information Systems Procedures, which governs confidential data, passwords and basic computer security procedures.
- Oversight of Service Providers and Contracts: GLB requires that the System take reasonable steps to select and retain service providers who maintain appropriate safeguards for student financial information. The System has developed contract language to ensure that all contracts that involve student financial information include a GLB privacy clause in compliance with GLB.
- Evaluation and Revision of the Information Security Program: GLB mandates that this Student Financial Information Security Program be subject to periodic review and adjustment. Processes such as data access procedures and the training program will undergo regular review by the GLB Coordinators.
- Notice of Security Breach: Each College Financial Aid Officer, in coordination with College Senior Staff, shall notify the GLB Coordinators, the System Financial Aid Director, and the U.S. Department of Education of any security breach of student financial information pursuant to the requirements of the Federal Student Aid Program Participation Agreement and the Student Aid Internet Gateway Agreement. Actual and suspected data breaches must be reported to the U.S. Department of Education on the day a data breach is detected or suspected. For guidance on reporting, please refer to the “Security Incident Reporting Form” attached to this Procedure. The Family Educational Rights and Privacy Act (“FERPA”) and the Fair and Accurate Credit Transaction Act (“FACTA”) may also apply to the confidentiality of student information. See SP 4-80.
Revising this Procedure
The System President reserves the right to change any provision or requirement of this procedure at any time and the changes shall become effective immediately.
Security Incident Reporting Form
This Form is to be used to report a detected or suspected security breach of student financial information, or an unauthorized release of student personally identifiable information, to the System or College Security Program Coordinator(s) as well as to the U.S. Department of Education.
- Intake Information:
  Date of Detected or Suspected Incident: _____________________________________________________________________
  Brief Description of Incident: _____________________________________________________________________
  Check all that apply:
  ___________ Student Financial Information
  ___________ Student Personally Identifiable Information
  ___________ Breach information can be linked to other PII without a password
  ___________ Other, ____________________________________________
  Person Filing Incident Report:
  Name and Title: _____________________________________________________________________
  Contact Information (email and phone number): _____________________________________________________________________
- Internal Reporting: Please submit the Security Incident Reporting Form to (check all that apply):
___________ College Security Program Coordinator(s)
___________ System Director of Financial Aid
___________ System Vice President of Finance and Administration
___________ System Vice President of Student Affairs
___________ System Chief Information Officer
- External Reporting: Report the Security Incident to the System Office and Legal Affairs before reporting to the U.S. Department of Education. For reporting to the U.S. Department of Education, please submit an email to email@example.com that includes the following information:
  ___________ U.S. Department of Education
- Date of detected or suspected breach
- Impact of the breach
- Method of breach
- Include College or System “Security Program Point of Contact”
- Remediation status
- Next steps if needed
GLB requires that the U.S. Department of Education be notified on the same day a Security Incident is detected.