
Prevention Program: Gramm-Leach-Bliley Act

POLICY

The Board of Trustees and Employees of the Illinois Eastern Community Colleges shall operate in compliance with the Gramm-Leach-Bliley (GLB) Act (16 CFR Part 314).

In order to comply with Federal Law and to protect critical information and data, the Chancellor in conjunction with the Strategic Engagement Planning Council shall develop a procedure for an Information Security Program to comply with this regulation.

The goal of this procedure will be to define IECC’s Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the Program, and to position IECC for likely future privacy and security regulations.

GLB mandates that IECC shall:

  • appoint an Information Security Program Coordinator;
  • conduct a risk assessment of likely security and privacy risks;
  • implement and test safeguards to control risks;
  • institute a training program for all employees who have access to covered data and information;
  • oversee service providers and contracts;
  • establish an incident response plan;
  • evaluate and adjust the Information Security Program periodically; and
  • report, at least annually, to District leadership on the Information Security Program.

The Coordinator must help the relevant offices of IECC identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.


PROCEDURE

To protect critical information and data, and to comply with Federal Law, the Chancellor in conjunction with the Strategic Engagement Planning Council proposes certain practices in IECC’s information environment and institutional information security procedures. These practices will impact diverse areas of the campuses, including but not limited to the Business Office, Financial Aid Office, Office of the Registrar, Student Services, the Library as well as many third-party contractors. The goal of this document is to define IECC’s Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the Program, and to position IECC for likely future privacy and security regulations.

Gramm-Leach-Bliley (GLB) Requirements  
GLB mandates that IECC shall:

  • appoint an Information Security Program Coordinator;
  • conduct a risk assessment of likely security and privacy risks;
  • implement and test safeguards to control risks;
  • institute a training program for all employees who have access to covered data and information;
  • oversee service providers and contracts;
  • establish an incident response plan;
  • evaluate and adjust the Information Security Program periodically; and
  • report, at least annually, to District leadership on the Information Security Program.

Information Security Program Coordinator  
To comply with GLB, IECC has designated an Information Security Program Coordinator. This individual must work closely with the Chancellor’s office, outside counsel, if need be, as well as the academic and administrative areas listed above. The Coordinator is presently the Chief Information Officer.

The Coordinator must help the relevant offices of IECC identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.

Risk Assessment and Safeguards  
The Coordinator will work with an external vendor to conduct an annual Information Technology security audit to ensure the district is implementing security best practices. The Coordinator has primary responsibility for identifying internal and external risks, but all members of the IECC community are involved in risk assessment. The Coordinator, working in conjunction with the relevant IECC offices, will conduct regular risk assessments, including but not limited to the categories listed by GLB.

The Coordinator is responsible for ensuring that patches for operating systems and software environments are reasonably up to date, and will keep records of patching activity. The Coordinator will review the procedures for patching operating systems and software, and will keep current on potential threats to the network and its data.

The Coordinator will work with the relevant offices (Business Services, Human Resources, the Office of the Registrar, and the Library, among others) to develop and maintain a registry of those members of the IECC community who have access to covered data and information. The Coordinator in cooperation with Human Resources and the Business Office will work to keep this registry rigorously up to date.

The Coordinator will ensure the physical security of all servers and terminals which contain or have access to covered data and information. The Coordinator will conduct a survey of other physical security risks, including the storage of covered paper records in non-secure environments, and other practices which may expose IECC to risk.

One of the largest security risks may be the possible non-standard access to social security numbers. Social security numbers are considered protected information under both GLB and the Family Educational Rights and Privacy Act (FERPA). By necessity, student social security numbers are stored in the IECC student information system. IECC will conduct an assessment to determine who has access to social security numbers, in what systems the numbers are still used, and in what instances students are inappropriately being asked to provide a social security number.

The Coordinator will ensure that all electronic covered information is encrypted in transit and that the central databases holding it are protected against unauthorized access.

It is recommended that relevant offices of IECC decide whether more extensive background or reference checks or other forms of confirmation are prudent in the hiring process for certain new employees, for example employees handling confidential financial information.

The Coordinator will develop a written plan with procedures to detect any actual or attempted attacks on covered systems and will develop incident response procedures for actual or attempted unauthorized access to covered data or information. The Coordinator will periodically review IECC’s disaster recovery program and data-retention policies and present a report to the Strategic Engagement Planning Council.

Oversight of Service Providers and Contractors  
Third-party service providers may be granted access to IECC protected data only when they have a need for specific access to accomplish an authorized task and are able to comply with IECC security and privacy policies and procedures. This access must be reviewed and authorized by the Coordinator or their designee. Access must be limited to the least privilege necessary, and appropriate security controls must be implemented.

Employee training and education  
The Coordinator will work in cooperation with the Office of Human Resources to develop training and education programs for all employees who have access to covered data.

Knowledge of cyber security best practices is one of the best defenses against cyber threats. All current and new employees must complete cyber security training at the start of employment and as requested by the district. Failure to complete the training may result in loss of IECC technology access.

Employees who do not follow the best practices outlined in the training and fall victim to cyber scams will be required to attend additional training. These employees may also be required to meet with their supervisor, the Information Security Program Coordinator, and/or the Human Resources Executive Director to review the consequences of their actions. Repeated failure to follow best practices may result in referral to the district’s disciplinary process.

Evaluation and Revision of the Information Security Program   
GLB mandates that this Information Security Program be subject to periodic review and adjustment. Processes in relevant offices of IECC such as data access procedures and the training program should undergo regular review. The Program itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.

Definitions   
Covered data and information for the purpose of this policy includes student financial information required to be protected under the Gramm-Leach-Bliley Act (GLB). In addition to this coverage which is required by federal law, IECC chooses as a matter of policy to also define covered data and information to include any credit card information received in the course of business by IECC, whether or not such credit card information is covered by GLB. Covered data and information includes both paper and electronic records.

Student financial information is that information IECC has obtained from a student in the process of offering a financial product or service, or such information provided to IECC by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

IECC is Illinois Eastern Community Colleges and its affiliates Frontier Community College, Lincoln Trail College, Olney Central College, Wabash Valley College, IECC Workforce Education, and all IECC District Office locations.