1 Introduction
The Gramm-Leach-Bliley Act, also referred to as GLBA, governs the use, sharing and collection of financial information. It requires financial institutions to take steps to protect customer non-public information. Lewis and Clark Community College is subject to certain regulations under the Gramm-Leach-Bliley Act (GLBA) due to its financial activities, such as issuing student loans.
1.1 Purpose
This security plan outlines how Lewis and Clark Community College plans to be compliant with the Safeguards Rule and Pretexting Provisions of the Gramm-Leach-Bliley Act.
GLBA mandates that Lewis & Clark Community College do the following:
- Designate a Qualified Individual to oversee and implement its information security program.
- Identify and assess the risks to covered data in each relevant area of the college’s operations and evaluate the effectiveness of the current safeguards for controlling these risks.
- Establish and maintain an information security program, with regular monitoring and testing to assess its effectiveness.
- Implement policies and procedures to ensure that college personnel can implement the information security program.
- Select service providers that can maintain appropriate safeguards over covered data, ensure the service contract requires them to maintain safeguards, and oversee their handling of covered data.
- Evaluate and adjust the information security program considering relevant circumstances, including changes in the college’s business or operations, or the results of security testing and monitoring.
- Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of covered data in the college’s control.
- Have the Qualified Individual provide a written report to the Board of Trustees at least annually, detailing the effectiveness of the information security program.
1.2 Scope
For the Gramm-Leach-Bliley Act, the data covered is limited to student and parent financial information, such as loan information, income tax information, and banking information.
The departments that may potentially handle the listed sensitive information are the following:
- Human Resources Department
- Financial Aid Office
- Bursar’s Office
- Enrollment Office
- Information Technology Department
- Finance Department
2 Information Security Plan
2.1 Designated Qualified Individual
At Lewis & Clark Community College, the Chief Data and Technology Officer (CDTO) has been designated as the Qualified Individual to supervise and implement the Information Security Plan. The CDTO is responsible for communication, reporting, and approval of any policies, procedures, and changes to the Information Security Plan.
The Qualified Individual, with support from information security staff, will work with representatives from the listed departments and offices in section 1.2 to assess the institution’s procedures and practices regarding access to and use of student records, such as financial aid information.
2.2 Risk Assessment
Information Technology personnel conducted a risk assessment to identify potential threats the college may face in its current operating environment. The assessment considered a scenario with no safeguards in place, allowing for a comprehensive evaluation of vulnerabilities. Each identified risk was categorized based on the following criteria:
- The most likely source or actor behind the threat
- The potential impact if the risk were to materialize
- The likelihood of the risk occurring
- The information system(s) that would be affected
- The recommended response or mitigation strategy for each risk
After assessing all risk factors, a report was submitted to the CDTO detailing each risk's severity and recommended mitigations based on industry best practices. Solutions included policies, procedures, documentation, and practices to address each identified risk.
2.3 Risk Assessment Response
Following the risk assessment, the IT department at Lewis & Clark Community College implemented policies, procedures, and safeguards to protect financial data.
2.3.1 Access Controls Policy
Lewis & Clark Community College’s Access Controls Policy establishes standards for managing access to college data and computer systems, ensuring protection of sensitive information for all users with campus system accounts. The Access Controls Policy establishes the following practices to safeguard information:
- Describes user identification and authentication in Lewis & Clark Community College systems.
- Defines the processes for establishing, modifying, suspending, and terminating user access.
- Sets a standard for approved credential resets by users.
- Requires multi-factor authentication for systems containing sensitive data.
2.3.2 System Identification
Lewis & Clark Community College utilizes an IT Asset Management system that maintains and provides regularly updated data on all managed IT assets across campus.
This system enables the college to track the status, location, and lifecycle of hardware and software, ensuring accountability and facilitating proactive maintenance, as required by IT’s Computer Maintenance Policy. Access to an automatically updated inventory system provides the IT department with reports and information to make data-driven decisions in safeguarding critical resources.
2.3.3 Encryption Policy
To ensure all consumer information is protected at rest and in transit, Lewis & Clark Community College requires all employee workstations and servers that handle sensitive consumer information to be encrypted, as per the IT Department’s Encryption Policy.
2.3.4 Third-Party Assessment
With the Technology Purchasing Policy, the IT department is required to evaluate and approve any Information Technology-related purchases, including services or equipment from third-party suppliers.
2.3.5 Multi-factor Authentication
The college uses Multi-factor Authentication (MFA), as required by the Access Controls Policy, to secure financial information. If students lack MFA resources, the IT department can offer solutions to ensure equal protection for all.
2.3.6 Data Retention Policy
The college follows procedures provided by the state to maintain records for the mandated duration and disposes of them according to established guidelines when they are no longer required.
Each department that processes financial data is aware of its responsibility for complying with these retention requirements. Additionally, the IT department is currently developing a comprehensive data retention policy to formally document and standardize these practices across the institution.
2.3.7 Change Management Policy
All changes to the network, infrastructure, organizational systems, or information systems must be documented and approved by IT leadership in accordance with the IT department’s Change Management Policy. The employee responsible for implementing or associated with the change must thoroughly record and document it. In cases of emergency, changes may be submitted for approval retroactively to prevent service degradation.
2.3.8 User Activity Monitoring
To reinforce the institution’s commitment to safeguarding sensitive data, the IT team regularly reviews user access patterns and investigates anomalies, employing both automated monitoring tools and manual oversight as necessary to promptly detect and address unauthorized user access or activity.
2.3.9 Disaster Recovery Plan
To ensure readiness for high-severity incidents, the Information Technology department maintains a documented Disaster Recovery Plan. This plan is reviewed and tested annually in collaboration with the appropriate departmental personnel.
2.4 Safeguard Effectiveness Testing
2.4.1 Third-Party Vulnerability Assessment & Penetration Testing
The IT department contracts with an independent third-party security firm to conduct comprehensive vulnerability assessments and penetration testing on an annual basis. These assessments are designed to identify potential weaknesses in the college’s information systems, network infrastructure, and applications that could be exploited by malicious actors.
2.5 Information Security Awareness & User Training Program
The college’s Information Security Awareness & User Training Program is coordinated by an Information Security Analyst to provide adequate training for all institutional employees. The program consists of the following:
- Require all Lewis & Clark Community College employees to complete relevant security awareness and user training content at least annually.
- Operation of, and coordination with, the IT team to follow the Risk-based Vulnerability Management Strategy.
- Professional Conferences, regular reading of cybersecurity intelligence & news, and updated training material provided to Information Security personnel to ensure they have sufficient knowledge of industry best practices.
- Verification of the effectiveness of the Information Security Program through continuous testing of employee knowledge using simulated scenarios.
2.6 Service Provider Safeguards
The Qualified Individual will work with IT and other departments to ensure third-party service providers are chosen for their ability to safeguard protected financial information of students and others. They will also partner with campus legal counsel to create standard contracts requiring these safeguards, and any exceptions must be approved by legal counsel.
2.7 Governance Review Policy
Each year, IT must meet the requirements of the Information Security Governance Review Policy by ensuring all policies, procedures, documentation, and safeguards are compliant and properly enforced. IT personnel are required to follow all procedures and policy items, which must be regularly reviewed for compliance.
2.8 Incident Response Plan
To ensure readiness for any severity of incident, the Information Technology department maintains and utilizes a written Incident Response Plan. This plan is reviewed and tested annually in collaboration with the appropriate departmental personnel. The plan is meant to be followed for all information security-related incidents, requiring relevant stakeholder communications, incident documentation, remediation, and any required reporting of the incident.
2.9 Board Reporting Guidelines
At least once a year, the Qualified Individual must report to the Board on the effectiveness of the Information Security Plan and its associated programs and initiatives. The Board will receive a report that includes:
- A brief report summarizing the effectiveness of current strategies, policies, and plans, along with their periodic review.
- An overview of current or planned initiatives aimed at strengthening the college’s cybersecurity posture while improving cost-effectiveness.
The annual report for the Board of Trustees highlights the college's management of cybersecurity risks. This is shown through Key Performance Indicators (KPIs) tracked from Information Security initiatives. KPIs reported to the Board may include:
- The likelihood that an employee will interact with a malicious email, compared with the sector’s average.
- Number and percentage of vulnerabilities remediated, as well as all vulnerabilities that exceeded their remediation timeline.
- Results of audits & reviews of policies. Examples include:
  - The number of computers that are non-compliant with the Computer Maintenance Policy or the Encryption Policy.
  - Findings and remediations from auditing the Access Controls Policy.
- Reductions in risk surface area, or notable examples of such reductions, resulting directly from the security plan’s initiatives.
- Incident response metrics, such as incidents detected, response time, and resolution time.
Informing the Board of Trustees about the Information Security Plan promotes transparency and accountability, and demonstrates the effectiveness of the Institution’s information security approach.
3 Information Security Plan Review
This Information Security Plan shall be reviewed and updated periodically by the IT department to ensure its effectiveness and compliance with relevant laws, regulations, and industry standards.