Gramm-Leach-Bliley Act Information Security Program

Copyright © 2005, University of Delaware
Last updated: 10/25/05

  1. Purpose:
    This document summarizes the University of Delaware's written information security program mandated by the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA).
  2. Designation of Representatives:
    The Institution's Director for Billing and Collection is designated as the Program Officer who shall be responsible for coordinating and overseeing the Program with the appropriate unit heads and the Information Systems Auditor. The Program Officer may designate other representatives of the Institution to oversee and coordinate particular elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the Program Officer or his or her designees.
  3. Scope of Program:
    The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form that is handled or maintained by or on behalf of the University or its affiliates. For these purposes, the term nonpublic financial information is any information a student or other third party provides in order to obtain a financial service from the Institution; information about a student or other third party resulting from any transaction with the Institution involving a financial service; or, information otherwise obtained about a student or other third party in connection with providing a financial service to that person.
  4. Elements of the Program:

    1. Risk Identification and Assessment.
      Risk assessments and associated action plans have been established for the external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Risk assessments and compliance plans are in effect for the departments/units involved.

      • Employee Training and Management.
        Human Resources and the Office of Information Technologies provide training for new and existing employees through a program segment at new employee orientation and through ongoing annual training programs for faculty and staff.
      • Information Systems and Information Processing and Disposal.
        Management Information Services and Network and System Services have assessed the risks to nonpublic financial information associated with information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. Archiving and destruction processes are in place for all nonpublic financial information held on paper.
      • Detecting, Preventing and Responding to Attacks.
        Management Information Services and Network and System Services have procedures for and methods of detecting, preventing and responding to attacks or other system failures. They also have network access and security policies and procedures.
    2. Designing and Implementing Safeguards.
      The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. An annual audit of safeguard compliance will be done through the Internal Auditor's Office. Evaluation of risk of new or changed business arrangements will be coordinated by the Program Officer and the appropriate unit head.
    3. Overseeing Service Providers.
      The University may appropriately share covered data with third parties. Such activities may include collection activities, transmission of documents, destruction of documents or other similar services. Reasonable steps are taken to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and to require service providers by contract to implement and maintain such safeguards. The Associate Director for Procurement Services ensures that all such third-party contracts include language requiring the vendor to comply with the Federal Trade Commission (FTC) Standards for Safeguarding Customer Data.
    4. Adjustments to Program.
      This information security plan shall be evaluated and adjusted for any changes in the University's business arrangements, or in light of future guidance from the National Association of College and University Business Officers and/or the Federal Trade Commission.