ISO | Policy
***DRAFT***
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is a federal law, enforced by the Federal Trade Commission, that requires financial institutions (companies that offer consumer financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive customer data.
https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
The University of Guam (UOG) is considered a financial institution because it receives and processes federal student aid.
UOG is subject to GLBA per the US Department of Education’s office of Federal Student Aid (FSA), which requires that the GLBA Safeguards Rule be included as an audit objective in the federal single audit that UOG undergoes annually.
https://library.educause.edu/topics/policy-and-law/gramm-leach-bliley-act-glb-act
Per the updated GLBA Safeguards Rule, UOG is required to maintain an information security program that must include the following elements:
- Designate a Qualified Individual to implement and supervise your company’s information security program. UOG’s “qualified individual” is the UOG Chief Information Officer.
- Conduct a risk assessment. The Office of Information Technology (OIT) will conduct risk assessments on a regular basis.
- Design and implement safeguards to control the risks identified in the risk assessment:
  - Implement and periodically review access controls.
  - Know what you have and where you have it.
  - Encrypt customer information on your systems and when it’s in transit.
  - Assess your apps.
  - Implement multi-factor authentication for anyone accessing customer information on your systems.
  - Dispose of customer information securely.
  - Anticipate changes to your information system or network.
  - Maintain a log of authorized users’ activities and keep an eye out for unauthorized access.
- Regularly test or otherwise monitor the effectiveness of safeguards.
- Train your staff.
- Monitor your service providers. IT contracts or purchases with third parties that include the processing of personal data must go through the UOG Data Governance Process.
- Keep your information security program current.
- Create an incident response plan.