You are here

Office of Information Technology » Policy

ISO | Policy

ISO | Policy

ISO | Policy

ISO Banner

***DRAFT***

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) is a federal regulation under the Federal Trade Commission that requires financial institutions (companies that offer consumer financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act 

University of Guam (UOG) is considered a financial institution because we receive and process federal student aid.

UOG is subject to GLBA per the US Department of Education’s office of Federal Student Aid (FSA) and requires that the GLBA Safeguard rules be included as an audit objective in the federal single audit process that UOG undergoes annually.
https://library.educause.edu/topics/policy-and-law/gramm-leach-bliley-act-glb-act 

Per the updated GLBA Safeguarding Rules, UOG is required to maintain an information security program which must include the following elements:

  1. Designate a Qualified Individual to implement and supervise your company’s information security program. UOG’s “qualified individual” is the UOG Chief Information Officer.

  2. Conduct a risk assessment. The Office of Information Technology (OIT) will conduct risk assessments on a regular basis.

  3. Design and implement safeguards to control the risks identified in the risk assessment.

    1. Implement and periodically review access controls.

    2. Know what you have and where you have it.

    3. Encrypt customer information on your systems and when it’s in transit.

    4. Assess your apps.

    5. Implement multi-factor authentication for anyone accessing customer information on your systems.

    6. Dispose of customer information securely.

    7. Anticipate changes to your information system or network.

    8. Maintain a log of authorized users’ activities and keep an eye out for unauthorized access.

  4. Regularly test or otherwise monitor the effectiveness of safeguards.

  5. Train your staff. 

  6. Monitor your service providers. IT contracts or purchases with third parties that include the processing of personal data must go through the UOG Data Governance Process. 

  7. Keep your information security program current. 

  8. Create an incident response plan.


INFORMATION SECURITY OFFICE HOURS

Monday - Friday: 8AM - 5PM

CONTACT

Email: iso@triton.uog.edu
Phone: (671) 735-2640

facebook    intstagram    twitter