This policy summarizes Miami University’s comprehensive written information security program mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm – Leach – Bliley Act (“GLBA”). This document describes how Miami University intends to (i) ensure the security and confidentiality of nonpublic financial records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. This information security program incorporates existing Miami University’s policies and procedures and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations.
Scope
This policy applies to any record containing nonpublic financial information about a student or other third party who has a relationship with Miami University, whether in paper, electronic or other form, which is handled or maintained by or on behalf of the university or its affiliates. For these purposes, the term nonpublic financial information shall mean any information:
a student or other third party provides in order to obtain a financial service from the Institution,
about a student or other third party resulting from any transaction with the Institution involving a financial service, or
otherwise obtained about a student or other third party in connection with providing a financial service to that person.
Rationale
The Federal Trade Commission (FTC) requires financial institutions to establish policies and procedures for safeguarding customer financial information by complying with the Gramm-Leach-Bliley Act (GLBA).
Policy
A. Information Security Program (ISP) Coordinator
The Assistant Vice President for Security, Compliance, and Risk Management is designated as the ISP Coordinator. The ISP Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP.
B. Risk Identification and Assessment
The ISP Coordinator will identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromises of such information. The ISP Coordinator will provide guidance to appropriate personnel in the central administration, academic units, and other university units in evaluating their current practices and procedures and in assessing reasonably anticipated risks to nonpublic financial information in their respective areas. The ISP Coordinator will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
Employee Training and Management. The ISP Coordinator will coordinate with the appropriate personnel to evaluate the effectiveness of current employee training and management procedures relating to the access and use of nonpublic financial information.
Information Systems. The ISP Coordinator will coordinate with the appropriate personnel to assess the risks to nonpublic financial information associated with the university's information systems, including network and software design as well as information processing, storage, transmission, and disposal.
Detecting, Preventing and Responding to Attacks and System Failures. The ISP Coordinator will coordinate with the appropriate personnel to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures.
C. Designing and Implementing Safeguards
The ISP Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
D. Overseeing Service Providers
The ISP Coordinator, in conjunction with the Office of the General Counsel and the Office of Strategic Procurement, will assist in instituting methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for nonpublic financial information. The ISP Coordinator will work with the Office of the General Counsel to develop and incorporate standard, contractual provisions for service providers that will require providers to implement and maintain appropriate safeguards. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
E. Adjustments to Program
The ISP Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to Miami University’s operations or other circumstances that may have a material impact on the ISP.
F. Exceptions
Any exceptions to this policy require approval from the Assistant Vice President for Security, Compliance, and Risk Management before they can be implemented. All exceptions will be reviewed every 12 months to ensure they are still appropriate and necessary.
G. Review
This policy will be reviewed by the Assistant Vice President for Security, Compliance, and Risk Management every 12 months.
Approvals
Initial Approval:Joe Bazeley on September 13, 2016
Most Recent Approval:Joe Bazeley on September 13, 2016
