Safeguarding GLBA Customer Information (Policy 100)

Approved By:

President Joyce Ester

Issued:

Revised:

04/01/2025 as Interim; 07/10/2025

Last Reviewed:

Related Policies:

Policy Owner / Contact Person:

Additional References:

eCFR :: 16 CFR Part 314 -- Standards for Safeguarding Customer Information at https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314

Policy Categories:

  1. Policy Statement 

    This policy establishes the foundation for compliance with the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information (“Safeguards Rule”).

  2. Purpose

    Pursuant to its program participation agreement and student aid internet gateway agreement with the U.S. Department of Education and as a condition to being eligible to participate in federal financial aid programs under Title IV of the Higher Education Act of 1965, the University must comply with the GLBA, which requires financial institutions to take steps to protect customers’ nonpublic personal information. Institutions of higher education are required to comply with the Safeguards Rule as outlined in 16 C.F.R. Part 314. These requirements are additional to those of the Family Educational Rights and Privacy Act (“FERPA”). The purpose of this policy is to ensure compliance with the University’s program participation agreement, student aid internet gateway agreement, the GLBA, and the Safeguards Rule and to protect the privacy interests of the University’s students.

  3. Scope

    This policy applies to all “customer information,” which is defined as any record, whether in paper, electronic or other form, containing nonpublic personal information about a customer (past or present) that is handled or obtained by Governors State University or on its behalf or by or on behalf of any affiliate of Governors State University. A “customer” is a person having a “customer relationship” with the University, meaning a continuing relationship under which the University provides one or more financial products or services to the customer that are to be used primarily for personal, family, or household purposes. The University’s primary “customers” are its students. Financial services provided by Governors State University may include the University administering or aiding in the administration of Title IV programs; making institutional loans or scholarship payments; or certifying a private education loan on behalf of a student. Customer information is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages.

  4. Policy

      It is the policy of the University to maintain a reasonable information security program sufficient to meet the requirements of the GLBA Safeguards Rule. An “information security program” means the administrative, technical, or physical safeguards the University uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. The University’s information security program comprises the following nine elements.

      1. Element 1: Designate a Qualified Individual to oversee and implement its information security program 

        The University Director of Information Security is responsible for this GLBA policy and is designated as the Qualified Individual for the University. The Qualified Individual is responsible for overseeing, implementing, and enforcing the University’s information security program.

      2. Element 2: Identify and assess the risks to covered data in each relevant area of the University’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks 

        The Director of Information Security shall perform risk assessments, and may work with data custodians, application owners, units, and individuals to identify and assess risks to customer information including but not limited to: 

        1. Unauthorized access to customer information;
        2. Compromised system security as a result of system access by an unauthorized person; 
        3. Interception of customer information during transmission; 
        4. Loss of data integrity; 
        5. Physical loss of customer information in a disaster; 
        6. Errors introduced into the system; 
        7. Corruption of data or systems; 
        8. Unauthorized requests for customer information; 
        9. Unauthorized access to hard copy files or reports containing customer information; 
        10. Unauthorized transfer or release of customer information by third parties contracted by the University; 
        11. Unauthorized disposal of customer information; and 
        12. Unsecured disposal of customer information.

        The University recognizes that the above list of risks may not be a complete list of risks associated with the protection of customer information. Since technology changes over time, new risks may arise, and the risk assessment shall be updated regularly.

      3. Element 3: Design and implement a safeguards program with the minimum safeguards outlined in 16 C.F.R. 314.4 (c)(1) through (c)(8) 

        The minimum safeguards to protect customer information include: 

        1. Implement and periodically review access controls, including technical and, as appropriate, physical controls to authenticate authorized users and limit users’ access only to customer information needed to perform duties or functions; 
        2. Identify and manage the data, personnel, devices, systems, and facilities that enable each unit to achieve business purposes in accordance with their relative importance to business objectives and the University’s risk strategy; 
        3. Protect customer information held or transmitted by the designated units in transit over external networks and at rest, or use effective alternative compensating controls reviewed and approved by the Director of Information Security; 
        4. Implement either multi-factor authentication or reasonably equivalent access controls approved by the Director of Information Security for information systems where customer information is held; 
        5. Follow ITS approved secure disposal procedures for any system with customer information; 
        6. Retain records in accordance with the State Record Retention Act; 
        7. Follow ITS procedures for change management impacting University information systems where customer information is held; and
        8. Follow all ITS procedures and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information.

      4. Element 4: Regularly monitor and test the safeguards program

        The Director of Information Security will follow regular ITS procedures to monitor and/or test the technical safeguards for GLBA customer information. The University’s Internal Audit department will conduct periodic audits and reviews of the University's information technology and information security to assess compliance with applicable policies, regulations, and best practices. 

      5. Element 5: Implement policies and procedures to ensure that University personnel are able to implement the information security program 

        This Policy is related to and subject to University Policy 92 and associated procedures. Where appropriate, unit-level policies and procedures may be adopted as long as they are consistent with University Policy 92 and related procedures. Individual units are responsible for facilitating compliance with all information security policies and practices applicable to their unit. The University shall provide cybersecurity awareness training, since ensuring that employees are properly trained is an essential component of the information security program.

      6. Element 6: Select service providers that can maintain appropriate safeguards over covered data, ensure the service contract requires them to maintain safeguards, and oversee their handling of covered data

        University units shall not purchase software or enter into contracts with service providers prior to obtaining a completed risk assessment or other approval from ITS. Contracts shall ensure that service providers maintain safeguards with respect to University data, and that the University is entitled to audit compliance with that requirement. 

      7. Element 7: Provide for the evaluation and adjustment of the information security program in light of relevant circumstances, including changes in the University’s business or operations, or the results of security testing and monitoring

        The information security program and associated policies and procedures shall be reviewed and updated as necessary. 

      8. Element 8: Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of covered data in the University’s control

        The University shall adopt a written incident response plan to respond to data security incidents. It is understood that in the event of a breach of customer information, the University is required to notify contacts designated by the U.S. Department of Education within 24 hours after an incident is known, identified, or suspected.

      9. Element 9: Require the Qualified Individual to report in writing, regularly and at least annually, to the Board of Trustees.

        The Qualified Individual will submit a report to the Board of Trustees annually.