Purpose
Anne Arundel Community College (AACC) is committed to the preservation of personal data and is dedicated to adhering to regulations pertaining to the safeguarding of personal, sensitive, and other protected data within its purview.
In accordance with the Gramm Leach Bliley Act (GLBA) Safeguards Rule, as enshrined in 34 CFR 314.4, the Federal Trade Commission mandates the establishment of an Information Security Program. This program is designed to create, enforce, and sustain protective measures that ensure the security, confidentiality, and integrity of both customer financial records and any non-public personally identifiable financial information associated with them.
GLBA requires that the College implement an information security program designed to protect and safeguard all nonpublic information (NPI) collected for the purpose of offering a financial product or service. The College has institution level information security policies, procedures, guidelines, and processes which describe elements of the College’s overall information security program and includes the protection of National Provider Identifier (NPI) under GLBA.
This document is intended to provide additional information as it specifically relates to GLBA and is not intended to override institution level policies and procedures related to information security. As such, the institution level policies and procedures related to information security supersede regarding issues of application and in the event of a conflict between the Division and the institution level security policies and procedures.
Program Objective
The objectives of the program are to:
Descriptions and Definitions
Requirements
GLBA requires that the AACC Information Security Program include the following elements. The College’s methods as they relate to these elements are as follows:
Risk Assessment
AACC’s Division of Information and Instructional Technology (IIT) identified reasonably foreseeable internal and external risks to the security, confidentiality and integrity of data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of information and the sufficiency of safeguards in place to control these risks.
Recognizing that this may not represent a complete list of the risks associated with the protection of data, and that new risks are created regularly, Information Security Director (ISD) and the Information Security Taskforce will actively monitor appropriate cybersecurity advisory literature for identification of risks in the future and ensure that information security risk assessments are performed periodically in the future.
Specifically, IIT recognized the following internal and external information security risks include but are not limited to:
1. Element No. 1
Designates a qualified individual responsible for overseeing and implementing the institutions or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).
1.1 The vice president for Information and Instructional Technology (VP-IIT) or their designee will: (1) strategically oversee the program, (2) collaborate with IIT staff to assess internal and external data security risks and evaluate existing protections, (3) facilitate the development and testing of safeguards against identified risks, (4) assess the security measures of contracted service providers and (5) evaluate the program's effectiveness.
1.2 The vice president of IIT shall also designate an appropriate individual(s) to serve as the program coordinator, who will administer the Information Security Program and serve as the primary resource and liaison with Maryland, Anne Arundel County, departments, units, service providers and related entities for addressing issues related to the GLBA Safeguards Rule and disseminating relevant information and updates.
2. Element No. 2
Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
2.1 The Information security director (ISD), in conjunction with the IIT team, will work with the staff from each AACC Division to identify risks to security and privacy of the College’s financially related information systems. While the ISD is primarily responsible for internal and external risk assessment of the College’s systems including those that store NPI, all members of the College are responsible for safeguarding NPI.
2.2 The ISD will conduct regular data security reviews of the College’s financially related information systems and services. The ISD will work with staff from the Division of Learning Resources Management, as well as representatives from the Division of Learning to perform a risk assessment related to the handling of data that will include documentation of internal controls and will present this to the ISD for evaluation.
2.3 As specified in the College’s Information Technology Strategic Plan, management remains responsible for the review and identification of other security risks, including the storage of paper records or other records that contain data. Data stewards are responsible for ensuring that college Information within their area of assigned responsibility is used with appropriate, controlled levels of access and with assurance of its confidentiality and integrity. The ISD is available to provide guidance to PVP, administration, faculty and staff as required.
2.4 Access to the College’s financially related information systems and services is provided on an as needed basis with the principle of least privilege, as defined herein, applied. Access is requested by the individual user’s supervisor and approved through the College’s approved process.
2.5 Access to the forms that contain student financial information is approved by the Office of Financial Aid. The registrar is responsible for ensuring that access to these forms is not granted without approval.
2.6 The vice president of IIT, in coordination with the ISD, is responsible for assuring physical security of the College’s primary electronic system that houses NPI as well as the network that the College uses to access this system. During risk assessments of other College areas, the ISD will notify the VP-IIT and the associate vice president of Finance (AVP-F) of other systems identified related to GLBA. As identified, ISD will work with the IIT team, as well as the appropriate representatives across AACC’s four divisions to develop a mitigation plan for any risks associated with those identified systems.
3. Element No. 3
Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4©). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4©(1) through (8).
3.1 The AVP-F, or their designee, will perform an annual review to ensure that those with access to customer information are still active and that their access levels are appropriate. Role-based authorization will be applied in adherence to the principle of least privilege; roles are regularly reviewed and maintained.
3.2 The responsible official will periodically assess this requirement and related guidelines according to established policies, processes, guidelines and procedures. Identified flaws, gaps or areas of improvement will be addressed in a timely manner.
3.3 Any transfer or storage of data must employ encryption methods. These methods must be reviewed by the Information Security Director, and/or the Information Security Taskforce, and approved by the VP-IIT.
3.4 Access to application and database development environments is controlled by network and host-based firewalls, host and application-level authorization schemes, and multifactor authentication. IIT managers who develop, maintain, or modify key applications relating to data must deploy adequate measures for managing change control, separation of test and production environments, and separation of responsibilities and authorizations for staff involved in those functions.
3.5 Multi-factor authentication is required to access or transmit NPI. This will be implemented uniformly as software lifecycles permit. Exceptions require ISD review, and vice president of IIT preapproval.
3.6 Data retention is consistent with the College policy.
3.7 Log data required to audit for unauthorized access to customer information and related information systems is securely collected and maintained for an appropriate period of time; details are reserved.
4. Element No. 4
Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
4.1 Regular testing and monitoring for effectiveness will be conducted in accordance with college policy, process, guidelines and procedures.
5. Element No. 5
Provides for the implementation of requirements and guidelines to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4€).
5.1 Security training: Prior to receiving access to protected data, all employees are required to participate in information security training, as well as review and acknowledge the appropriate consumer information rules and regulations. Further, references and/or background checks (as appropriate depending upon position) of new employees working in areas that have access to data are performed. New employees who handle data receive proper training on the importance of confidentiality of student records, student financial information and all other data, and the proper use of computer information and passwords.
Thereafter, all employees are required to complete annual training in cybersecurity and FERPA to ensure compliance. Cybersecurity awareness training may also include controls and measures to detect and identify ransomware, phishing, and social engineering tactics to prevent employees from providing data to an unauthorized individual. These training efforts minimize risk and safeguard data and information. Security updates are regularly distributed to all employees to raise awareness and test vulnerability to social engineering tactics.
5.2 The ISD collaborates and communicates regularly with the vice president of IIT, director of Enterprise Application Services, director of Infrastructure Services, director of Technology Support Services, and the dean of Distance Education, as well as the Information Security Taskforce to ensure best practices are implemented and followed.
5.3 Professional development funds are reserved to provide needed technology training across the College. System administrators and system engineers work closely with application administrators to ensure patches and security updates are implemented in a timely fashion. The ISD leverages the Information Security Taskforce for urgent and emergent issues.
5.4 All technology workers are engaged with appropriate knowledge resources to maintain currency in their areas and share threats and countermeasures through established communication channels. IIT engages in regular readiness communications, discussions, trainings, and testing.
6. Element No. 6
Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
6.1 The College has developed standard language related to safeguards and their handling of data. This language is included in its contracts and agreements with service providers who may require access to data.
6.2 As part of the College’s procurement process, contracts for technology that require access to data will undergo a security review during the contracting process and, depending on the level of risk, may undergo a re-review during the contract renewal period.
7. Element No. 7
Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program (16 C.F.R. 314.4(g)).
7.1. Policies are reviewed every two years unless otherwise specified. In addition to the regularly scheduled reviews, risks are reviewed and mitigation plans are developed using a risk-based approach on a regular basis.
8. Element No. 8
For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
8.1 Incidents will be addressed according to AACC’s information security requirements and guidelines. ISD maintains the College’s Incident Response Plan that incorporates a decision tree and checklist for declaration of an incident, activation, determination of appropriate internal and external stakeholders, investigation, mitigation, reassessment and reporting.
9. Element No. 9
For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its qualified individual to report regularly and at least annually to the board of directors or, if no such board exists, to the senior officer responsible for the institution’s information security program (16 C.F.R. 314.4(i)).
9.1 Each spring, the ISD will review the information security plan with the vice president of Information and Instructional Technology. The ISD will review and highlight any revisions or changes to the document. This discussion will occur during one of the director and VP’s regular monthly one on one meetings. At the conclusion of this meeting, the director of Information Security will make the recommendation to approve the plan for the upcoming fiscal year. If the vice president of IIT concurs, the plan is approved for the upcoming fiscal year.
9.2 Following approval by the president of Information and Instructional Technology, the director of Information Security arranges and delivers an annual update to AACC’s president and vice presidents (PVP). The presentation includes key information security updates, outlines any changes to the information security plan, shares critical metrics, and presents recommendations or changes. If the PVP supports the report, it advances for consideration by the board of trustees' Audit and Finance Committee.
9.3. The vice president of IIT and the ISD shall report to AACC’s president and vice presidents (PVP), board of trustees' Audit and Finance Committee at least annually on the status of the GLBA Information Security Program.
Exemptions
None
Contingencies
None
Review Process
Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.
Guideline Title: AACC Information Security Program Compliance with Gramm-Leach-Bliley Act (GLBA)
Guideline Owner: Vice President for Information and Instructional Technology
Guideline Administrator: Director, Information Security
Contact Information: John Williams, jwwilliams6@aacc.edu
Approval Date: Jan. 8, 2024
Effective Date: Jan. 8, 2024
History: Adopted Oct. 13, 2023
Applies to: Faculty, staff and students
Related Policies: N/A
Related Procedures: N/A
Related Guidelines: N/A
Forms: N/A
Relevant Laws: