Safeguarding Nonpublic Financial Information Policy


TBR Policy Reference: 1:08:04:01

TBR Guideline Reference: B-090

Approved by: President's Cabinet

Original Date Effective: 2023-06-26

Last Modified: 2023-06-23


Purpose

This guideline explains the procedure by which Jackson State Community College (“JSCC” or the “Institution”) has developed a comprehensive written Information Security Program (the “Program”) as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule. The Program’s components described below are intended to:

  1. Protect the security and confidentiality of customers’ nonpublic financial information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
  3. Protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.

The JSCC Program consists of existing institutional policies and procedures incorporated by reference into the Program, including but not limited to policies such as computer/electronic records confidentiality policies, Family Educational Rights & Privacy Act policies, employee/personnel records confidentiality policies, etc.

Definitions

  • Customer - person who has a continuing relationship with the institution for provision of financial services, such as financial aid.
  • Customer Information - any record containing nonpublic personal financial information about a Customer.
  • Non-public financial information – any record not publicly available that an institution obtains about a customer while offering a financial product or service, as well as such information provided to the institution by another source. Nonpublic financial information includes information that a person submits to apply for financial aid (e.g., tax returns and other financial information), that an institution collects from third parties relating to financial aid (e.g., FAFSA information), and that an institution creates based on customer information in its possession.
  • Security event – an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such system, or customer information held in physical form.

Policy/Guideline

  1. Introduction
    1. GLBA covers Jackson State Community College because we offer and process financial aid applications and receive customer information from students and others about those activities.
    2. Jackson State has developed, implemented, and maintains a written comprehensive Information Security Program. The Program contains administrative, technical, and physical safeguards appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.  The Program applies to any paper or electronic record maintained by the institution that contains customer information about an individual or a third party who has a relationship with the institution.
  2. Requirements of an Information Security Program
    1. Program Coordinator
      1. Jackson State Community College has established a qualified individual to serve as the Program Coordinator responsible for overseeing and implementing the Program. The Coordinator obtains assistance from other campus sources, but the ultimate responsibility for the Program remains with the Coordinator.
      2. The Coordinator’s development of the Program included but was not limited to:
        1. Consulting with the appropriate offices to identify units and areas of the institution with access to customer information and maintaining a list of the same;
        2. Assisting the appropriate offices of the institution in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and making sure that appropriate safeguards are designed and implemented in each office and throughout the institution to safeguard the protected data;
        3. Working with the TBR shared services contract officer(s) to guarantee that all contracts with third-party service providers that have access to and maintain customer information include a provision requiring that the service provider maintain appropriate safeguards for customer information; and
        4. Working with responsible institutional officers to develop and deliver adequate training and education for all employees with access to customer information.
      3. Security and Privacy Risk Assessments
        1. The Program identifies reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assesses the sufficiency of the safeguards in place to control those risks.
        2. Risk assessments include consideration of risks in each office that has access to customer information.
        3. Risk assessments are written and include, at a minimum, consideration of the risks in the following areas:
          1. Criteria for the evaluation and categorization of the identified security risks and threats;
          2. Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls in the context of identified risks and threats; and
          3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Program will address the risks.
        4. The institution periodically performs additional risk assessments that reexamine the reasonably foreseeable internal and external risks to customer information's security, confidentiality, and integrity that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information.  Such assessments must reassess the sufficiency of safeguards to control the risks.
      4. Information Security Personnel and Employee Training
        1. Jackson State utilizes qualified information security personnel, whether employed by the institution or through vendors, sufficient to manage information security risks and assist in overseeing the Program.  Security personnel will receive security updates and training to address relevant security risks. Jackson State will verify that key information security personnel maintain current knowledge of changing information security threats and countermeasures.
        2. The Coordinator provides institutional employees with security awareness training that is updated as necessary to reflect risks identified by the risk assessment. This training may be developed and implemented in conjunction with vendors, the human resources office, the Compliance and Risk office, and the Office of General Counsel. The training shall occur regularly, as deemed appropriate by the Coordinator, and it shall include education on relevant policies and procedures and other safeguards in place or developed to protect customer information.
      5. Design and Implementation of Safeguards
        1. The Program includes safeguards to control the risks identified through the risk assessments, including by:
          1. Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to authenticate and permit access only to authorized users and to limit authorized users’ access only to customer information that they need to perform their duties and functions (or in the case of customers, to access their own information);
          2. Identifying and managing the data, personnel, devices, systems, and facilities that enable the institution to achieve operational purposes in accordance with their relative importance to operational objectives and risk strategy;
          3. Protecting by encryption all customer information held or transmitted by the institution, both in transit over external networks and at rest. To the extent the Coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the Coordinator may approve a method to secure such customer information using effective alternative compensating controls;
          4. Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information and procedures to evaluate, assess, or test the security of externally developed applications used to transmit, access, or store customer information;
          5. Implementing multi-factor authentication for any individual accessing any information system, unless the Coordinator has approved in writing the use of reasonably equivalent or more secure access controls;
          6. Developing, implementing, and maintaining procedures for the secure disposal of customer information.  These procedures will be periodically reviewed to minimize the unnecessary retention of data. Disposal must occur no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates unless:
            1. The information is required to be kept for a longer period in accordance with TBR Policy 1.12.01.00, Records Retention and Disposal of Records;
            2. The information is necessary for operational purposes; or
            3. Targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
          7. Adopting procedures for change management; and
          8. Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users.
        2. The Program regularly tests or otherwise monitors the effectiveness of the safeguards’ key controls, systems, and procedures to detect actual and attempted attacks on or intrusions into information systems.
        3. For information systems, monitoring and testing includes continuous monitoring or periodic penetration testing and vulnerability assessments.  In the absence of effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the institution must conduct:
          1. Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
          2. Vulnerability assessments, including any systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities.  Such vulnerability assessments must be conducted at least every six months, whenever there are material changes to an institution’s operations and when circumstances or events may have a material impact on the Program.
      6. Oversight of Service Providers and Contracts
        1. The institution takes reasonable steps to select and retain third-party service providers capable of maintaining appropriate safeguards for the customer information to which they have access. Service providers will be periodically assessed based on the risk they present and the continued adequacy of their safeguards.
        2. The institution requires, by contract, that current and potential service providers with access to customer information maintain sufficient procedures to detect and respond to security events.
        3. The institution requires, by contract, that all applicable third-party service providers implement and maintain appropriate safeguards for customer information.
      7. Incident Response Plan
        1. The Program includes a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the institution’s control.
        2. To the extent the following requirements are not already required by the State of Tennessee’s incident response plan, the Coordinator ensures that the incident response plan addresses:
          1. The goals of the incident response plan;
          2. The internal processes for responding to a security event;
          3. The definition of clear roles, responsibilities, and levels of decision-making authority;
          4. External and internal communications and information sharing;
          5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
          6. Documentation and reporting of security events and related incident response activities; and
          7. The evaluation and revision as necessary of the incident response plan following a security event.
      8. Evaluation and Revision of Program
        1. The Coordinator evaluates and adjusts the Program in light of the results of testing and monitoring, any material changes to the institution’s operations, the results of risk assessments, and any other circumstances that may have a material impact on the Program.
        2. The Program includes a plan that will be evaluated regularly and a method to revise the Program, as necessary, for continued effectiveness.

  3. Assessment of the Information Security Program
    1. The Coordinator, in conjunction with the appropriate administrators, assesses the Program’s effectiveness annually.
    2. The Coordinator makes sure that necessary revisions to the Program are made at the time of the annual review to address any changes in the institutional organization that may affect the implementation and effectiveness of the Program.
  4. Publication of the Information Security Program
    1. To promote uniform compliance with the Program by all personnel employed by the institution and to achieve the institution’s duty to safeguard the confidentiality of customer information, the institution shall, at a minimum, display and disseminate the Program in accordance with Jackson State’s standard distribution methods.
    2. Jackson State’s current Program shall be available upon request for review and copy at all times.
  5. Annual Reporting to the Board of Regents
    1. The Tennessee Board of Regents System Office Coordinator’s report to the Board of Regents shall also include a report from the JSCC Program Coordinator. The System Office Coordinator shall prepare a form for the institutional coordinator to complete and return in time sufficient for inclusion in the report to the Board.

Sources

Authority

T.C.A. § 49-8-203; all state and federal statutes, codes, Acts, rules and regulations referenced in this guideline; 16 C.F.R. Part 314.