Gramm-Leach-Bliley Act (GLBA)

Last updated: February 2, 2024
Audience: All UW

“The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.” – Federal Trade Commission

In its capacity as a financial institution, the University of Washington (UW) is required to maintain an information security program. This program must include the following elements:

(a) Designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing the information security program. The University’s “Qualified Individual” responsible for the information security program is the UW Chief Information Security Officer.

(b) Base the information security program on a risk assessment of the security, confidentiality, and integrity of customer information, and assess the sufficiency of any safeguards in place to control these risks. The UW's information security program follows a risk-based approach. The components of the program are established in UW's Administrative Policy Statement 2.6, Information Security Controls and Operational Practices.

(c) Design and implement safeguards to control the risks identified in the risk assessment. The Office of Information Security has established a security standard that applies to UW Confidential data, including data in scope of GLBA. If additional safeguards are needed to address identified risks, the Office of Information Security will work directly with departments as needed to address the risks.

(d) Regularly test or otherwise monitor the effectiveness of safeguards. For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments (where continuous monitoring is not in place, the FTC Safeguards Rule calls for annual penetration testing and vulnerability assessments at least every six months). Units are responsible for routine monitoring, testing, and assessing the effectiveness of the safeguards they implement. The Office of Information Security offers additional monitoring and vulnerability assessment capabilities, and can arrange for penetration testing as needed.

(e) Implement policies and procedures for security awareness training. People who have access to GLBA data are required to take GLBA training and information security training at least annually.

(f) Oversee service providers. IT contracts with third parties that include the processing of personal data must include a data processing agreement and IT Security Terms.

(g) Evaluate and adjust the information security program in light of the results of testing and monitoring. The Office of Information Security regularly reviews and adjusts the information security program following established governance practices.

(h) Establish an incident response plan. The UW has established Administrative Policy Statement 2.5, Information Security and Privacy: Incident Reporting and Management.

(i) Require the Qualified Individual to report in writing, regularly and at least annually, to the board of directors or equivalent governing body. The UW Office of Information Security (OIS) will provide a written report at least annually to the Board of Regents.

Contact us if you are uncertain if GLBA applies to you, if you have questions about GLBA safeguards, or if you have other GLBA related questions.

References

UW Administrative Policy Statements: APS 2.5, Information Security and Privacy: Incident Reporting and Management; APS 2.6, Information Security Controls and Operational Practices

UW Privacy Office: Data Processing Agreement

UW Procurement: UW Terms & Conditions