Gramm-Leach-Bliley Act
INFORMATION SECURITY PROGRAM
Oklahoma City Community College (OCCC) has developed the following written Information Security Program (WISP or Program) to protect information and address compliance requirements of any applicable law or regulations, including the Safeguards Rule of the Gramm Leach Bliley Act (collectively, the Regulations).
Objectives
The Program of OCCC has the following objectives –
- Ensure the security and confidentiality of protected information in compliance with Regulations, including the applicable Gramm Leach Bliley Act (GLBA) rules as published by the Federal Trade Commission.
- Provide administrative, physical, and technical safeguards to ensure compliance with the Regulations.
- Safeguard against anticipated threats to the security or integrity of protected electronic data.
- Protect against unauthorized access to or use of data that could result in harm or inconvenience to any customer.
- Position OCCC to comply with future privacy and security Regulations.
Responsibility for the Information Security Program
In coordination and partnership with the Information Technology Services of OCCC, the Program designates a trusted service provider – McAfee & Taft, A Professional Corporation, with support from C.H. Guernsey & Company – as the “Qualified Individual” responsible for the development, implementation, and oversight of OCCC’s compliance with the policies and procedures required by the GLBA Safeguards Rule. Questions regarding this Program, or GLBA impacts on business processes and policies, should be directed to cyber@mcafeetaft.com or support@occc.edu.
Risk Assessment and Safeguards
The use of protected information creates risk to customers and OCCC. The handling, storing, and transferring of this type of information requires risk assessment and data protection. Assessing risk and maintaining appropriate safeguards can reduce risk. Safeguards are designed to reduce the risk inherent in handling protected information and include safeguards for information systems and the storage of paper. OCCC has a security program with associated risk assessment practices, safeguard controls and policies. These related documents are not restated here.
Employee Education and Training
Employees handle and have access to protected information in order to perform their job duties. This includes permanent and temporary employees as well as student employees whose job duties require them to access protected information or who work in a location where there is access to protected information. Departments are responsible for maintaining a high level of awareness and sensitivity to safeguarding protected information and should periodically remind employees of its importance. Training materials relating to the Regulations and data handling are available online.
Oversight of Service Providers
The Regulations require the College to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and protected information. The Office of Legal Counsel will assist employees and departments in providing and reviewing contract language to ensure that all relevant service provider relationships comply with the Regulations, including specific GLBA provisions.
Service providers must agree to implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of customer information and further containing each of the elements set forth in § 314.4 of the Gramm Leach Bliley Standards for Safeguarding Customer Information (see 16 C.F.R. § 314). Service providers must further agree to safeguard all customer information provided to them under this Agreement in accordance with their information security program and the Standards for Safeguarding Customer Information.
The GLBA contract due diligence is considered in various aspects of contract negotiation, including security control reviews. All contracts should be reviewed by legal counsel to ensure the required language is included.
Evaluation and Revision of the Information Security Program
The Regulations mandate that this Information Security Program be subject to periodic review and adjustment. The most frequent of these reviews will occur within the Information Technology Services. Processes in other relevant offices of the College such as data access procedures and the training programs should undergo regular review. This Program is reevaluated regularly in order to ensure ongoing compliance with existing and future laws and regulations.
Definitions
- Covered Component means any area of OCCC that is required to be compliant with the Regulations, including GLBA.
- CUI (Controlled Unclassified Information) means information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
- Customer Information means any record containing nonpublic personal information as defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of OCCC.
- Financial Product or Service means –
  - (i) any product or service that a financial holding company could offer by engaging in a financial activity; and
  - (ii) Financial Service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.
- Non-Public Personal Information means –
  - (i) Personally identifiable financial information and
  - (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n)(1).
- Personally Identifiable Financial Information means any information –
  - (i) A consumer provides to you to obtain a financial product or service from you;
  - (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
  - (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.
- Protected Information refers to either personally identifiable financial information or customer information, which is covered by the GLBA.
Document History
- Published: June 9, 2023