GLBA Compliance: U-M Financial Services Information Security Plan

Last Revised: November 2017

Introduction

The University of Michigan's information technology security program protects the confidentiality, integrity, and availability of its information assets—data, systems, services, and infrastructure components. An important aspect of the program is the integration of relevant compliance regulations into the overall program, and the assurance that these regulations are embedded in the implementation of the program by schools, colleges, departments, and central offices across the university. The U-M Information Technology Security Program provides the framework that demonstrates compliance with the federal Gramm-Leach-Bliley Act (GLBA).

The intent of this document is to describe how the various components of the university's information security program are in accord with specific provisions of the Gramm-Leach-Bliley Act Safeguards Rule (GLBA), and to provide references to additional materials and to applicable policies and guidelines.

GLBA Objectives and Requirements

In compliance with the Gramm-Leach-Bliley Safeguards Rule and regulations issued by the Federal Trade Commission pursuant to that Rule, the university has established this information security plan to:

  • Ensure the security and confidentiality of customer information.
  • Protect against anticipated threats to the security or integrity of customer information.
  • Guard against unauthorized access to or use of customer information that could result in harm or inconvenience to any customer.
  • Comply with applicable Gramm-Leach-Bliley rules as published by the Federal Trade Commission.

Consistent with its efforts to meet these objectives, the university will:

  • Designate one or more staff members to oversee and coordinate the Information Security Plan.
  • Conduct risk assessments to identify foreseeable internal and external risks that could lead to unauthorized disclosure or misuse of confidential information.
  • Implement plans to control the risks.
  • Contractually require third-party service providers to implement and maintain confidentiality safeguards.
  • Periodically evaluate and adjust the Information Security Plan to ensure ongoing protection of confidential information.

Information Security Plan Implementation Approach

Implementation of the information security program across the university currently operates on two tracks.

First, there is a distributed model of responsibility shared between schools, colleges, and some departments (referred to as "units"), accomplished through collaboration and cooperation. The Office of Information Assurance (IA), under the direction of the chief information security officer, serves as the focal point for program implementation, while the unit deans and directors are accountable for unit security planning and implementation. Every unit is responsible for planning and implementing security to protect its sensitive and critical assets. University policies and guidelines provide units with guidance for identifying assets that need to be protected under applicable law and require units to perform periodic risk assessments around their sensitive and critical assets (reference SPG 601.27). Each unit appoints an information security unit liaison (SUL) who leads and coordinates the unit's security efforts.

Second, many university units and departments subscribe to MiWorkspace, a comprehensive suite of desktop services offered by ITS, a campus-wide shared services provider. For these units, IA is more completely responsible for all components of the IT security program, including performance of sensitive asset risk assessments.

Coordination of the GLBA Information Security Plan

The university's Student Business Services Director is the GLBA coordinator of the information security plan for customer information. However, as indicated above, non-MiWorkspace units are responsible for implementing a unit-level security plan (SPG 601.27) that satisfies GLBA requirements. In addition, the following teams and committees play a role in coordinating the various aspects of the information security plan:

  • The Chief Information Security Officer and IA lead and coordinate the university-wide IT security program and assist units in their security implementation.
  • The IA Council provides guidance, oversight, and strategic thinking on information technology policy, enterprise continuity, privacy, IT security, and identity and access management in support of the university's mission.
  • The GLBA Committee, chaired by the Student Business Services Director, evaluates specific GLBA-required standards to ensure they are incorporated into the overall plan.

Who to Contact with Questions

Individuals who have questions regarding the security of customer information or non-public financial information that is handled or maintained by or on behalf of the University of Michigan or its affiliates should contact:

  • University of Michigan – Ann Arbor
    Bryan Howard
    Student Business Services Director
    Financial Operations, Student Business Operations
    6000 Wolverine Tower
    Ann Arbor, MI 48109-1287
    (734) 647-3816
    bryhow@umich.edu

  • Michigan Medicine
    Jeanne Strickland
    Michigan Medicine Chief Compliance Officer
    Michigan Medicine Compliance Office
    Rm. 4C23, 300 North Ingalls Building
    SPC 5434
    Ann Arbor, MI 48109-5434
    Asst: Mary Korr (734) 615-4400

  • University of Michigan – Dearborn
    Dawn Roult
    Assistant Controller
    Financial Services
    1141 AB
    Dearborn, MI 48126-1491
    (313) 593-5632

  • University of Michigan – Flint
    Dalana Moore
    Assistant Division Controller of Financial Services & Budget
    Financial Services & Budget
    213 University Center
    Flint, MI 48502
    (810) 766-6829

Specifics about reporting a potential breach of university customer information security practices are at Report an IT Security Incident.

Risk Assessment and Safeguards

Risk assessment is the foundation upon which informed security management decisions are made. As such, risk assessment is integrated into the business processes of each unit. The Information Security Program has established a common risk assessment methodology, referred to as RECON—Risk Evaluation of Computers and Open Networks, which is based on best practices and industry standards. University policy (SPG 601.27) requires units to develop, maintain and implement unit-level information security plans consistent with GLBA and other regulations, and to conduct periodic risk assessments.

The risk assessment is one component of the overall risk management methodology that has been adopted by the university. As a follow-up to conducting the risk assessments, units are required to implement risk mitigation actions that have been identified in the risk treatment plans.

Training and Education

University of Michigan employees are instructed in the importance of privacy, confidentiality, and security of customer information before access to such information is granted. Specific guidance is provided for privacy-related requirements under the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the safeguard requirements of the GLBA. Additionally, employees receive information regarding applicable exemptions under the Michigan Freedom of Information Act (FOIA). All university employees are required to complete the Access and Compliance eLearning course describing their responsibilities when handling personally identifiable information (PII) before they are granted access to institutional enterprise data systems. The university also conducts periodic campaigns to enhance the awareness of staff and faculty regarding the appropriate handling of private personal information including customer information.

As a part of their responsibilities for implementing the information security program, deans and directors are required to communicate information security policies to their units on an ongoing and as-needed basis.

IA maintains Safe Computing, a comprehensive campus website that provides guidance and detailed information about many aspects of computer and data security, regulatory compliance including GLBA, and university IT policies, as well as instructions on securing personal and university-owned devices.

The Sensitive Data Guide to IT Services helps university faculty, researchers, and staff make informed decisions about where to safely store and share sensitive data—including student loan application information—using IT services available on the Ann Arbor campus.

Incident Management

U-M has established a university-wide policy for central reporting and tracking of serious IT security incidents, which includes any incidents that involve exposure of sensitive customer information. The university has also established guidelines and responsibilities for consistent reporting and handling of information security incidents.

Oversight of Service Providers and Contractors

Consistent with the provisions of the GLBA, the university takes reasonable steps to select and retain service providers that maintain appropriate safeguards for covered data and information. As part of this effort, IA and U-M Procurement Services collaborated on embedding information assurance at the outset of vendor engagement, typically during the vendor selection process. To this end, the following processes and documentation have been put in place:

  • U-M data protection addendum (DPA): IA, in collaboration with the U-M Office of the General Counsel (OGC), developed a data protection addendum that generally is attached to all contracts where a service provider will access or maintain institutional data. The DPA provides broad security and legal/regulatory compliance assurances.
  • U-M service provider security and compliance questionnaire: U-M has implemented a version of the Cloud Security Alliance Consensus Assessment Questionnaire. The questionnaire is mapped to industry-standard security and compliance control schemes and is provided to service providers that will access or maintain sensitive institutional data. Responses to the questionnaire allow for qualitative analysis of security and compliance risks, and become part of an overarching procurement decision.

Program Evaluation and Revision

The university IT Security Program aims to integrate risk-based security considerations into the regular business decision-making process. As such, the program establishes an ongoing process, as depicted in the chart below.

[Chart: Microsoft Security Risk Management Process]

IA works with security unit liaisons from units across the university to coordinate the planning, implementation, and periodic reviews of their security program via the RECON process. In addition, an annual Office of Internal Controls certification process requires deans and directors to acknowledge their responsibilities relative to the implementation of the IT Security Program.

The overall information security plan is periodically evaluated and adjusted to reflect changing university business, measurements of program effectiveness, and lessons learned from the implementation of security safeguards.

Definitions

Customer Information:

For the purpose of this program, "customer information" is defined as any record containing nonpublic personal information about a customer of the university, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the university or its affiliates. (Reference 16 CFR 313.3).

Nonpublic personal information means:

  • Personally identifiable financial information.
  • Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

Examples of nonpublic personal information include but are not limited to:

  • Social Security Number
  • Credit Card Number
  • Account Numbers
  • Account Balances
  • Any Financial Transactions
  • Tax Return Information
  • Driver's License Number
  • Date/Location of Birth

Examples of services or activities the university may offer that result in the creation of customer information include, but are not limited to:

  • Student (or other) loans, including receiving application information, and the making or servicing of such loans
  • Credit counseling services
  • Collection of delinquent loans and accounts
  • Check cashing services
  • Real estate settlement services
  • Issuing credit cards or long term payment plans involving interest charges
  • Obtaining information from a consumer report

University of Michigan References