Gramm-Leach-Bliley Act (GLBA) Safeguards Policy

Category: Computing and Technology
Responsible Unit: Brockport Information Technology Services
Responsible Cabinet Member: VP for Administration and Finance
Adoption Date: 2025-04-11
Last Revision Date:
Last Review Date:

Policy Statement

The Gramm-Leach-Bliley Act (GLBA) sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student financial information.

GLBA requires SUNY Brockport to protect student financial aid information provided by the Department of Education or otherwise obtained in support of the administration of Federal Student Aid (FSA) programs (Title IV programs). This includes information relating to past or present students.

Purpose/Scope

The objectives of the GLBA safeguard standards are to:

  • ensure the security and confidentiality of student financial information,
  • protect against any anticipated threats or hazards to the security or integrity of student financial information, and
  • protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student.

The requirement for institutions of higher education to comply with GLBA is outlined in several Department of Education and Federal Trade Commission (FTC) notices, agreements, and guidelines. The most significant is the Program Participation Agreement (PPA) for Title IV FSA programs.

Enforcement is handled through a combination of possible actions by the Department of Education and the FTC, which can include fines and suspension of Title IV program participation.

Applicability

This policy applies to any SUNY Brockport employee, office, partner, or third party supporting financial services offered by SUNY Brockport. This policy is concerned with creating, receiving, transmitting, or storing any information related to campus-provided financial services.

Offices with regular GLBA-related activities:

  • Advancement and Communication Division
    • Advancement Office
  • Administration and Finance Division
    • Brockport Information Technology Services (BITS)
    • Office of Student Accounts and Accounting (OSAA)
  • Academic Affairs Division
    • Career Design Center
  • Enrollment Management Division
    • Financial Aid Office

Definitions

Information Security Program — The administrative, technical, and physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle student financial information.

Definitions not listed here can be found in the Information Security Glossary.

Policy Procedures

Roles and Responsibilities:

A. The President will:

  • designate an Information Security Officer (ISO) to serve as the qualified individual, and
  • authorize a cross-divisional information security program focused on university-wide compliance with GLBA safeguard requirements.

B. The President and President’s Cabinet will:

  • require the ISO to report in writing, regularly or at least annually. This report will include:
    • the overall status of the information security program and compliance with GLBA safeguards, and
    • related materials such as risk assessments, results of tests, security events or violations, and related management responses and recommendations.

C. The University Information Security Officer (ISO) will:

  • implement and oversee an information security program and coordinate with campus leadership,
  • ensure that the university information security program incorporates all the elements required by the GLBA safeguards, and
  • ensure that the university information security program is based on the NIST SP 800-171 controls recommended by the Department of Education and the Federal Trade Commission.

D. Departments or individuals with direct responsibility for GLBA-related processes and systems will:

  • ensure that processes, policies, and requirements are created to comply with the campus information security program, and
  • complete annual training on GLBA safeguards compliance.

Approach to compliance:

The Information Security Officer (ISO) will serve as the coordinator of a single university-wide information security program in compliance with the GLBA Safeguards requirements. Many campus experts and professionals are working with student financial information and systems. Successfully implementing the intent of GLBA to protect student financial information across the University requires a coordinated team effort. It can’t be done by any one person, team, or division alone.

For this reason, the ISO will ensure that campus information security policies are informed by GLBA requirements and available for incorporation into related campus policies, standards, and procedures.

Links to Related Procedures and Information

ECFR :: 16 Part 314 – Standards for Safeguarding Customer Information

Information Security Administration Policy – This new draft policy is in process and will be linked when published

Information Security Glossary

NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

SUNY Information Security Policy 6900

SUNY Information Security Guidelines: Campus Programs and Preserving Confidentiality 6608

Contact Information

University Information Security Officer

History (in descending order)

Item               Date        Explanation
Next Review Date   2030-04-11  Five-year review
Adoption Date      2025-04-11  Policy Adopted
Draft Review Date  2025-03-11  Draft Policy under 30-day Campus Review

Approval

This policy was approved by the President’s Cabinet on 2025-04-11.