
Purpose

Anne Arundel Community College (AACC) is committed to the preservation of personal data and is dedicated to adhering to regulations pertaining to the safeguarding of personal, sensitive, and other protected data within its purview.

In accordance with the Gramm Leach Bliley Act (GLBA) Safeguards Rule, as enshrined in 34 CFR 314.4, the Federal Trade Commission mandates the establishment of an Information Security Program. This program is designed to create, enforce, and sustain protective measures that ensure the security, confidentiality, and integrity of both customer financial records and any non-public personally identifiable financial information associated with them.

GLBA requires that the College implement an information security program designed to protect and safeguard all nonpublic information (NPI) collected for the purpose of offering a financial product or service. The College has institution-level information security policies, procedures, guidelines, and processes which describe elements of the College’s overall information security program and include the protection of National Provider Identifier (NPI) under GLBA.

This document is intended to provide additional information as it specifically relates to GLBA and is not intended to override institution-level policies and procedures related to information security. As such, the institution-level information security policies and procedures govern questions of application and prevail in the event of a conflict between this Division-level document and those institution-level policies and procedures.

Program Objective

The objectives of the program are to:

  1. Ensure data security and confidentiality.
  2. Mitigate anticipated threats to data.
  3. Prevent unauthorized data access and harm.

Descriptions and Definitions

  1. Customer: any individual who receives a financial product or service from the College.
  2. Gramm-Leach-Bliley Act (GLBA): Also known as the Financial Services Modernization Act of 1999. GLBA is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Through its lending programs, AACC is required to comply with GLBA for those areas of its operations related to this lending.
  3. Financial Service: Includes offering or servicing student loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, reviewing credit reports in connection with providing a loan to a student or prospective student, engaging in debt collection activities, and leasing real or personal property to students for their benefit.
  4. Non-Public Personal Information (NPI): Information that is (i) provided by a customer to the College, (ii) provided by another financial institution to the College, or (iii) otherwise obtained by the College for the purpose of offering a financial product or service.
  5. Personally Identifiable Information (PII): Information that can be used by itself or in combination with other information to identify an individual. Examples of PII include, but are not limited to:
    • Name
    • Physical Address
    • Email Address
    • Date of Birth
    • Mother’s Maiden Name
    • Phone Number
  6. Principle of Least Privilege: Maintains that system users will be granted access to only those functions and data needed to perform their job duties.
  7. Service Provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to data through its direct provision of financial services to the College. For the avoidance of doubt, the service provider includes software-as-a-service providers who contract with the College and related entities to receive data for the delivery of financial services. Service providers also include any person or entity that administers any aspect of the College’s participation in U.S. Department of Education Title IV programs.

Requirements

GLBA requires that the AACC Information Security Program include the following elements. The College’s methods as they relate to these elements are as follows:

Risk Assessment

AACC’s Division of Information and Instructional Technology (IIT) identified reasonably foreseeable internal and external risks to the security, confidentiality and integrity of data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of information and the sufficiency of safeguards in place to control these risks.

Recognizing that this may not represent a complete list of the risks associated with the protection of data, and that new risks are created regularly, the Information Security Director (ISD) and the Information Security Taskforce will actively monitor appropriate cybersecurity advisory literature to identify future risks and will ensure that information security risk assessments are performed periodically.

Specifically, IIT recognized the following internal and external information security risks, which include but are not limited to:

  • Unauthorized access of data and information by someone other than the owner of the data
  • Compromised system security because of access to data by an unauthorized person during transmission
  • Loss of data integrity
  • Physical loss of data in the event of a disaster
  • Errors introduced into the system
  • Corruption of data or system
  • Management of account users in systems maintained by external service providers
  • Unauthorized access of data by employees
  • Unauthorized requests for data
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of data through third parties

1. Element No. 1

Designates a qualified individual responsible for overseeing and implementing the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).

1.1 The vice president for Information and Instructional Technology (VP-IIT) or their designee will: (1) strategically oversee the program, (2) collaborate with IIT staff to assess internal and external data security risks and evaluate existing protections, (3) facilitate the development and testing of safeguards against identified risks, (4) assess the security measures of contracted service providers and (5) evaluate the program's effectiveness.

1.2 The vice president of IIT shall also designate an appropriate individual(s) to serve as the program coordinator, who will administer the Information Security Program and serve as the primary resource and liaison with Maryland, Anne Arundel County, departments, units, service providers and related entities for addressing issues related to the GLBA Safeguards Rule and disseminating relevant information and updates.

2. Element No. 2

Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).

2.1 The Information Security Director (ISD), in conjunction with the IIT team, will work with the staff from each AACC Division to identify risks to the security and privacy of the College’s financially related information systems. While the ISD is primarily responsible for internal and external risk assessment of the College’s systems, including those that store NPI, all members of the College are responsible for safeguarding NPI.

2.2 The ISD will conduct regular data security reviews of the College’s financially related information systems and services. The ISD will work with staff from the Division of Learning Resources Management, as well as representatives from the Division of Learning, to perform a risk assessment related to the handling of data that will include documentation of internal controls and will present this to the ISD for evaluation.

2.3  As specified in the College’s Information Technology Strategic Plan, management remains responsible for the review and identification of other security risks, including the storage of paper records or other records that contain data. Data stewards are responsible for ensuring that college Information within their area of assigned responsibility is used with appropriate, controlled levels of access and with assurance of its confidentiality and integrity. The ISD is available to provide guidance to PVP, administration, faculty and staff as required.

2.4  Access to the College’s financially related information systems and services is provided on an as needed basis with the principle of least privilege, as defined herein, applied. Access is requested by the individual user’s supervisor and approved through the College’s approved process.

2.5  Access to the forms that contain student financial information is approved by the Office of Financial Aid. The registrar is responsible for ensuring that access to these forms is not granted without approval.

2.6  The vice president of IIT, in coordination with the ISD, is responsible for assuring physical security of the College’s primary electronic system that houses NPI as well as the network that the College uses to access this system. During risk assessments of other College areas, the ISD will notify the VP-IIT and the associate vice president of Finance (AVP-F) of other systems identified related to GLBA. As identified, ISD will work with the IIT team, as well as the appropriate representatives across AACC’s four divisions to develop a mitigation plan for any risks associated with those identified systems.

3. Element No. 3

Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).

3.1  The AVP-F, or their designee, will perform an annual review to ensure that those with access to customer information are still active and that their access levels are appropriate. Role-based authorization will be applied in adherence to the principle of least privilege; roles are regularly reviewed and maintained.

3.2  The responsible official will periodically assess this requirement and related guidelines according to established policies, processes, guidelines and procedures. Identified flaws, gaps or areas of improvement will be addressed in a timely manner.

3.3  Any transfer or storage of data must employ encryption methods.  These methods must be reviewed by the Information Security Director, and/or the Information Security Taskforce, and approved by the VP-IIT.

3.4  Access to application and database development environments is controlled by network and host-based firewalls, host and application-level authorization schemes, and multifactor authentication. IIT managers who develop, maintain, or modify key applications relating to data must deploy adequate measures for managing change control, separation of test and production environments, and separation of responsibilities and authorizations for staff involved in those functions.

3.5  Multi-factor authentication is required to access or transmit NPI. This will be implemented uniformly as software lifecycles permit. Exceptions require ISD review, and vice president of IIT preapproval.

3.6  Data retention is consistent with the College policy.

3.7  Log data required to audit for unauthorized access to customer information and related information systems is securely collected and maintained for an appropriate period of time; details are reserved.

4. Element No. 4

Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).

4.1  Regular testing and monitoring for effectiveness will be conducted in accordance with college policy, process, guidelines and procedures.

5. Element No. 5

Provides for the implementation of requirements and guidelines to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).

5.1 Security training: Prior to receiving access to protected data, all employees are required to participate in information security training, as well as review and acknowledge the appropriate consumer information rules and regulations. Further, references and/or background checks (as appropriate depending upon position) of new employees working in areas that have access to data are performed. New employees who handle data receive proper training on the importance of confidentiality of student records, student financial information and all other data, and the proper use of computer information and passwords.

Thereafter, all employees are required to complete annual training in cybersecurity and FERPA to ensure compliance. Cybersecurity awareness training may also include controls and measures to detect and identify ransomware, phishing, and social engineering tactics to prevent employees from providing data to an unauthorized individual. These training efforts minimize risk and safeguard data and information. Security updates are regularly distributed to all employees to raise awareness and test vulnerability to social engineering tactics.

5.2 The ISD collaborates and communicates regularly with the vice president of IIT, director of Enterprise Application Services, director of Infrastructure Services, director of Technology Support Services, and the dean of Distance Education, as well as the Information Security Taskforce to ensure best practices are implemented and followed.

5.3 Professional development funds are reserved to provide needed technology training across the College. System administrators and system engineers work closely with application administrators to ensure patches and security updates are implemented in a timely fashion. The ISD leverages the Information Security Taskforce for urgent and emergent issues.

5.4 All technology workers are engaged with appropriate knowledge resources to maintain currency in their areas and share threats and countermeasures through established communication channels. IIT engages in regular readiness communications, discussions, trainings, and testing.

6. Element No. 6

Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).

6.1 The College has developed standard language related to safeguards and their handling of data. This language is included in its contracts and agreements with service providers who may require access to data.

6.2 As part of the College’s procurement process, contracts for technology that require access to data will undergo a security review during the contracting process and, depending on the level of risk, may undergo a re-review during the contract renewal period.

7. Element No. 7

Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program (16 C.F.R. 314.4(g)).

7.1 Policies are reviewed every two years unless otherwise specified. In addition to the regularly scheduled reviews, risks are reviewed and mitigation plans are developed using a risk-based approach on a regular basis.

8. Element No. 8

For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).

8.1 Incidents will be addressed according to AACC’s information security requirements and guidelines. The ISD maintains the College’s Incident Response Plan, which incorporates a decision tree and checklist for declaration of an incident, activation, determination of appropriate internal and external stakeholders, investigation, mitigation, reassessment and reporting.

9. Element No. 9

For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its qualified individual to report regularly and at least annually to the board of directors or, if no such board exists, to the senior officer responsible for the institution’s information security program (16 C.F.R. 314.4(i)).

9.1 Each spring, the ISD will review the information security plan with the vice president of Information and Instructional Technology. The ISD will review and highlight any revisions or changes to the document. This discussion will occur during one of the director and VP’s regular monthly one-on-one meetings. At the conclusion of this meeting, the director of Information Security will make the recommendation to approve the plan for the upcoming fiscal year. If the vice president of IIT concurs, the plan is approved for the upcoming fiscal year.

9.2 Following approval by the vice president of Information and Instructional Technology, the director of Information Security arranges and delivers an annual update to AACC’s president and vice presidents (PVP). The presentation includes key information security updates, outlines any changes to the information security plan, shares critical metrics, and presents recommendations or changes. If the PVP supports the report, it advances for consideration by the board of trustees' Audit and Finance Committee.

9.3 The vice president of IIT and the ISD shall report to AACC’s president and vice presidents (PVP) and to the board of trustees' Audit and Finance Committee at least annually on the status of the GLBA Information Security Program.

Exemptions

None

Contingencies

None

Review Process

Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.

Guideline Title: AACC Information Security Program Compliance with Gramm-Leach-Bliley Act (GLBA)

Guideline Owner: Vice President for Information and Instructional Technology

Guideline Administrator: Director, Information Security

Contact Information: John Williams, [email protected]

Approval Date: Jan. 8, 2024

Effective Date: Jan. 8, 2024

History: Adopted Oct. 13, 2023

Applies to: Faculty, staff and students

Related Policies: N/A

Related Procedures: N/A

Related Guidelines: N/A

Forms: N/A

Relevant Laws:

  • Gramm Leach Bliley Act (GLBA) Safeguards Rule, 34 CFR 314.4