[unisog] GBLA policy examples

Eric D Matulka ematulka at nebraska.edu
Wed Jul 16 21:40:16 GMT 2003

The following site also has links to some good information on this topic, 
including a few URLs for individual institutions and their policies: 

Eric Matulka
Computing Services Network
University of Nebraska Central Administration
Phone - 402.472.0785    ematulka at nebraska.edu
The University of Nebraska:  Pioneering New Frontiers

Tony Wright <wright at wsu.edu> 
07/16/2003 03:40 PM

Christopher Cramer <chris.cramer at duke.edu>
Phillip G Deneault <deneault at WPI.EDU>, unisog at sans.org
Re: [unisog] GBLA policy examples

The Chronicle of Higher Education in their July 11 edition published an
article about GBL Act and education institutions.

The first couple of paragraphs of the article follow:

Copyright 2003 by The Chronicle of Higher Education
 From the issue dated July 11, 2003

  When Is a College Like a Bank?

When Congress passed the Gramm-Leach-Bliley Act in 1999,
  college officials paid little notice. Higher education seemed
  to have little to do with a law that requires financial
  institutions, such as banks and investment companies, to
  protect customers' private information from computer mishaps.


  Campus officials got a rude surprise when the Federal Trade
  Commission issued a regulation last year that put virtually
  all colleges under the law, also known as the Financial
  Services Modernization Act. Many college administrators didn't
  find out about the ruling until this year. Now colleges are
  playing catch-up and are trying to figure out how to comply.

  In the regulation, which sets forth how the law is enforced,
  the commission created a definition of "financial
  institutions" that includes most colleges on the basis of the
  financial relationships they have with students, donors, and

End excerpt.

----Systems don't run smoothly by chance.---
Tony Wright, PhD.
College of Agriculture and Home Economics
PO Box 646230
Washington State University, Pullman WA 99164-6230

On Wed, 16 Jul 2003, Christopher Cramer wrote:

> there are a handful of samples from different Universities at:
> http://www.nacubo.org/business_operations/safeguarding_compliance/
> Since the policies don't have to be submitted anywhere for approval,
> there doesn't seem to be much concern for a standard form.  So the above
> samples come in a range from the all-inclusive, policy/procedure
> document to ones that seem to be broad policy needing supporting
> procedures documented separately.
> In general, how are folks handling Gramm-Leach-Bliley?  Is it being
> dumped directly on to security folks or is it being handled as a larger
> issue with support and advice from security?  The second is my
> preference, but a couple of other groups (who might end up with
> responsibility) have been trying to make it an IT Security issue only.
> Thanks
> -Chris
> --
> Christopher E. Cramer, Ph.D.
> University Information Technology Security Officer
> Duke University,  Office of Information Technology
> 253A North Building, Box 90132, Durham, NC  27708-0291
> PH: 919-660-7003  FAX: 919-660-7076  CELL: 919-210-0528
> PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp
> On Wed, 2003-07-16 at 13:39, Phillip G Deneault wrote:
> > Does anyone have any good examples for policies that fulfill the
> > Gramm-Leach-Bliley Act?  I understand what I need to put in but not 
> > format.
> >
> > We've missed the deadline to have submitted our policies and now it's on my
> > desk.  Woo.
> >
> > Thanks
> > Phil
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Phil Deneault     "We work in the dark, We do what we can,
> > deneault at wpi.edu   We give what we have. Our doubt is our passion,
> > WPI NetOps         and our passion is our task. The rest is the
> > InfoSec            madness of art." - Henry James
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
