[unisog] GBLA policy examples

James Goldston jgoldston at sses.net
Thu Jul 17 11:44:19 GMT 2003


Thanks for the insight, Chris.  The part about them being covered because
there are some areas which come under the financial umbrella appears to make
sense.  Good to see that edus recognize financial records as being different
from other kinds of specific privacy-related records and they must be
protected accordingly.

In the banking world, regulators perform examinations.  Not sure what the
edu equivalent is--perhaps a lawsuit, or perhaps an external audit.  The
latter presupposes the audit firm knows about GLB and there exists a body of
knowledge that shows exactly where it applies in the edu context,
ramifications of "non-compliance," etc.  T'would be a big surprise to me if
such a BoK exists, then again, I haven't looked (which is what piqued my
interest in the first place).

In the Georgetown link, I notice it states they have a "GLBA Information
Security Program."  Interesting.  Wonder if they also have a regular ol'
"Information Security Program" (I see they have a "University Information
Security Policy")?  Many times I see people calling a "Policy" a "Program."
One of these days I'd like to write a little paper on the differences
between Policy and Program, but not now.  At least they are working at tying
in the other aspects needed to "secure" such data.  Tongue-in-cheek: Wonder
if they also have a "HIPAA Information Security Program?" :)  Anyhoo, I'll
give them credit for going after it.

Have a good day,
James


> -----Original Message-----
> From: Christopher Cramer [mailto:chris.cramer at duke.edu]
> Sent: Wednesday, July 16, 2003 4:36 PM
> To: James Goldston
> Cc: Phillip G Deneault; unisog at sans.org
> Subject: RE: [unisog] GBLA policy examples
>
>
> Hi James,
>
> Unfortunately, most universities *didn't* think it applied which is why
> many haven't implemented a policy yet.  However, the FTC did rule that
> universities are covered under GLB - think student loans, financial aid
> and debit-like cards.
>
> One advantage that we do have is that of the two components (privacy and
> security), the privacy component is addressed by most institutions'
> FERPA policy.  The only problem there is whether or not the FERPA policy
> covers all areas where we are acting in a bank-like function, e.g.
> faculty and staff at Duke can put money on their Duke card, they aren't
> covered by FERPA.
>
> -c
>
> On Wed, 2003-07-16 at 15:32, James Goldston wrote:
> > The format of a policy shouldn't matter (other than for readability,
> > understandability, etc.).  Content is king.
> >
> > Assuming you are asking in the context of an educational facility, is the
> > edu considered a "financial institution?"  If not then I'm not sure the GLB
> > applies.  If you believe it does, please provide why if you don't mind.
> > There are various places where pre-approved examples of consumer notices and
> > opt-out examples are already provided.  You can also look at financial
> > institutions' web sites for examples.  Most will have them.
> >
> > For the financial world, of much more importance are all the banking
> > regulations as a result of the GLB fallout.  E.g., require a formal written
> > Info Sec Prgm, Board level involvement.
> >
> > James
> >
> > Notes:
> > Subtitle A of Title V of the Gramm-Leach-Bliley Act ("GLB Act") has privacy
> > provisions relating to consumers' financial information...
> >
> > Definition: Any institution the business of which is engaging in financial
> > activities as described in section 4(k) of the Bank Holding Company Act (12
> > U.S.C. § 1843(k)). Under the Final Rule promulgated by the Federal Trade
> > Commission (FTC), an institution must be significantly engaged in financial
> > activities to be considered a "financial institution."
> >
> >
> > > -----Original Message-----
> > > From: Phillip G Deneault [mailto:deneault at WPI.EDU]
> > > Sent: Wednesday, July 16, 2003 1:39 PM
> > > To: unisog at sans.org
> > > Subject: [unisog] GBLA policy examples
> > >
> > >
> > > Does anyone have any good examples for policies that fulfill the
> > > Gramm-Leach-Bliley Act?  I understand what I need to put in but not the
> > > format.
> > >
> > > We've missed the deadline to have submitted our policies and now it's on my
> > > desk.  Woo.
> > >
> > > Thanks
> > > Phil
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Phil Deneault     "We work in the dark, We do what we can,
> > > deneault at wpi.edu   We give what we have. Our doubt is our passion,
> > > WPI NetOps         and our passion is our task. The rest is the
> > > InfoSec            madness of art." - Henry James
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > >
>