[unisog] GBLA policy examples

Phillip G Deneault deneault at WPI.EDU
Thu Jul 17 14:02:20 GMT 2003


On Thu, 17 Jul 2003, James Goldston wrote:

> In the banking world, regulators perform examinations.  Not sure what the
> edu equivalent is--perhaps a lawsuit, or perhaps an external audit.  The
> latter presupposes the audit firm knows about GLB and there exists a body of
> knowledge that shows exactly where it applies in the edu context,
> ramifications of "non-compliance," etc.  T'would be a big surprise to me if
> such a BoK exists, then again, I haven't looked (which is what piqued my
> interest in the first place).

My university actually undergoes a yearly audit by PricewaterhouseCoopers
in both its financial area and its IT division.  For years, the focus has
been on GLBA-ish ideas (with mixed success).  Maybe this year will be
different.

In my research the only consequence of non-compliance in the .edu sense
is liability.  That's enough for most colleges.  Maybe someone was able to
find something else?
 
> In the Georgetown link, I notice it states they have a "GLBA Information
> Security Program."  Interesting.  Wonder if they also have a regular 'ol
> "Information Security Program" (I see they have a "University Information
> Security Policy")?  

I've been in the process of trying to define an IT policy for my
university for a while now (accounting for politics and such).  This GBLA
thing is annoying me because I'd rather have a university-wide
security policy first before I have some random government-required edict
that might actually limit my implementation.  At the very least, I'll
probably end up having to change the GBLA policy later to account for this
new information.

On a brighter note, a random government-required edict is just the tool I
need to bash the proverbial square peg that is my university security
policy into the round hole of my IT division. :-)

Phil

> > -----Original Message-----
> > From: Christopher Cramer [mailto:chris.cramer at duke.edu]
> > Sent: Wednesday, July 16, 2003 4:36 PM
> > To: James Goldston
> > Cc: Phillip G Deneault; unisog at sans.org
> > Subject: RE: [unisog] GBLA policy examples
> >
> >
> > Hi James,
> >
> > Unfortunately, most universities *didn't* think it applied which is why
> > many haven't implemented a policy yet.  However, the FTC did rule that
> > universities are covered under GLB - think student loans, financial aid
> > and debit-like cards.
> >
> > One advantage that we do have is that of the two components (privacy and
> > security), the privacy component is addressed by most institutions'
> > FERPA policy.  The only problem there is whether or not the FERPA policy
> > covers all areas where we are acting in a bank-like function, e.g.
> > faculty and staff at Duke can put money on their Duke card, and they aren't
> > covered by FERPA.
> >
> > -c
> >
> > On Wed, 2003-07-16 at 15:32, James Goldston wrote:
> > > The format of a policy shouldn't matter (other than for readability,
> > > understandability, etc.).  Content is king.
> > >
> > > Assuming you are asking in the context of an educational facility, is the
> > > edu considered a "financial institution?"  If not then I'm not sure the GLB
> > > applies.  If you believe it does, please provide why if you don't mind.
> > > There are various places where pre-approved examples of consumer notices and
> > > opt-out examples are already provided.  You can also look at financial
> > > institutions' web sites for examples.  Most will have them.
> > >
> > > For the financial world, of much more importance are all the banking
> > > regulations as a result of the GLB fallout.  E.g., require a formal written
> > > Info Sec Prgm, Board level involvement.
> > >
> > > James
> > >
> > > Notes:
> > > Subtitle A of Title V of the Gramm-Leach-Bliley Act ("GLB Act") has privacy
> > > provisions relating to consumers' financial information...
> > >
> > > Definition: Any institution the business of which is engaging in financial
> > > activities as described in section 4(k) of the Bank Holding Company Act (12
> > > U.S.C. § 1843(k)). Under the Final Rule promulgated by the Federal Trade
> > > Commission (FTC), an institution must be significantly engaged in financial
> > > activities to be considered a "financial institution."
> > >
> > >
> > > > -----Original Message-----
> > > > From: Phillip G Deneault [mailto:deneault at WPI.EDU]
> > > > Sent: Wednesday, July 16, 2003 1:39 PM
> > > > To: unisog at sans.org
> > > > Subject: [unisog] GBLA policy examples
> > > >
> > > >
> > > > Does anyone have any good examples for policies that fulfill the
> > > > Gramm-Leach-Bliley Act?  I understand what I need to put in but not the
> > > > format.
> > > >
> > > > We've missed the deadline to have submitted our policies and now it's on my
> > > > desk.  Woo.
> > > >
> > > > Thanks
> > > > Phil
> > > >
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > Phil Deneault     "We work in the dark, We do what we can,
> > > > deneault at wpi.edu   We give what we have. Our doubt is our passion,
> > > > WPI NetOps         and our passion is our task. The rest is the
> > > > InfoSec            madness of art." - Henry James
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > >
> >
> 
> 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-