About
This compliance plan ("Plan") describes K-State's safeguards to protect non-public, financial-related personal information ("covered information") in accordance with the requirements of the Gramm-Leach-Bliley Act of 1999 (GLBA). The Safeguards Rule of the GLBA, as defined by the Federal Trade Commission (FTC), requires financial institutions, which the FTC explicitly indicated includes higher education institutions, to have an information security program to protect confidentiality and integrity of personal information.
These safeguards are provided to:
- Ensure the security and confidentiality of covered information.
- Protect against anticipated threats or hazards to the security or integrity of such information.
- Protect against unauthorized access to or use of covered information that could result in substantial harm or inconvenience to any customer.
This Information Security Plan also provides for mechanisms to:
- Designate an employee or employees to coordinate the information security program.
- Identify and assess the internal and external risks that may threaten covered information maintained by K-State.
- Design and implement safeguards to control the identified risks.
- Oversee service providers, including third-party contractors, to ensure appropriate safeguards for covered information are maintained.
- Periodically evaluate and adjust the information security program as circumstances change.
This plan responds to the Gramm-Leach-Bliley Act of 1999 that mandates protection of customer information, which for universities is primarily student financial information.
Audience
- Students
- Faculty
- Staff
- Guests
Details
Definitions
Covered Information
Information that K-State has obtained from a customer (e.g., a student) in the process of offering a financial product or service, or such information provided to the University by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers, in both paper and electronic format.
Information Security Program
The administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle covered information.
Service Providers
Any person or entity that receives, maintains, processes, or otherwise is permitted access to covered information through its direct provision of services to the University.
Roles and Responsibilities
Chief Information Security Officer (CISO)
The CISO is responsible for coordinating and overseeing all elements of K-State's information security program. The CISO will work with appropriate personnel from other offices as needed such as the Registrar's Office, Internal Audit, and the Division of Financial Services to ensure protection of covered information.
Information Security Program Elements
Risk Assessment
Under the oversight of the CISO, risk and privacy assessments are performed for all information systems that house or access covered information. These risk and privacy assessments shall address unauthorized access, use, disclosure, disruption, modification and/or destruction of information or the information system itself. Further, the assessments shall identify known potential threats, the likelihood of their occurrence and the magnitude of the impact of those threats should they occur.
Internal and external risks at K-State include, but are not limited to:
- Unauthorized access of covered information by persons within or outside the University.
- Compromised system security as a result of human error, vulnerabilities, infection by malicious software, or unauthorized system access.
- Interception of data during transmission.
- Loss of data integrity.
- Physical loss of data in a disaster.
- Errors introduced into the system.
- Corruption of data or systems.
- Unauthorized access through hard copy files or reports.
- Unauthorized disclosure of covered information through third parties.
Risk and privacy assessments are used to determine the likelihood and magnitude of harm that could come to an information system, the affected individual(s), and ultimately the University itself in the event of a security breach. By determining the amount of risk that exists, the University shall determine how much of the risk should be mitigated and what controls should be used to achieve that mitigation.
Both risk and privacy assessments shall be performed prior to, or if not practical, immediately after acquisition of an information system (in the event that the information system is owned/operated by the University) or prior to the initial establishment of service agreements (in the event that the information system is owned/operated by a third party on behalf of the University). Further, the risk and privacy assessments shall be reviewed and, where required, updated after three years or whenever a significant change is made to the information system, whichever comes first.
Risk assessment should include consideration of risks in each of the following operational areas, in accordance with the requirements of the GLBA:
Two-Factor Authentication
In accordance with 16 CFR 314.4(c)(5), Kansas State University has implemented two-factor authentication as part of its Designing and Implementing Safeguards strategy. Two-factor authentication requires users to provide multiple pieces of evidence to verify their identity when accessing systems. This additional layer of security significantly reduces the risk of unauthorized access and strengthens the protection of sensitive information. By incorporating two-factor authentication, the university demonstrates its commitment to data security, privacy, and compliance with regulatory requirements.
Change Management
Change management policies can be found under PPM Chapter 3439.
Monitoring and Testing
Kansas State University engages in continuous monitoring, periodic penetration testing and vulnerability assessments for its information systems. These practices ensure ongoing scrutiny and proactive identification of potential security risks, bolstering the university's commitment to maintaining a secure information environment.
Employee training and management
Prior to being granted access to covered information, new employees in positions that require access to covered information (e.g., position in the Division of Financial Services, Registrar, and Student Financial Assistance) will receive training on the importance of confidentiality of student records, student financial information, and other types of covered information, and the risks of not providing appropriate protection.
All university employees are required to complete annual training in general information technology security. Training also covers controls and procedures to prevent employees from providing confidential information to an unauthorized individual through social engineering or improper disposal of documents that contain covered information. All training will be reviewed and, where needed, updated at least annually.
All new employees with access to covered information must pass a criminal background check as a condition of employment.
The university ensures that its information security personnel receive comprehensive security updates and training to effectively address relevant security risks, as well as stay abreast of evolving information security threats and countermeasures. By providing continuous education and training, the university equips its security personnel with the necessary knowledge and skills to proactively mitigate risks and respond to emerging threats. This commitment to ongoing professional development ensures that the university's information security team remains well-prepared and capable of safeguarding sensitive information in an ever-changing threat landscape.
Each department responsible for maintaining covered information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.
Information systems
Including network and software design, as well as information processing, storage, transmission, and disposal.
Incident management
Including detecting, preventing and responding to attacks, intrusions, or other systems failures. K-State's strategy for managing IT security incidents, including assessing risks, is described in the IT Security Incident Reporting process. Suspected incidents can always be reported the Information Security Group by emailing abuse@ksu.edu.
Designing and Implementing Safeguards
Safeguards are necessary to mitigate and control the risks identified through risk assessment. Furthermore, the effectiveness of safeguards' key controls, systems, and procedures should be regularly tested to ensure continued protection of covered information. The policy framework for K-State's information security program that governs the design, implementation, and maintenance of these safeguards. Protection of covered information is explicitly encompassed by K-State's comprehensive information security program that protects all K-State information and technology assets, commensurate with size and complexity of the institution, the nature and scope of activities, and the sensitivity of information assets.
Overseeing Service Providers
In the process of choosing a service provider that will maintain or regularly access covered information, the selection and retention processes shall ensure the ability of the service provider to implement and maintain appropriate safeguards for covered information. Contracts with service providers may include the following provisions:
- An explicit acknowledgment that the contract allows the contract partner access to covered information.
- A specific definition or description of the covered information being provided.
- A stipulation that the covered information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
- An assurance that the contract partner will protect the covered information it receives according to commercially acceptable standards and no less rigorously than it protects its own covered information.
- A provision providing for the return or destruction of all covered information received by the contract provider upon completion or termination of the contract.
- An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles K-State to terminate the contract without penalty.
- A provision ensuring that the contract's confidentiality requirements shall survive any termination of the agreement.
Reporting
The CISO will submit an annual written report to K-State leadership, outlining the overall compliance and status of the information security program, along with any recommended changes. This report provides details on security events, outcomes from security testing, audit findings, perspectives on risk management strategies, key decisions on controls derived from risk assessments, and provides information regarding security assessments for service providers.
Program Evaluation and Adjustment
The CISO will periodically review and adjust the information security program as it relates to the GLBA requirements, with input from the University's Security Team and relevant stakeholders. Program evaluation should be based on results of testing and monitoring of security safeguard effectiveness and reflect changes in technology and/or operations, evolving internal and external threats, and any other circumstances that have a material impact on the information security program. The Office of General Counsel and the Chief Information Officer must review any recommended adjustments.
Related Laws, Regulations, or Policies
Statements regarding compliance with Gramm Leach Bliley have been added to:
Rates
Notes