91Ö±²¥

Responsible Office: Administration and Finance

1. PURPOSE

   The Gramm-Leach-Bliley Act ("GLBA") (Public Law 106-102) and its implementing regulations at 16 CFR Part 313 & 314 requires Financial Institutions to protect, to the extent reasonably possible, the security, privacy, and confidentiality of personally identifiable financial records and information, also known as "Covered Information." Because 91Ö±²¥ of Maryland Global Campus ("91Ö±²¥") engages in Financial Services, such as student financial aid, the Federal Trade Commission ("FTC") considers the 91Ö±²¥ a Financial Institution for GLBA purposes.

2. SCOPE

   This Policy applies to Covered Information provided by a student or other third party to the 91Ö±²¥, resulting from any service or transaction performed by the 91Ö±²¥ for a student or other third party, or otherwise obtained by the 91Ö±²¥.

3. DEFINITIONS

   Capitalized terms utilized in this Policy shall have the meaning ascribed to them below. These terms shall have the same meaning when used in the singular or plural form.

   1. Covered Information: Any nonpublic personally identifiable financial information handled or maintained by or on behalf of the 91Ö±²¥ whether in paper, electronic or other form that: (i) a student or other third party provides in order to obtain a Financial Service from the 91Ö±²¥ (ii) is about a student or other third party resulting from any transaction with the 91Ö±²¥ involving a Financial Service; or (iii) is otherwise obtained about a student or other third party in connection with providing a Financial Service to that person. This includes but is not limited to: asset statement, bank account information, credit card information, income and credit history, social security number, tax return.

   2. Financial Institution: Any institution engaging in activities that are financial in nature or incidental to financial activities.

   3. Financial Services: Includes Financial Institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application for a financial product or service (e.g. student loans and the administration of financial aid).

   4. Information Resource: Anything that is intended to generate, store, or transmit information.

   5. Information Security Program ("IS Program"): Provides a formal structure for (1) developing and maintaining 91Ö±²¥-wide security policies, (2) defines security principles that safeguard 91Ö±²¥ computing resources, and (3) ensures compliance with internal and external regulations.

   6. Service Provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to 91Ö±²¥ information through its direct provision of services to the 91Ö±²¥.

   7. Sub-Service Provider: Any person or entity that receives, maintains, processes, or otherwise is permitted access to 91Ö±²¥ information through its provision of services to a 91Ö±²¥ Service Provider.

4. POLICY STATEMENTS

   1. The 91Ö±²¥ shall designate one or more individuals to coordinate the Information Security Program ("IS Program") as it relates to GLBA.

   2. The 91Ö±²¥â€™s IS Program shall identify and assess internal and external risks to the security, confidentiality, and integrity of Covered Information that could result in the unauthorized disclosure, misuse, alteration, destruction or any other compromise of such information. The IS Program coordinator(s) shall provide guidance to appropriate personnel in central administration, academic departments, and other 91Ö±²¥ departments in evaluating their current practices and procedures and assessing threats to Covered Information. The IS Program coordinator(s) shall work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:

      1. Employee Training and Management - evaluate the effectiveness of current security employee training and management procedures relating to the access and use of Covered Information;

      2. Information Systems - assess the risks to Covered Information associated with the 91Ö±²¥â€™s information systems, including network and software design as well as information processing, storage, transmission, & disposal, and;

      3. Detecting, Preventing, and Responding to Attacks and System Failures - evaluate procedures for and methods of detecting, preventing, and responding to attempted attacks, intrusions, and other system failures.

   3. The IS Program coordinator(s) will coordinate with appropriate personnel to design and implement safeguards, as needed, to minimize or mitigate the risks identified in assessments and shall develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. The IS Program coordinator(s) will ensure that monitoring of the safeguards shall be performed on an ongoing basis and adjustments to the IS Program shall be made as needed.

   4. The IS Program coordinator(s) shall work with the 91Ö±²¥â€™s Office of Procurement and the Office of Legal Affairs ("OLA") in developing methods and procedures for selecting and retaining Service Providers, to include Sub-Service Providers, that are capable of maintaining appropriate safeguards for Covered Information. Contract language shall require Service Providers to implement and maintain appropriate safeguards for those computing resources that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Covered Information.

5. ENFORCEMENT

   1. Any employee, contractor, or other third-party performing duties on behalf of the 91Ö±²¥ with knowledge of an alleged violation of this Policy shall notify the Office of Human Resources as soon as practicable.

   2. Any employee, contractor, or other third-party performing duties on behalf of the 91Ö±²¥ who violates this Policy may be denied access to the 91Ö±²¥â€™s Information Resources and may be subject to other penalties and disciplinary action, up to and including termination of employment or contract.