New York University GLBA Information Security Program
This document summarizes New York University’s (“NYU”) comprehensive written information security program (the “Program”) mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”). In particular, this document addresses the requirements to ensure the security and confidentiality of nonpublic financial information and to safeguard the covered records or information against any anticipated threats or hazards or unauthorized access or use. The Program incorporates by reference NYU’s policies and procedures and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.
Scope of Program
The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with NYU, whether in paper or electronic or other form, that is handled or maintained by or on behalf of NYU or its affiliates. This Program applies to all NYU faculty and staff members with access to such information.
Elements of the Program
1. Designation of Representatives
A. GLBA Program Officer
NYU’s Vice President, Information Technology & Global University Chief Information Officer is designated as the GLBA Program Officer who shall be responsible for coordinating the Program. The GLBA Program Officer may designate other individuals to coordinate particular elements of the Program with the affected departments. Within NYU IT, the Program Director, IT Policy Development and Compliance and the Associate Vice President, Global University Chief Information Security Officer will have designated Program responsibilities. The GLBA Program Officer or his/her designee(s) will work with the Office of General Counsel and the affected department representatives, as necessary, to implement the Program. Questions regarding the implementation of the Program or the interpretation of this document should be directed to the GLBA Program Officer or his/her designee(s) (OIS-Compliance@nyu.edu).
B. Affected Departments
Currently, the following units have been identified as the GLBA-affected areas:
a) Financial Aid (in the Office of the Vice President for Enrollment Management)
b) Financial Operations and Treasury (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)
c) CDV-Office of the Controller (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)
d) Office of the Bursar (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)
e) Faculty Housing Office
f) Office of University Development and Alumni Relations (UDAR)
g) School of Law
A periodic recertification process will be held at least annually. Documentation will be retained by the GLBA Program Officer or his/her designee. In addition, the Program Officer may update the Program from time to time, as appropriate.
C. Affected Department Representative
Each affected NYU department shall appoint a representative, responsible for the GLBA-covered nonpublic financial information in that department, to work with the GLBA Program Officer or his/her designee(s).
2. Risk Identification and Assessment
NYU intends, as part of the Program, to undertake to identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In implementing the Program, the GLBA Program Officer or his/her designee(s) will coordinate with the affected departments to establish procedures for identifying and assessing such risks in each relevant area of NYU’s operations, including:
A. Procedures and Practices
The Program Officer or his/her designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the current policies, procedures, and practices of the affected department relating to access to and use of nonpublic financial information and to recommend revisions to or development of new policies, procedures, standards, or guidelines, as appropriate.
B. Employee Training
The Program Officer or his/her designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the training of the affected department’s employees.
C. Information Systems and Information Processing and Disposal
The Program Officer or his/her designee(s) will coordinate with the affected department representatives to assess the risks to nonpublic financial information associated with NYU’s information systems, including, as appropriate, network and software design and information processing, storage, transmission, and disposal of nonpublic financial information. The GLBA Program Officer’s or his/her designee’s responsibilities include oversight of institutional procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
D. Detecting, Preventing, and Responding to Attacks
The GLBA Program Officer or his/her designee(s) will coordinate the evaluation of procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. This includes the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by NYU. The level of monitoring will be appropriate to the potential impact and probability of the identified risks and the sensitivity of the nonpublic financial information.
3. Design and Implementation of Safeguards
The GLBA Program shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The GLBA Program Officer or his/her designee(s), on a regular basis, will conduct risk identification and assessments and implement safeguards to control identified risks and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
4. Oversight of External Service Providers
Each affected department shall coordinate with those responsible for third-party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which they will have access.
In addition, the GLBA Program Officer or his/her designee(s) will work with the Office of General Counsel or other designated institutional official to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Office of General Counsel or other designated institutional official.
A. Program Adjustments
The Program Officer or his/her designee(s) will evaluate and adjust the Program based on the risk identification and assessment activities undertaken to keep the Program current, as well as on any material changes to NYU’s operations or other circumstances that may have a material impact on the Program.
The Program Officer will provide an annual Program status report to the Senior Vice President and Chief Financial Officer and to the Office of General Counsel. Information to be included in this report may be required from the affected departments.
About This Policy
Effective Date:
Supersedes: N/A
Issuing Authority: Vice President, Information Technology & Global University Chief Information Officer
Responsible Officer: Vice President, Information Technology & Global University Chief Information Officer
- Covered data: means information protected by the GLBA and financial information that NYU, as a matter of policy, has included within the scope of the Program, and consists of both paper and electronic records that are handled by the University or its affiliates. Covered data includes information obtained from a student or other third party at the University in the course of offering a financial product or service, or such information provided to the University from another institution.
- Nonpublic financial information: includes any information (i) a student or other third party provides in order to obtain a financial service from NYU, (ii) about a student or other third party resulting from any transaction with NYU involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
- Offering a financial product or service: includes offering student loans, receiving income tax information from a current or prospective student’s parents as part of a financial aid application, offering credit or interest-bearing loans, and other financial services as defined in 12 CFR § 225.28. Examples of financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.
- Service Providers: refers to all third parties to which the University offers access to covered data in the ordinary course of business. For example, service providers may include businesses retained to transport and dispose of covered data, collection agencies, and systems support providers.