New York University GLBA Information Security Program
This document summarizes New York University’s (“NYU”) comprehensive written information security program (the “Program”) mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”). In particular, this document addresses the requirements to:
- ensure the security and confidentiality of customer information
- safeguard against any anticipated threats or hazards to the security or integrity of such information, and
- protect against unauthorized access to or use of such information that could substantially harm or inconvenience customers.
Scope of Program
The Program applies to customer information, which means any nonpublic personal information that NYU or its affiliates handle or maintain about a student, faculty, or staff member or other third party in connection with the provision of a financial service or product by or on behalf of NYU or its affiliates (“GLBA nonpublic financial information (NPI”)).
Elements of the Program
1. Designation of Representatives
A. GLBA Program Officer
NYU’s Vice President, Information Technology and CIO is designated as the GLBA Program Officer responsible for coordinating the Program. The GLBA Program Officer may designate other individuals to coordinate particular elements of the Program with the affected departments. Within NYU IT, the Program Director, IT Policy Development and Compliance and the Associate Vice President, Global University Chief Information Security Officer will have designated Program responsibilities. The GLBA Program Officer or designee(s) will work with the Office of General Counsel and the affected department representatives, as necessary, to implement the Program. Questions regarding the implementation of the Program or the interpretation of this document should be directed to the GLBA Program Officer or designee(s) (firstname.lastname@example.org).
B. Affected Departments
Currently, the following units have been identified as the GLBA-affected areas:
- Financial Aid (in the Office of the Vice President for Enrollment Management)
- Financial Operations and Treasury (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)
- Faculty Housing
- University Development and Alumni Relations (UDAR)
- School of Law
The GLBA Program Officer or designee will keep records of a periodic recertification process held at least annually. In addition, the GLBA Program Officer may update the Program from time to time, as appropriate.
C. Affected Department Representative
Each affected NYU department shall appoint a representative, responsible for the GLBA-NPI in that department, to work with the GLBA Program Officer or designee(s).
2. Risk Identification and Assessment
As part of the Program, the GLBA Program Officer or designee will undertake measures that:
- identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of GLBA NPI that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information; and
- assess the sufficiency of any safeguards in place to control these risks.
At a minimum, the risk assessment must consider risks in:
- employee training and management;
- information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
- detecting, preventing and responding to attacks, intrusions, or other systems failures.
In implementing the Program, the GLBA Program Officer or designee(s) will coordinate with the affected departments to establish procedures for identifying and assessing such risks in each relevant area of NYU’s operations, including the areas noted below.
A. Procedures and Practices
The GLBA Program Officer or designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the current policies, procedures, and practices of the affected department relating to access to and use of GLBA NPI and to recommend revisions to or development of new policies, procedures, standards, or guidelines, as appropriate.
B. Employee Training
The GLBA Program Officer or designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the training of the affected department’s employees.
C. Information Systems and Information Processing and Disposal
The GLBA Program Officer or designee(s) will coordinate with the affected department representatives to assess the risks to GLBA NPI associated with NYU’s information systems, including, as appropriate, network and software design and information processing, storage, transmission, and disposal of GLBA NPI. The GLBA Program Officer’s or designee’s responsibilities include oversight of institutional procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
D. Detecting, Preventing, and Responding to Attacks
The GLBA Program Officer or designee(s) will coordinate the evaluation of procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. This includes the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by NYU. The level of monitoring will be appropriate to the potential impact and probability of the identified risks and the sensitivity of the GLBA NPI.
3. Design and Implementation of Safeguards
The GLBA Program Officer or designee(s), will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. This review will also confirm that reasonable safeguards and monitoring are implemented by each affected department that has access to GLBA NPI. Such safeguards and monitoring may be accomplished through existing network monitoring, and problem escalation procedures, and other data management practices.
4. Oversight of External Service Providers
Each affected department shall coordinate with those responsible for the third party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for GLBA NPI to which they will have access.
In addition, the GLBA Program Officer or designee(s) will work with the Office of General Counsel to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards.
A. Program Adjustments
The GLBA Program Officer or designee(s) will evaluate and adjust the Program based on risk identification and assessment activities undertaken to update the Program, as well as any material changes to NYU’s operations or other circumstances that may have a material impact on the Program.
The GLBA Program Officer will provide an annual Program status report to the Senior Vice President and Chief Financial Officer and to a representative of the Office of General Counsel. Information to be included in this report may be required from the affected departments.
About This Policy
Effective Date Supersedes N/A Issuing Authority Vice President, Information Technology and Global University Chief Information Officer Responsible Officer Associate Vice President and Global University Chief Information Security Officer
- Covered data: means information protected by the GLBA and financial information that NYU, as a matter of policy, has included within the scope of the Program, and consists of both paper and electronic records that are handled by the University or its affiliates. Covered data includes information obtained from a student or other third party at the University in the course of offering a financial product or service, or such information provided to the University from another institution.
- Nonpublic financial information: includes any information (i) a student or other third party provides in order to obtain a financial service from NYU, (ii) about a student or other third party resulting from any transaction with NYU involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
- Offering a financial product or service: includes offering student loans, receiving income tax information from a current or prospective student’s parents as a part of a financial aid application, offering credit or interest bearing loans, and other financial services as defined in 12 CFR § 225.28. Examples of financial information relating to such products or services are addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.
- Service Providers: refers to all third parties to which the University offers access to covered data in the ordinary course of business. For example, service providers may include businesses retained to transport and dispose of covered data, collection agencies, and systems support providers.