Overview

This document summarizes New York University’s (“NYU”) comprehensive written information security program (the “Program”) mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”).  In particular, this document addresses the requirements to ensure the security and confidentiality of nonpublic financial information and to safeguard the covered records or information against any anticipated threats or hazards or unauthorized access or use. The Program incorporates by reference NYU’s policies and procedures and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.

Scope of Program

The Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with NYU, whether in paper or electronic or other form, that is handled or maintained by or on behalf of NYU or its affiliates. This Program applies to all NYU faculty and staff members with access to such information.

Elements of the Program

1. Designation of Representatives

A. GLBA Program Officer

NYU’s Vice President, Information Technology and CIO is designated as the GLBA Program Officer who shall be responsible for coordinating the Program.  The GLBA Program Officer may designate other individuals to coordinate particular elements of the Program with the affected departments. Within NYU IT, the Program Director, IT Policy Development and Compliance and the Director, Office of Information Security will have designated Program responsibilities. The GLBA Program Officer or his/her designee(s) will work with the Office of General Counsel and the affected department representatives, as necessary, to implement the Program. Questions regarding the implementation of the Program or the interpretation of this document should be directed to the GLBA Program Officer or his/her designee(s) (glba@nyu.edu).

B. Affected Departments

Currently, the following units have been identified as the GLBA-affected areas:

a) Financial Aid (in the Office of the Vice President for Enrollment Management)

b) Financial Operations and Treasury (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)

c) CDV-Office of the Controller (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)

d) Office of the Bursar (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)

e) Faculty Housing Office

f) Office of University Development and Alumni Relations (UDAR)

A periodic recertification process will be held at least annually. Documentation will be retained by the GLBA Program Officer or his/her designee. In addition, the Program Officer may update the Program from time to time, as appropriate.

C.  Affected Department Representative

Each affected NYU department shall appoint a representative, responsible for the GLBA-covered nonpublic financial information in that department, to work with the GLBA Program Officer or his/her designee(s).

2.  Risk Identification and Assessment

NYU intends, as part of the Program, to undertake to identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.  In implementing the Program, the GLBA Program Officer or his/her designee(s) will coordinate with the affected departments to establish procedures for identifying and assessing such risks in each relevant area of NYU’s operations, including:

A. Procedures and Practices

The Program Officer or his/her designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the current policies, procedures, and practices of the affected department relating to access to and use of nonpublic financial information and to recommend revisions to or development of new policies, procedures, standards, or guidelines, as appropriate.

B. Employee Training

The Program Officer or his/her designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the training of the affected department’s employees.

C. Information Systems and Information Processing and Disposal

The Program Officer or his/her designee(s) will coordinate with the affected department representatives to assess the risks to nonpublic financial information associated with NYU’s information systems, including, as appropriate, network and software design and information processing, storage, transmission, and disposal of nonpublic financial information.  The GLBA Program Officer’s or his/her designee’s responsibilities include oversight of institutional procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.

D.  Detecting, Preventing, and Responding to Attacks

The GLBA Program Officer or his/her designee(s) will coordinate the evaluation of procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. This includes the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by NYU. The level of monitoring will be appropriate to the potential impact and probability of the identified risks and the sensitivity of the nonpublic financial information.

3. Design and Implementation of Safeguards

The GLBA Program shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form.  The GLBA Program Officer or his/her designee(s), on a regular basis, will conduct risk identification and assessments and implement safeguards to control identified risks and to regularly test or otherwise monitor the effectiveness of such safeguards.  Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.

4. Oversight of External Service Providers

Each affected department shall coordinate with those responsible for the third party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access.

In addition, the GLBA Program Officer or his/her designee(s) will work with the Office of General Counsel or other designated institutional official to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards.  Any deviation from these standard provisions will require the approval of the Office of General Counsel or other designated institutional official.

A. Program Adjustments and Reports

The Program Officer or his/her designee(s) will evaluate and adjust the Program based on risk identification and assessment activities undertaken to update the Program, as well as any material changes to NYU’s operations or other circumstances that may have a material impact on the Program.

B.

The Program Officer will provide an annual Program status report to the Senior Vice President and Chief Financial Officer and to the Office of General Counsel. Information to be included in this report may be required from the affected departments.


Notes
top
  1. Dates of official enactment and amendments: Not Available
  2. History: Last Review: January 7, 2018. Last Revision: January 7, 2018.
  3. Cross References: N/A