This document summarizes New York University’s (“NYU”) comprehensive written information security program (the “Program”) mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (“GLBA”). In particular, this document addresses the requirements to:

  • ensure the security and confidentiality of customer information,
  • safeguard against any anticipated threats or hazards to the security or integrity of such information, and
  • protect against unauthorized access to or use of such information that could substantially harm or inconvenience customers.
The Program incorporates by reference all applicable NYU policies and procedures with respect to privacy and information security.

Scope of Program

The Program applies to customer information, which means any nonpublic personal information that NYU or its affiliates handle or maintain about a student, faculty, or staff member or other third party in connection with the provision of a financial service or product by or on behalf of NYU or its affiliates (“GLBA nonpublic financial information (NPI)”).

Elements of the Program

1. Designation of Representatives

A. GLBA Program Officer

NYU’s Vice President, Information Technology and CIO is designated as the GLBA Program Officer responsible for coordinating the Program. The GLBA Program Officer may designate other individuals to coordinate particular elements of the Program with the affected departments. Within NYU IT, the Program Director, IT Policy Development and Compliance and the Associate Vice President, Global University Chief Information Security Officer will have designated Program responsibilities. The GLBA Program Officer or designee(s) will work with the Office of General Counsel and the affected department representatives, as necessary, to implement the Program. Questions regarding the implementation of the Program or the interpretation of this document should be directed to the GLBA Program Officer or designee(s) (glba@nyu.edu).

B. Affected Departments

Currently, the following units have been identified as the GLBA-affected areas:

  1. School of Law
  2. Faculty Housing Office
  3. Financial Operations and Treasury
  4. Office of Financial Aid
  5. Office of the Bursar
  6. Office of University Development and Alumni Relations (UDAR)

The GLBA Program Officer or designee will keep records of a periodic recertification process held at least annually. In addition, the GLBA Program Officer may update the Program from time to time, as appropriate.

C. Affected Department Representative

Each affected NYU department shall appoint a representative, responsible for the GLBA-NPI in that department, to work with the GLBA Program Officer or designee(s).

2. Risk Identification and Assessment

As part of the Program, the GLBA Program Officer or designee will undertake measures that:

  • identify and assess reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of GLBA NPI that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information; and
  • assess the sufficiency of any safeguards in place to control these risks.

At a minimum, the risk assessment must consider risks in:

  • employee training and management;
  • information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
  • detecting, preventing and responding to attacks, intrusions, or other systems failures.

In implementing the Program, the GLBA Program Officer or designee(s) will coordinate with the affected departments to establish procedures for identifying and assessing such risks in each relevant area of NYU’s operations, including the areas noted below.

A. Procedures and Practices

The GLBA Program Officer or designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the current policies, procedures, and practices of the affected department relating to access to and use of GLBA NPI and to recommend revisions to or development of new policies, procedures, standards, or guidelines, as appropriate.

B. Employee Training

The GLBA Program Officer or designee(s) will coordinate with the affected department representatives to evaluate the effectiveness of the training of the affected department’s employees.

C. Information Systems and Information Processing and Disposal

The GLBA Program Officer or designee(s) will coordinate with the affected department representatives to assess the risks to GLBA NPI associated with NYU’s information systems, including, as appropriate, network and software design and information processing, storage, transmission, and disposal of GLBA NPI. The GLBA Program Officer’s or designee’s responsibilities include oversight of institutional procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.

D. Detecting, Preventing, and Responding to Attacks

The GLBA Program Officer or designee(s) will coordinate the evaluation of procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. This includes the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by NYU. The level of monitoring will be appropriate to the potential impact and probability of the identified risks and the sensitivity of the GLBA NPI.

3. Design and Implementation of Safeguards

The GLBA Program Officer or designee(s) will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments set forth above. This review will also confirm that reasonable safeguards and monitoring are implemented by each affected department that has access to GLBA NPI. Such safeguards and monitoring may be accomplished through existing network monitoring and problem escalation procedures, and other data management practices.

4. Oversight of External Service Providers

Each affected department shall coordinate with those responsible for third-party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for GLBA NPI to which they will have access.

In addition, the GLBA Program Officer or designee(s) will work with the Office of General Counsel to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards.

A. Program Adjustments

The GLBA Program Officer or designee(s) will evaluate and adjust the Program based on risk identification and assessment activities undertaken to update the Program, as well as any material changes to NYU’s operations or other circumstances that may have a material impact on the Program.

B. Reports

The GLBA Program Officer will provide an annual Program status report to the Senior Vice President and Chief Financial Officer and to a representative of the Office of General Counsel. Information to be included in this report may be required from the affected departments.

  1. Dates of official enactment and amendments: May 22, 2003
  2. History: Last Review: February 14, 2024. Last Revision: February 14, 2024.
  3. Cross References: N/A