Gramm-Leach-Bliley Act Plan
This document summarizes St. Olaf’s written information security program, as mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA). Procedures are in place at St. Olaf and at third parties hired by St. Olaf to ensure the security and confidentiality of covered records and to protect against hazards and unauthorized access to nonpublic personal information (NPI) as defined by the GLBA. The same safeguards that the statute requires for NPI are applied to all confidential data.
NPI is defined as any sensitive data or information the college obtains in connection with, or as a result of, providing a financial product or service to an individual. NPI does not include information that we have a reasonable basis to believe is lawfully made “publicly available.” Information is not NPI when you have taken steps to determine:
- That the information is generally made lawfully available to the public; and
- That the individual can direct that it not be made public and has not done so.
St. Olaf College data custodians have identified where NPI and other confidential data are accessed or held in their immediate area of responsibility, in both paper and electronic form. Risks were identified and assessed, and recommendations for achieving compliance were implemented.
Protected data can include, but is not limited to, tax return information, bank and credit card account numbers, income and credit histories, and Social Security numbers. As part of its plan, St. Olaf has done the following:
- Identified and listed NPI and other confidential data that needs to be safeguarded.
- Identified and assessed the risks to customer information in each relevant area of the college’s operation, and evaluated the effectiveness of the current safeguards for controlling unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
- Designed and implemented a safeguards program, and regularly monitors and tests it.
- Selected appropriate service providers and added addenda to their contracts requiring them to implement a comparable information security plan.
- Evaluated and adjusted the program in light of relevant circumstances, including changes in the college’s contractors and operations, and the results of testing and monitoring of safeguards.
Employee Responsibilities and Training
Each employee must understand, complete, and sign the Information Confidentiality and Security Agreement each year as part of their annual review. Employees are provided with the training needed to understand which information is considered protected, which information is considered confidential, and the required safeguarding procedures for each. The agreement/checklist has sections on:
- Paper record handling
- Electronic records
- Access and notifications
- Supervisor responsibilities
Supervisor Responsibilities and Training
Each supervisor must understand, complete, and sign a document acknowledging their responsibilities for data security. This checklist ensures that managers in each area are aware that they are responsible for:
- Compliance with GLBA rules
- Performing tests to assess the effectiveness of policies and procedures, with emphasis on risk assessment of new business processes
- Proactively making changes to procedures where necessary
- Reviewing the list of confidential data elements to identify new elements or eliminate the use of old ones
- Collecting Employee Confidentiality and Security Agreements as part of each employee’s review, answering any questions employees may have, and making sure employees receive the training they need
- Immediately reporting breaches in security
Securing Information
St. Olaf has reviewed all of the following areas of its operations:
- Employee Management and Training. Training is available for new managers and employees. Annual checklists augment initial training, require risk assessments of any new procedures and data, and monitor and test safeguards.
- Information Systems. IIT has adopted a Systems Administrator Policies document that outlines the procedures and policies IIT staff abide by. These policies encompass a wide range of security procedures and practices. Overall responsibility for this area is delegated to the IIT Director.
- Managing System Failures. IIT has a disaster and emergency response document that is currently being updated. Responsibility for this function rests mainly with the IIT Director, although managers are required to work out the details of disaster recovery and business continuity plans for their own areas.
Security Officer
The Security Officer for GLBA at St. Olaf is the Controller. Responsibility for information system hardware and software has been delegated to the IIT Director. Program Officers for HIPAA, FERPA, and GLBA work with the IIT Director to produce and maintain a comprehensive security plan and coordinated training programs.
Reference Documents:
Employee training materials: http://www.stolaf.edu/offices/treasurers/XXXXX
Supervisor training materials: http://www.stolaf.edu/offices/treasurers/XXXXX
HIPAA Information Security Plan: http://www.stolaf.edu/services/hr/hipaa/index.html
FERPA Information Security Plan: http://www.stolaf.edu/offices/registrar/ferpa.html
Technology Policies: http://www.stolaf.edu/services/iit/policies/