Safeguarding Customer Information

OFFICE RESPONSIBLE: FAO

LOCATION: STUDENT CATALOGUE AND WEBSITE

DOCUMENT LAST REVIEWED/UPDATED:  JULY 1, 2018

POLICY AND PROCEDURE LAST REVIEWED/UPDATED: JULY 1, 2018

Safeguarding Customer Information


I. Purpose.

In order to continue to protect private information and data and to comply with the Federal Trade Commission’s Safeguards Rule, which implements the applicable provisions of the Gramm-Leach-Bliley Act (GLBA), the University has adopted this Information Security Program for certain sensitive financial and related information. This security program applies to the customer financial information (covered data) that the University receives in the course of business and is required to protect under GLBA, as well as other confidential financial information the University has voluntarily chosen, as a matter of policy, to include within its scope. This document describes many of the activities the University currently undertakes, and will undertake, to maintain covered data according to legal and University requirements. It is designed to provide an outline of the safeguards that apply to this information, specifically in compliance with GLBA. The practices set forth in this document will be carried out by, and affect, diverse areas of the University.


II. Definitions

Customer means any individual who receives a financial service from the School. Customers may include students, parents, spouses, faculty, staff, and third parties.

Non-public personal information means any personally identifiable financial or other personal information, not otherwise publicly available, that the School has obtained from a customer in the process of offering a financial product or service; such information provided to the School by another financial institution; such information otherwise obtained by the School in connection with providing a financial product or service; or any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any information listed above that is not publicly available. Examples of personally identifiable financial information include names, addresses, telephone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, both in paper and electronic form.

Financial product or service includes student loans, employee loans, activities related to extending credit, financial and investment advisory activities, management consulting and counseling activities, community development activities, and other miscellaneous financial services as defined in 12 CFR § 225.28.

Covered data and information for the purpose of this Program includes non-public personal information of customers required to be protected under GLBA. In addition to this required coverage, the University chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the School, whether or not such financial information is covered by GLBA. Covered data and information includes both paper and electronic records.

III. Security Program Components

The GLBA requires that the School develop, implement, and maintain a comprehensive information security program containing the administrative, technical, and physical safeguards that are appropriate based upon the University’s size, complexity, and the nature of its activities. This Information Security Program has five components:

(1) designating an employee or office responsible for coordinating the program;

(2) conducting risk assessments to identify reasonably foreseeable security and privacy risks;

(3) ensuring that safeguards are employed to control the risks identified and that the effectiveness of these safeguards is regularly tested and monitored;

(4) overseeing service providers;

(5) maintaining and adjusting this Information Security Program based upon the results of testing and monitoring conducted as well as changes in operations or operating systems.

Safeguarding Customer Information

This program is designed to set standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

Purposes:

  • To ensure the security and confidentiality of customer information;
  • To protect against anticipated threats to the security and/or integrity of customer information;
  • To guard against unauthorized access to, or use of, customer information that could result in harm or inconvenience to any customer; and
  • To comply with the Gramm-Leach-Bliley Act and the related rules put forth by the Federal Trade Commission.

Policy for Maintaining the Security, Confidentiality & Integrity of Customer Information

Control access to rooms and file cabinets where paper records are kept.

  • Doors to office areas are to be locked during non-business hours.
  • Customer information is to be processed in work areas that are behind locked doors or in other areas not regularly accessible to the general public.
  • Guests are escorted in areas where customer information is being processed and are restricted to areas where customer information is not in plain view.
  • File cabinets used to store customer information are secured in locked areas or areas not regularly accessible to the general public.
  • The cabinets used to store promissory notes are locked during non-business hours.
  • Documents no longer needed are placed in designated secure disposal containers or shredded on site.
  • Custodial and Maintenance staff are trained to ensure secure areas remain locked and confidential information is safeguarded.
  • Building Security Guidelines are to be followed as published in the student catalogue.

Control access to information stored electronically.

  • Computer workstations accessing customer information are to be housed behind locked doors or in areas where output devices (screens, printers, etc.) cannot be seen by the general public.
  • Computer screens displaying customer information are to be locked, or at a minimum minimized, when unattended to prevent inadvertent breaches.
  • Strong passwords are to be used:
      • Network and email access: at least eight characters, including letters, numbers, and at least one special character.
      • Mainframe access: at least eight characters, including letters and numbers.
  • Computer passwords are required to be changed every 120 days.
  • User IDs, passwords, and PINs are not to be posted near or on computers.

Protect our customers’ information.

  • Requests for customer information will be responded to in accordance with FERPA guidelines.
  • Appropriate security policies will be developed and followed to ensure protection of customer information.
  • Fraudulent attempts to obtain customer information are to be reported to management, who will then report the attempt to the appropriate law enforcement agencies.

Definitions

Customer – Any student of the School, parent of a student of the School, or faculty or staff member employed by the School.

Customer Information – Any record containing nonpublic personal information about a customer of the School, whether in paper, electronic, or other form, that is handled or maintained by, or on behalf of, Buckner Barber School.

Information Security Program – The administrative, technical, or physical safeguards Buckner Barber School uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

Service Provider – Any person or entity that receives, maintains, processes, or otherwise is permitted access to Buckner Barber School’s customer information through a provision of services.

While this plan is intended to promote the security of information, it does not create any consumer, customer, or other third-party rights or remedies, or establish or increase any standards of care that would otherwise not be applicable.