GLBA (The Gramm-Leach-Bliley Act)
The Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999 and directly affects financial institutions, including insurance companies and agencies. At the heart of GLBA is a requirement that financial institutions provide a privacy notice to their customers and restrict what non-public personal information (NPI) they share about customers with third parties. Financial institutions are also required to provide security and integrity of customers' NPI by way of physical and electronic means.
While Tennessee College of Applied Technology Shelbyville is primarily an educational institution and its areas covered by GLBA are few, the TCAT-Shelbyville is committed to satisfying the law in all its financial processes. This site provides detailed information on TCAT-Shelbyville policies and procedures designed to facilitate compliance with GLBA.
Report complaints and potential violations to :
Laura Monks, President Laura.Monks@tcatshelbyville.edu
Brandon Hundson, Vice President - Brandon.Hudson@tcatshelbyville.edu
Leslie Martin, Student Services Coordinator- Leslie.Martin@tcatshelbyville.edu
Steve Mallard, IT Manager- Steve.Mallard@tcatshelbyville.edu
GLBA: Who's Covered
Office of Financial Aid (Student Services)
Office of Information Technology (Electronic Records-Student Information Management)
Release of Student Information Policy
Family Education Rights and Privacy Act (FERPA) of 1974
Because you have access to confidential information on the integrated student data base, it is important for you to be aware of federal regulatoins and Technology Center policy as they relate to dissemination of various types of information. The Family Educational Rights and Privacy Act (FERPA) of 1974 governs the release, review and dissemination of a student's education records.
Generally, you must have written permission from the parent or eligible student before releasing any information from a student's education records. However, federal law does allow schools to disclose records without consent, to the following parties:
School employees who have a need to know
Other schools to which a student is transferring
Parents when a student over 18 is still dependent
Certain government officials in order to carry out their responsibilities
Appropriate parties in connection with financial aid for a student
Organizations doing research for the school
Individuals with court orders or subpoenas for the records
Persons who need to know in cases of health and safety emergencies
GLBA: Required Information Security Program
PROGRAM: Gramm-Leach-Bliley Act (GLBA) Required Information Security Program
STATEMENT: This document summarizes the Tennessee College of Applied Technology Shelbyville’s comprehensive written information security program mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm–Leach–Bliley Act (GLBA).
APPLICABILITY: The GLBA Information Security Program applies to any record containing nonpublic financial information about a student or other third party who has a relationship with Tennessee College of Applied Technology Shelbyville, whether in paper, electronic or other form, which is handled or maintained by or on behalf of Tennessee College of Applied Technology Shelbyville or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from Tennessee Technology Center at Shelbyville, (ii) about a student or other third party resulting from any transaction with Tennessee Technology Center at Shelbyville involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
Financial Service: A "Financial Service" is defined by federal law to include, but not be limited to, such activities as the lending of money; investing for others; providing or underwriting insurance; giving financial, investment or economic advisory services; marketing securities and the like.
GUIDING PRINCPLES/PURPOSE: In particular, this document describes the elements of the GLBA Information Security Program pursuant to which Tennessee College of Applied Technology Shelbyville intends to (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. The GLBA Information Security Program incorporates by reference Tennessee Technology Center at Shelbyville’s policies and procedures enumerated below, and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, without limitation, FERPA.
RESPONSIBILITY(IES): Tennessee College of Applied Technology Shelbyville’s Technology Center IT Manager (IT Manager) with overall responsibility for overseeing Technology Center information security is responsible for coordinating and overseeing the information security program. Consistent with the Technology Center Information Security Policy, the IT Manager may designate other representatives of Tennessee Technology Center at Shelbyville to oversee and coordinate particular elements of the GLBA Information Security Program. Any questions regarding implementation or the interpretation of this document should be directed to the IT Manager or his/her designees.
ADMINISTRATION AND IMPLEMENTATION:
1. Risk Identification and Assessment. Tennessee College of Applied Technology Shelbyville intends, as part of the GLBA Information Security Program, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In implementing the GLBA Information Security Program, the IT Manager or his/her designee will establish procedures for identifying and assessing such risks in each relevant area of Tennessee Technology Center at Shelbyville’s operations, including:
Employee training and management. The IT Manager will coordinate with representatives in Tennessee College of Applied Technology Shelbyville’s Financial Aid offices to evaluate the effectiveness of the Technology Center’s procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of Tennessee Technology Center at Shelbyville’s current policies and procedures in this area, including:
Release of Student Information Policy
Information Systems and Information Processing and Disposal - The IT Manager will assess the risks to nonpublic financial information associated with Tennessee College of Applied Technology Shelbyville’s information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. These risks will be evaluated in view of Tennessee Technology Center at Shelbyville’s Computer Systems Acceptable Use Policy, the Technology Center Information Security Policy and the Records Retention Policy.
Detecting, Preventing and Responding to Attacks - Consistent with the provisions of the Technology Center Information Security Policy, the IT Manager and/or his/her designee will evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. The IT Manager may elect to delegate to local information security personnel the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by Tennessee College of Applied Technology Shelbyville.
2. Designing and Implementing Safeguards - The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The IT Manager, in collaboration with the Tennessee Board of Regents, will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
3. Overseeing Service Providers - The IT Manager or his/her designee shall coordinate with those responsible for the third party service procurement activities among IT and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the IT Manager will work with the Tennessee Board of Regents, Administration and Student Services to develop and incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the Tennessee Board of Regents.
4. Adjustments - The IT Manager is responsible for evaluating and adjusting the GLBA Information Security Program based on the risk identification and assessment activities undertaken, as well as any material changes to Tennessee College of Applied Technology Shelbyville’s operations or other circumstances that may have a material impact it.
ENFORCEMENT: As described in the College Information Security Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including suspension of services or termination of employment.
RESOURCE(S): The College Information Security Policy, the Records Retention Policy and Computer Systems Acceptable Use Policy.
REVIEW CYCLE: This program will be reviewed and updated as needed, at least annually, based on the recommendations of the College IT Manager or Director.
TRAINING: Faculty and Staff will review confidentiality policies and procedures and be trained on an annual basis.
PROTECTION: All records will be locked in a secure room and will be locked in filing cabinets. All Electronic records will be locked in the server room.
Access will only be granted to Administration, Student Services or the IT Department.
All Electronic records are protected by a Disaster Recovery Program that includes the use of NAT, Firewalls and Network Intrusion Detection to include logging on each computer. Any breach will be reported to the Director or Student Services Immediately.