
Gramm-Leach-Bliley Act Security Policy

Purpose

RISD is required to comply with the applicable portions of the Gramm-Leach-Bliley Act (GLBA) related to its capacity under the GLBA definition of a financial institution. RISD complies with the privacy requirements of the GLBA through its compliance with the Family Educational Rights and Privacy Act (FERPA).

Scope

This policy applies to all RISD employees with access to Non-Public Financial Information (NPFI) and Protected Information, including service providers who have access to RISD’s NPFI.

Policy Statement

This policy memorializes Rhode Island School of Design’s (RISD) efforts to ensure the security and confidentiality of records protected under the Gramm-Leach-Bliley Act (GLBA), through the implementation of institutional practices that protect against the unauthorized access or disclosure of protected records. This policy incorporates by reference other RISD policies pertaining to information security, including the RISP, FERPA, General Data Protection Regulation (GDPR) as referenced in RISD’s Privacy Policy, and other ITS policies specific to RISD systems.

Definitions

GLBA -- The Gramm-Leach-Bliley Act and its implementing regulations

Program Officer -- The RISD employee designated to oversee the terms of this policy. RISD’s Chief Information Officer is designated as the Program Officer pursuant to GLBA, who is responsible for coordinating the program described under this policy. The Program Officer may designate other RISD employees to oversee, coordinate, or implement this policy, as needed. Questions regarding this policy should be directed to privacy@risd.edu.

Non-Public Financial Information (NPFI) -- Non-public information provided by a RISD student or other third party to RISD, or otherwise obtained by RISD, for the purposes of obtaining a financial product or service from RISD, whether in paper, electronic, or another format.

Policy

RISD Representative

RISD’s Chief Information Officer is designated as the Program Officer pursuant to GLBA and is responsible for coordinating the program described under this policy. The Program Officer may designate other RISD employees to oversee, coordinate, or implement this policy, as needed. Questions regarding this policy should be directed to privacy@risd.edu.

Procedures

Information Security Program

  • Risk Identification & Assessment
    RISD, through its Program Officer, will identify and assess reasonably foreseeable external and internal risks to information security pertaining to NPFI, including the risks of unauthorized access, disclosure, misuse, or destruction of its NPFI and incorporating the other elements of this Program.
  • Information Systems Data Processing & Disposal
    The Program Officer and designees will coordinate with RISD departments to inventory, assess, and monitor the storage, transmission, and disposal of NPFI contained in RISD systems. The Program Officer or designee(s) will coordinate with departments to ensure compliance with proper procedures for handling and disposing of NPFI.
  • Detecting, Preventing, & Responding to Threats
    The Program Officer and designee(s), in conjunction with Risk Assessment and other departments as needed, will evaluate RISD policies, procedures, and technological safeguards for methods of detecting, preventing, and responding to threats to the RISD systems storing and transmitting NPFI. The Program Officer or designee(s) will advise as to necessary software and hardware updates, as well as recommended physical security practices for each department. RISD’s emergency response team members will coordinate with the Program Officer in the event of an emergency that impacts RISD’s protection of NPFI.
  • Service Providers
    The Program Officer, in coordination with General Counsel and all departments contracting with third party service providers who handle RISD’s NPFI, will select third party service providers who are capable of providing reasonable, appropriate safeguards under GLBA. RISD will collect and maintain copies of service provider contracts containing representations regarding the secure handling of NPFI. Where possible, RISD contracts will contain standardized language pertaining to the secure handling of NPFI.
  • Employee Education
    The Program Officer shall develop or identify training materials that support compliance with RISD information security practices under GLBA, and will make these materials available to management employees for the purposes of training employees who handle NPFI.
  • Review & Assessment
    The Program Officer, in conjunction with General Counsel, Risk Management, Student Financial Services, and other departments as needed, will periodically evaluate and assess the risk to RISD’s data security systems and practices, and will recommend and implement changes to RISD data security policies, protections, and practices when appropriate.

Revision history

As necessitated by law

Responsibilities

Issuing Office

Information Technology Services

Responsible Officer

Chief Information Officer

Individuals/offices required for review and changes

Senior Vice President, Finance and Information

Director of Risk and Compliance

Office of the General Counsel

Director of Student Financial Services

Controller