Gramm-Leach-Bliley Act Security Policy
RISD is required to comply with the applicable portions of the Gramm-Leach-Bliley Act (GLBA) related to its capacity under the GLBA definition of a financial institution. RISD complies with the privacy requirements of the GLBA through its compliance with the Family Educational Rights and Privacy Act (FERPA).
This policy applies to all RISD employees with access to Non-Public Financial Information (NPFI) and Protected Information, including service providers who have access to RISD’s NPFI.
GLBA -- The Gramm-Leach-Bliley Act and its implementing regulations
Program Officer -- The RISD employee designated to oversee the terms of this policy.
Non-Public Financial Information (NPFI) -- Non-public information provided by a RISD student or other third party to RISD, or otherwise obtained by RISD, for the purposes of obtaining a financial product or service from RISD, whether in paper, electronic, or another format.
RISD’s Chief Information Officer is designated as the Program Officer pursuant to GLBA and is responsible for coordinating the program described under this policy. The Program Officer may designate other RISD employees to oversee, coordinate, or implement this policy, as needed. Questions regarding this policy should be directed to email@example.com.
Information Security Program
- Risk Identification & Assessment
RISD, through its Program Officer, will identify and assess reasonably foreseeable external and internal risks to the security of NPFI, including the risks of unauthorized access, disclosure, misuse, or destruction of its NPFI, and will incorporate the other elements of this Program into that assessment.
- Information Systems Data Processing & Disposal
The Program Officer and designees will coordinate with RISD departments to inventory, assess, and monitor the storage, transmission, and disposal of NPFI contained in RISD systems. The Program Officer or designee(s) will coordinate with departments to ensure compliance with proper procedures for handling and disposing of NPFI.
- Detecting, Preventing, & Responding to Threats
The Program Officer and designee(s), in conjunction with Risk Assessment and other departments as needed, will evaluate RISD policies, procedures, and technological safeguards for methods of detecting, preventing, and responding to threats to the RISD systems storing and transmitting NPFI. The Program Officer or designee(s) will advise as to necessary software and hardware updates, as well as recommended physical security practices for each department. RISD’s emergency response team members will coordinate with the Program Officer in the event of an emergency that impacts RISD’s protection of NPFI.
- Service Providers
The Program Officer, in coordination with General Counsel and all departments contracting with third party service providers who handle RISD’s NPFI, will select third party service providers who are capable of providing reasonable, appropriate safeguards under GLBA. RISD will collect and maintain copies of service provider contracts containing representations regarding the secure handling of NPFI. Where possible, RISD contracts will contain standardized language pertaining to the secure handling of NPFI.
- Employee Education
The Program Officer shall develop or identify training materials that support compliance with RISD information security practices under GLBA, and will make these materials available to management employees for the purposes of training employees who handle NPFI.
- Review & Assessment
The Program Officer, in conjunction with General Counsel, Risk Management, Student Financial Services, and other departments as needed, will periodically evaluate and assess the risk to RISD’s data security systems and practices, and will recommend and implement changes to RISD data security policies, protections, and practices when appropriate.
As necessitated by law
Information Technology Services
Chief Information Officer
Individuals/offices required for review and changes:
- Senior Vice President, Finance and Information
- Director of Risk and Compliance
- Office of the General Counsel
- Director of Student Financial Services