Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is a federal law that applies to financial institutions and includes privacy and information security provisions designed to protect consumer financial data. It applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing personally identifiable information. GLBA regulations include both a Privacy Rule (16 CFR 313) and a Safeguards Rule (16 CFR 314), both of which apply to educational institutions. Universities are deemed in compliance with the GLBA Privacy Rule if they maintain compliance with the Family Educational Rights and Privacy Act (FERPA) (see TAMU-CC’s FERPA compliance information). The following summarizes Texas A&M University-Corpus Christi’s program as it relates to the GLBA Safeguards Rule.
The University will implement and maintain a comprehensive Information Security Program. The Program will include administrative, technical, and physical safeguards implemented based on risk. These safeguards may be included in existing University rules, policies and procedures as well as the implementation of the Security Control Catalog [PDF].
GLBA Program Elements
- Designation of Responsibility: As defined in University Policy 29.01.99.C1, the Chief Information Security and Privacy Officer (CISPO) is responsible for coordinating and overseeing the University Information Security Program, including elements related to GLBA. Any questions regarding the implementation of the program or the interpretation of this document should be directed to the CISPO.
- Risk Assessment: The University will conduct periodic risk assessments to identify and assess the risks to the security and confidentiality of university data. Appropriate updates to the Information Security Program shall be made based on the results of these assessments. See Cybersecurity Control Standards RA-3 Risk Assessment.
- Regular Security Testing: Regular security testing and assessments, such as vulnerability assessments and penetration testing, should be conducted to identify and address vulnerabilities and weaknesses in the security program. See Cybersecurity Control Standards PM-6 Measures of Performance and PM-14 Testing, Training, and Monitoring.
- Ongoing Monitoring: Continuous monitoring of the information security program is essential to detect and respond to security threats and vulnerabilities promptly. See Cybersecurity Control Standards PM-6 Measures of Performance and PM-14 Testing, Training, and Monitoring.
- Incident Response Plan: The University maintains an incident response plan to address any security incidents or data breaches. A copy of the Incident Response Plan shall be maintained by Information Technology. See Cybersecurity Control Standards Incident Response Controls Family (IR-1 through IR-9).
GLBA Program Safeguards
- Access Controls: Access to university data will be restricted to authorized personnel who require access as part of their job responsibilities. Access controls, including user authentication and authorization, will be implemented and regularly reviewed. See Cybersecurity Control Standards Access Controls Family (AC-1 through AC-22) and Identification and Authentication Controls Family (IA-1 through IA-11).
- System and Data Inventory: IT shall maintain an inventory of the systems and data used for critical business functions. See Cybersecurity Control Standards PM-5 Systems Inventory.
- System Development and Acquisition: The University shall adopt secure development practices for all in-house development. Formal processes are in place for acquisition that include appropriate security evaluations. See Cybersecurity Control Standards System and Services Acquisition Controls Family (SA-1 through SA-22).
- Multi-Factor Authentication: The University shall implement Multi-factor Authentication (MFA) for privileged and non-privileged accounts. See Cybersecurity Control Standards IA-2(1) Multi-factor Authentication to Privileged Accounts and IA-2(2) Multi-factor Authentication to Non-Privileged Accounts.
- Data Encryption: Appropriate data encryption shall be employed for sensitive financial data. See Cybersecurity Control Standards SC-13 Cryptographic Protections.
- Employee Training: All employees receive Information Security Awareness (ISA) training upon hire and again annually. See Cybersecurity Control Standards AT-2 Security Awareness and Training.
- Third-Party Service Providers: Third-party service providers shall be required to enter into written contracts that include provisions for safeguarding university data and maintaining compliance with applicable laws and regulations. See Cybersecurity Control Standards SA-4 Acquisition Process.
- Records Retention and Disposal: The University has established a records retention and disposal process in accordance with Texas A&M University System records management regulation 61.99.01 and applicable Texas records management law; further implementation details are available in 61.99.01.C0.01. Proper disposal of all physical media shall be documented and processed by Information Technology. See Cybersecurity Control Standards SR-12 Component Disposal.
- Change Management: Changes to University production systems shall be documented, reviewed, tested and approved prior to implementation. See Cybersecurity Control Standards CM-4 Impact Analyses and CM-5 Access Restrictions for Change.
- Event Logging: The University shall implement appropriate monitoring and logging on systems to detect unauthorized access to and modification of data. See Cybersecurity Control Standards Accountability Audit and Risk Management Controls Family (AU-1 through AU-12).
Policy Effective Date: December 5, 2024