OVERVIEW

Pursuant to the Gramm Leach Bliley Act (GLBA) Safeguards Rule codified at 16 CFR 314, the Federal Trade Commission required institutions handling non-public customer information to adopt an Information Security Program no later than June 9, 2023 and develop, implement, and maintain safeguards to protect the security, confidentiality, and integrity of customer financial records and related non-public personally identifiable financial information. Certain activities conducted by Lake Forest College are subject to the GLBA. The GLBA does not contain an exemption for colleges or universities.

1. PURPOSE

To ensure that all required elements are in place for Lake Forest College to be fully compliant with the Gramm-Leach Bliley Act (GLBA) including the Federal Trade Commission’s (FTC’s) Safeguards Rule, it is essential to adhere to the most recent regulatory requirements. The full text of Part 314 – Standards for Safeguarding Customer Information can be found on the Code of Federal Regulations website. The effective date of Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) was June 9, 2023. Additionally, as of May 13, 2024, the Final Rule required mandatory reporting to the FTC for security events involving Covered Data. This rule mandates that non-banking financial institutions notify the FTC within 30 days of discovering any breach that involves unauthorized acquisition of unencrypted customer information affecting 500 or more consumers.

2. SCOPE

This policy applies to any division, department or business unit of Lake Forest College, any Service Provider of Lake Forest College, and any Related Entities of Lake Forest College, that collects, stores or processes Covered Data in connection with the delivery of Financial Services (as defined below in this Policy). This obligation is in addition to any other College policies and procedures adopted pursuant to international law or U.S. federal and state laws and regulations for the protection of personal data, including the Family Educational Rights and Privacy Act (FERPA).

3. HISTORY

The Gramm-Leach Bliley Act (GLBA) enacted in 1999 is a regulation under the Federal Trade Commission (FTC) that requires financial institutions to be transparent about information-sharing practices and to safeguard sensitive information. It is comprised of three rules:

1. The Pretexting Rule is designed to counter identity theft; the College must have mechanisms in place to detect and mitigate unauthorized access to personal, non-public information (such as impersonating a student to request private information by phone, email, or other media.)
2. The Privacy Rule is designed to govern the collection and disclosure of customers’ personal financial information by financial institutions.
3. The Safeguards Rule is designed to ensure the administrative, technical, and physical safeguarding of personal, non-public customer information. The Safeguards Rule requires the College to develop, implement, and maintain a Comprehensive Information Security Program (or "CISP") containing administrative, technical, and physical safeguards that are appropriate for the size, complexity, and nature of its activities, in order to:
   • Ensure the security and confidentiality of customer records and information.
   • Protect against any anticipated threats or hazards to the security or integrity of such records.
   • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

While GLBA has been around for years, its impact increased for colleges and universities when the Office of Management and Budget (OMB) released the Compliance Supplement in July 2019, containing a new audit objective designed to assess institutional compliance and to ensure higher education institutions adhered specifically in their collection, storage, and use of student financial records containing Personally Identifiable Information (PII.)

In December 2021, the FTC revised the Safeguards Rule. Many of the provisions went into effect 30 days later, and other requirements were effective Dec. 9, 2022. Finally, the FTC provided a six-month extension through June 9, 2023. At a virtual Federal Student Aid conference in December 2022, the Department of Education Office of Inspector General informed institutions about the changes to the Safeguards Rule and the requirements for compliance in the single audit/federal awards program audit. The Department of Education then issued Publication GENERAL-23-09 on February 9, 2023 to provide clear guidance to higher educational institutions.

4. COVERED DATA TYPES

By way of example, the type of Covered Data regulated by the GBLA includes (but is not limited to) the following:

• Information provided by an applicant or student to obtain a loan or extension of credit from the College, a private lender, or the federal government;
• Information provided by a student to regularly receive refunds or make payments by wire transfer or debit card;
• Information from a consumer report regarding a student to receive a loan;
• Information from an employee or student to license real property from the College;
• Account balance information, payment history, overdraft history, and credit or debit card purchase information;
• Any information provided by a student in connection with collecting on or servicing an account;
• Personal information collected through an internet cookie for the provision of Financial Services (as defined below) by the College.

5. RESPONSIBLE DIVISIONS

The following divisions within the College handle Covered Data in the delivery of services:

• Enrollment (Admissions, Financial Aid, Student Accounts)
• Advancement Office
• Finance & Institutional Planning (Human Resources)
• Information Technology Services
• Campus Life (including Residence Life, Health and Wellness, & Athletics)
• Academic Affairs (including the Registrar's Office)
• Career Advancement Center

6: PROGRAM REQUIREMENTS

As of December 9, 2021, the Gramm-Leach Bliley Act (GLBA) Safeguards Rule mandates that institutions and servicers under FTC jurisdiction are required to develop, implement, and maintain a written, comprehensive information security program. The FTC’s regulations require that the information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.

An institution or servicer’s written information security program must include the following nine elements per FTC regulations:

Element 1: Designates a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information security program (16 C.F.R. 314.4(a)).

Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).

Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).

Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).

Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).

Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).

Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program (16 C.F.R. 314.4(g)).

Element 8: Addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).

Element 9: Addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).

7: COMPREHENSIVE INFORMATION SECURITY PROGRAM

This policy shall serve as the College’s “comprehensive, written information security program” as it pertains to GLBA, but may be augmented by other College policies and non-public documents, including but not limited to the Information Security Policy, the Technology Procurement & Vendor Management Policy, the Computing Device Lifecycle Policy, the Change Management Policy, and the Incident Response Plan. The College will maintain GLBA compliance through the following efforts, activities, policies, and procedures:

7.1 Element 1: Qualified Individual: The position of Information Security Manager (ISM) is designated as the Qualified Individual responsible for implementing, overseeing, and enforcing the College’s ‘Comprehensive, Written Information Security Program’ in full compliance with 16 C.F.R. 314.4(a), ensuring regular reviews and updates to the program and reporting directly to the Vice President for Information Technology and Chief Information Officer (VPIT/CIO) on compliance matters. The ISM shall have authority to implement the Information Security Plan, enforce security measures and ensure compliance across all departments as required under GLBA.

7.2 Element 2: Risk Assessment: The College shall identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Data that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise. Risk assessment and management processes are detailed in Section 3 of the College’s Information Security Policy, which establishes a risk-based approach, including risk categorization and prioritization strategies, use of a Risk Register, and defined responsibilities for the VPIT/CIO and ISM. Further:

• Identified risks that pertain to GLBA-regulated Covered Data will follow the risk scoring methodology outlined in Section 3.1 of the Information Security Policy and will be prioritized for remediation based on their severity as follows:
  • Critical: < 90 days
  • High: < 180 days
• Risks pertaining to GLBA-regulated Covered Data categorized as Medium or Low will be prioritized for remediation at the discretion of the VPIT/CIO or ISM, subject to institutional priorities and available resources.
• Risk assessments and remediation strategies will be updated in response to emerging threats, material changes in the operating environment, and any findings identified in the activities outlined in section 7.2.1 in alignment with GLBA requirements for continuous program adjustments.
• Risks may be accepted only when mitigating controls are determined sufficient and approved by the VPIT/CIO.

The Information Security Risk Register, maintained as outlined in the Information Security Policy, will track and document all risks relevant to GLBA compliance. The VPIT/CIO and ISM will promptly endeavor to address any identified risks specifically related to GLBA-regulated data in accordance with federal regulations and internal policies.

7.2.1 Risk assessment activities and frequency:

• Annually: In alignment with GLBA requirements, the ISM will be performing the annual information security risk assessments. Reports generated from these assessments will be shared with the VPIT/CIO and other members of the Information Security Team (IST) and any identified risks or vulnerabilities will be prioritized for remediation, mitigation, or additional compensating controls based on their severity. The ISM shall be responsible for updating the information security risk register, and tracking remediation efforts.
• Monthly: Every effort is made for the Information Security Team (IST) to meet on at least a monthly basis to discuss current status, risk-reduction priorities, cybersecurity projects, and other operational improvements that strengthen the cybersecurity posture of the College, reduce risk to the organization, and enhance the effectiveness of administrative and technical safeguards. The ISM is responsible for these meetings. The College will also utilize a modern vulnerability scanning solution, either internally or vendor-provided, and perform regular automated scans of its servers and network. These scans will occur on a monthly basis at a minimum. The ISM shall be responsible for evaluating, scoring, and adding vulnerabilities identified by these scans to the Information Security Risk Register.
• Continually: The College shall utilize a Security Information Event Manager (SIEM), Security Orchestration and Response (SOAR), or similar continuous monitoring solution, either internally or vendor-provided, which as much as possible with limited resources, will:
  • Ingests logs from College IT systems, infrastructure, and endpoints,
  • Perform User and Entity Behavior Analysis (UEBA) or similar automated processing to identify suspicious and/or unusual behavior in systems or on the network, and
  • Flag these events or otherwise alert employees for further review.

The ISM shall be responsible for daily communication, coordination, and execution of these continuous monitoring services, communication of any significant detections to the IST, development of strategies to address identified issues, and overseeing the effectiveness of the solution. This continuous, enhanced monitoring with automated incident detection and near-real-time alerting serves as a compensating control for other limitations, such as constrained storage which limits how long logged events can be retained.

7.3 Element 3: Design and implement safeguards: To maintain GLBA compliance, the College is expected to successfully design, implement, and maintain safeguards across each of the eight sub-elements under Element 3. These safeguards are developed with a risk-based approach and are guided by broader information security frameworks, including NIST SP 800-171, which provides comprehensive controls for safeguarding controlled unclassified information. This alignment ensures that the College’s data protection practices not only fulfill GLBA requirements but also uphold industry standards, supporting a comprehensive and adaptable security posture.

7.3.1 Element 3.1: Implement and periodically review access controls: As part of its risk assessment activities, the College will endeavor to perform annual reviews of access controls, with supplemental event-driven reviews conducted after any significant system changes or security incidents. User access logs will be continually monitored to detect unauthorized access, with any significant findings reported to senior leadership, and logs shall be retained for a minimum period of six months. Other specifics on GLBA-compliant role-based access controls, alignment to the Principle of Least Privilege, and College auditing processes may be found in Section 5 of the College Information Security Policy.

7.3.2 Element 3.2: Periodically inventory Covered Data in all its forms and on all systems: The College is expected to maintain an inventory of systems which collect, process, store, or otherwise handle Covered Data whether they are on premises or cloud-hosted service provider platforms. This inventory will be reviewed and updated annually to ensure alignment with the College’s risk management strategy and business objectives, with supplemental updates to the inventory to be performed when significant changes occur, such as new systems or services being introduced, or following major operational changes. Any gaps or risks identified during the annual review will be addressed promptly and reported to senior leadership.

7.3.3 Element 3.3: Encrypt Covered Data in storage, in transit, and in use: The College shall protect GLBA Covered Data using encryption requirements for both data in transit and at rest, in alignment with all aspects of the College’s Encryption Policy, which may be found in Section 5.3 of the Information Security Policy.

7.3.4 Element 3.4: Implement secure development practices for internal applications: To protect GLBA-regulated Covered Data, the College will strive to follow secure development practices throughout the application lifecycle for all internally developed software. These practices include threat modeling, code review, and vulnerability assessments at key stages of development and before deployment. Secure coding principles, aligned with industry standards, will guide developers in mitigating risks associated with data handling and access control. Development processes will incorporate continuous security testing and monitoring, ensuring that potential vulnerabilities are identified and addressed proactively.

7.3.5 Element 3.5: Implement strong authentication such as Multi-Factor Authentication (MFA): The College expects all systems handling PI and/or regulated Covered Data to utilize Single Sign-On (SSO) with adaptive, risk-based Multi-Factor Authentication (MFA) to protect institutional IT systems, ensuring consistent and comprehensive security for GLBA-regulated Covered Data. This centralized approach ensures that almost every access point to College resources—whether on-premises or remote—is governed by strong authentication requirements that adapt based on risk. Exceptions to this policy – primary for legacy systems or those addressing a specific business need – are rare, approved by the VPIT/CIO, documented, and have compensating controls around authentication and/or access implemented, such as independent MFA, VPN requirements, etc. The implementation of SSO with adaptive MFA includes the following practices:

• Conditional Access Policies: All user access requests are evaluated through Conditional Access policies, which apply additional authentication requirements based on contextual factors such as location, device type, and user behavior analytics. This helps ensure that high-risk access scenarios trigger stronger authentication protocols.
• Uniform Application of MFA: MFA is enforced uniformly across all first and third-party IT systems that store, process, or otherwise handle GLBA-regulated data. This approach eliminates inconsistencies and reduces the risk of unauthorized access.
• Regular Assessment of Authentication Controls: The ISM conducts annual reviews of the SSO and MFA infrastructure, testing the effectiveness of Conditional Access policies and ensuring alignment with evolving security standards. Any significant findings or recommended updates will be documented in the Information Security Risk Register and communicated to senior leadership.
• User Training and Compliance Audits: To ensure consistent usage of SSO and MFA, the College does not grant individuals exceptions to these secure authentication policies. Automated, continual monitoring verifies compliance, and risky activities flagged by the monitoring tools will be evaluated and addressed promptly.

By implementing comprehensive SSO with adaptive MFA across the enterprise, the College ensures that GLBA-regulated Covered Data is protected by strong and dynamic authentication controls, meeting and exceeding industry standards.

7.3.6 Element 3.6: Dispose of Covered Data securely: For GLBA compliance purposes, Lake Forest College shall make every effort to dispose of customer information within two years of last expected use except when there are documented, legitimate business or regulatory reasons for retention. These requirements are outlined in Sections 6.3 and 6.6 of the Information Security Policy, which specify both disposal timelines and procedures for documenting retention extensions. The policy also requires all electronic and paper records containing Covered Data be disposed of through secure methods to prevent unauthorized access. The ISM coordinates with the Director of Enterprise Systems in overseeing the secure disposal process, ensuring it meets GLBA standards, and is periodically reviewed for compliance with evolving best practices.

7.3.7 Element 3.7: Enforce Change Management controls to continually evaluate whether IT infrastructure changes may compromise designed security controls: To comply with GLBA requirements, the College employs Change Management controls that evaluate and document the security implications of any modifications to IT systems affecting Covered Data. As outlined in the College’s Change Management Policy, these controls ensure that all changes are formally reviewed, approved, and tested to prevent unauthorized access or disruption to systems handling GLBA-regulated data. Continuous evaluation of high-impact and emergency changes includes compliance reviews to verify ongoing adherence to GLBA standards. Refer to Section 6.8 of the Change Management Policy for additional guidance on post-change reviews and accountability for regulatory compliance.

7.3.8 Element 3.8: Log and monitor systems storing, processing, or handling Covered Data to detect unauthorized access: The College will ensure systems storing, processing, or handling GLBA-regulated Covered Data are configured for comprehensive logging and monitoring of user activity whenever such options are available with the system in use. In alignment with the College's Continuous Monitoring Policy ( Information Security Policy, Section 5.4), automated monitoring and analytics will identify and flag suspicious activities for immediate human review. Additional controls are in place to detect unauthorized access or anomalous behavior by authorized users accessing Covered Data. The College’s SIEM enables near real-time alerts for high-risk incidents involving GLBA-regulated data, ensuring rapid response and safeguarding the integrity of Covered Data.

7.4 Element 4: Monitor and Test Safeguards: The College regularly monitors systems that store, process, or handle GLBA-regulated Covered Data through contin behavior analysis, as outlined in Section 5.4 of the Information Security Policy. Weekly vulnerability assessments and annual penetration testing, detailed in Sections 5.7 and 5.8, evaluate the effectiveness of the College’s technical and administrative security controls. Findings from these assessments, along with remediation actions, are documented and tracked to completion in the Information Security Risk Register. High-risk vulnerabilities are prioritized to proactively detect unauthorized access, assess risks, and maintain robust security safeguards in alignment with GLBA requirements.

7.5 Element 5: Implement policies and procedures to ensure qualified personnel and ongoing security awareness training: To support its information security program and align with GLBA standards, Lake Forest College operates a cybersecurity security awareness and training (CSAT) program (see Information Security Policy, Section 10). The College fulfills Element 5 requirements as follows:

• Security Awareness Training: Annual cybersecurity training is mandatory for all personnel. The VPIT/CIO and ISM review the training to ensure it remains appropriate to evolving threats and selects or creates content in response to the College's risk assessment findings.
• Qualified Information Security Personnel: The College designates qualified personnel to manage and oversee the information security program, including the ISM and VPIT/CIO. These roles are regularly evaluated to ensure qualifications align with evolving requirements.
• Ongoing Training and Threat Knowledge: Key personnel involved in information security receive ongoing role-specific training to remain knowledgeable about current and emerging threats. This includes training on updated countermeasures and technologies relevant to the College’s security environment.

7.6 Element 6: Service Provider Oversight: To comply with GLBA requirements, Lake Forest College implements a thorough vetting process for all service providers handling Covered Data. The College’s Technology Procurement and Vendor Management Policy requires risk-based assessments of service providers, with higher scrutiny applied to vendors handling sensitive information (see Sections 3.2 and 5.6). Contracts include provisions for security safeguards, data handling practices, ongoing monitoring for unauthorized access or suspicious activities, and incident response requirements, and service providers with access to GLBA-regulated data are expected to be reassessed at every contract renewal to ensure they maintain adequate safeguards. Any significant findings from these assessments, along with remediation actions, are documented and tracked to completion in the Information Security Risk Register.

7.7 Element 7: Adjustments to Program: The College endeavors to continually evaluate and adjust its information security program in direct response to annual risk assessments, weekly vulnerability scans, testing and monitoring, and as any material changes in operations, regulatory requirements, or external threat conditions occur. As part of this adaptive approach, the ISM and VPIT/CIO will review and analyze these testing results to identify and implement any necessary modifications to administrative and technical safeguards, ensuring they address newly identified threats or vulnerabilities. Additionally, any material changes to the College’s operations, business arrangements, or IT infrastructure will prompt the ISM and VPIT/CIO to reassess and adjust security measures, ensuring alignment with the College’s risk management goals and compliance with GLBA standards. This continuous improvement process includes tracking adjustments and remediations through the Information Security Risk Register, with periodic reviews to maintain a security posture responsive to evolving risks.

7.8 Element 8: Incident Response Plan: The College maintains a comprehensive Incident Response Plan (IRP) to ensure a prompt and effective response to any security event impacting the confidentiality, integrity, or availability of GLBA-regulated customer information. The IRP outlines clear goals, internal processes, and defined roles and responsibilities, including decision-making authority for key personnel involved in incident response. The IRP further includes guidelines for internal and external communications, information sharing, and requirements for remediating weaknesses identified in information systems and controls. All incident response activities are documented comprehensively, and a post-incident review is conducted to evaluate and update the IRP as necessary, ensuring continual improvement in incident response capabilities.

7.9 Element 9: Annual Reporting: The ISM shall provide the VPIT/CIO with a written annual Information Security & Compliance report. This report will include a comprehensive assessment of the College's overall status in complying with the GLBA requirements and material updates on risk assessments, risk management and control decisions, service provider arrangements, ongoing testing and monitoring results, any significant security events, and the College’s corresponding response efforts. The report will also include any recommendations for program improvements in light of emerging risks, material changes to operational practices, or regulatory changes.

7.9.1 Annual Leadership Advisory: The VPIT/CIO and/or their designated appointee, upon reviewing the report, will review and present a summary of key findings to the College’s Executive Leadership Team,and if needed, the Board of Trustees. This ensures that the College’s senior leadership is fully informed of the status and needs of the Information Security Program, supporting transparency and strategic alignment at the highest levels.

7.9.2 Continual Improvements: This Policy and the associated Plan shall be subject to periodic review, evaluation, and adjustment. The College shall update the Information Security Program based on the ISM’s annual assessment, results of ongoing testing and monitoring, risk assessment findings, and any material changes in operations or external circumstances that could impact the effectiveness of existing safeguards. Adjustments might be necessary or advisable due to changes in technology, increases or decreases in the sensitivity of the information that is covered by this Plan, and the assessment of internal or external threats to the security and integrity of the covered information, among other reasons. Continued administration of the development, implementation and maintenance of the Plan will be the responsibility of the VPIT/CIO, who may assign specific responsibility for implementation and administration as appropriate.

7.10 Element 10: Notification to the FTC: In compliance with 16 CFR 314.4(j), the College will promptly notify the Federal Trade Commission (FTC) if a security event materially affecting the confidentiality, integrity, or availability of GLBA-regulated customer information occurs. The ISM, in consultation with the VPIT/CIO and Legal Counsel, will determine the need for FTC notification based on the nature and scope of the event and applicable regulatory requirements

Further details on the College’s Information Security Program, policies, responsible personnel, and specific administrative and technical safeguards may be found in the Lake Forest College Information Security Policy.

TERMS:

Unit means a constituent business unit of the College, including without limitation undergraduate and graduate programs, as well as fund groups and organizations that are not legally separate from the College, Athletic and Recreational Funds and other associations of Lake Forest College, such as the Gates Foundation, the Gorter Family Foundation, etc.

Covered Data means (i) non-public personal financial information about a Customer and (ii) any list, description, or other grouping of Customers (and publicly available information pertaining to them) that is derived using any non-public personal financial information. Examples of Covered Data include bank and credit card account numbers, income and credit histories, tax returns and social security numbers and lists of public information such as names, addresses and telephone numbers derived in whole or in part from personally identifiable financial information (e.g., names of students with outstanding loans). Covered Data is subject to the protections of GLBA, even if the Customer ultimately is not awarded any financial aid or provided with a credit extension. Covered Data includes such information in any form, including paper and electronic records.

College means Lake Forest College.

Customer means any individual (student, parent, faculty, staff, or other third party with whom the College interacts) who receives a Financial Service from the College for personal, family or household reasons that results in a continuing relationship with the College.

Customer Information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the institution.

Financial Service includes offering or servicing student and employee loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, engaging in debt collection activities, and leasing real or personal property to individuals for their benefit.

Related Entities means the following types of entities and their subsidiaries, if legally separate from the College and unless otherwise indicated: auxiliary enterprise corporations, college associations, student services corporations, childcare centers, performing arts centers, and art galleries.

Service Provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to Covered Data information through its direct provision of services to the College.

RELATED POLICIES:

• Change Management Policy
• Information Security Policy
• Technology Procurement & Vendor Management Policy

Document Control: