
Gramm-Leach-Bliley Act Information Security Program

Purpose

The Gramm-Leach-Bliley Act (15 U.S. Code § 6801 et seq., hereinafter “GLBA”), along with agreements between the Institute and the United States Department of Education (the Federal Student Aid Program Participation Agreement – PPA, and the Student Aid Internet Gateway Enrollment Agreement – SAIG), requires the Institute to ensure the security, integrity, and confidentiality of covered information and data, which includes student financial aid records and information. The Institute satisfies the privacy provisions of GLBA through its compliance with the Family Educational Rights and Privacy Act (FERPA).

Policy

This Information Security Program ("Program") ensures that administrative, technical and physical safeguards are implemented by AATI to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle covered data and information in compliance with the FTC's Safeguards Rule (16 C.F.R. Part 314) promulgated under the GLBA. These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

In compliance with GLBA and the FTC's final Safeguards Rule, the Institute shall appoint one or more Information Security Program Coordinators, conduct risk assessments of likely security and privacy risks, maintain a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.

The Chief Operating Officer, the Compliance Officer, the Financial Aid Officer, and the IT Officer are the co-coordinators of this Program. The Compliance Officer is responsible for maintaining a program of periodic training and awareness related to the handling and protection of information covered by this Program, and for overseeing service providers and contractors. The IT Officer will assist the Compliance Officer with a periodic risk assessment that identifies likely security and privacy risks to the covered data, and will provide a remediation plan for the identified risks. The IT Officer and the Compliance Officer will maintain the artifacts related to periodic risk assessment and remediation, maintain the training and awareness data provided to each department, and keep a log of these activities.

The Program Coordinators will evaluate this Program periodically to make appropriate adjustments.

Identification and Assessment of Risks to Customer Information

The Program Coordinators shall periodically conduct and document a risk analysis consisting of, but not limited to, the following:

  • Asset inventory: servers, desktops, and applications that contain covered data
  • Data criticality analysis
  • Threat assessments, including but not limited to the following:
    ◦ Compromised system security as a result of system access by an unauthorized person
    ◦ Deliberate network-based attacks or malicious software upload
    ◦ Ransomware, rendering covered data unreadable or unusable
    ◦ Interception of covered data during transmission
    ◦ Loss of covered data integrity
    ◦ Lack of a clean desk policy
    ◦ Inadvertent data entry
    ◦ Physical loss of covered data in a disaster (floods, earthquakes, tornadoes, electrical storms, etc.)
    ◦ Inaccessibility of covered data due to environmental factors (long-term power failure, pollution, chemicals, and liquid leakage)
    ◦ Errors introduced into the system
    ◦ Corruption of data or systems
    ◦ Unauthorized access (intentional and unintentional) to electronic or hardcopy covered data and information by employees or others
    ◦ Unauthorized requests for covered data and information
    ◦ Unauthorized transfer of covered data and information through third parties
    ◦ Third-party vendors who process covered data and information not appropriately safeguarding covered data
    ◦ Insecure storage of covered data and information
    ◦ Failure to dispose of covered data and information in a secure manner
  • Design, implementation, and development of a risk mitigation strategy
  • Maintenance of a written record of risk assessments and remediation

Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, the IT Department will actively monitor appropriate cybersecurity resources to identify additional risks.

AATI’s IT Department works to monitor and maintain safeguards that are reasonable and, in light of current risk assessments, sufficient to provide security and confidentiality for covered data and information maintained by the Institute. Additionally, the IT Department strives to maintain safeguards that reasonably protect against currently anticipated threats or hazards to the integrity of such information.

Employee Management and Training

AATI has addressed the physical security of covered data and information by limiting access to only those employees who have a rightful business reason to handle such information. All departments responsible for maintaining covered data and information are instructed to take steps to protect the information from destruction, loss, or damage due to environmental hazards, such as fire and water damage, or technical failures.

Information Systems

Access to covered data and information via AATI's computer information systems is limited to those employees and faculty who have a legitimate business reason to access such information. AATI has adopted comprehensive policies, standards, and guidelines relating to information security, which are incorporated by reference into this Information Security Program.

Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As a matter of policy, AATI has therefore discontinued the use of social security numbers as student identifiers in favor of Student ID numbers generated by its student information management database. By necessity, student social security numbers will remain in the information systems; however, access to social security numbers is granted only in cases where there is an approved, documented business need.

Management of Security Incidents

AATI will maintain effective systems to prevent, detect, and respond to attacks, intrusions, and other system failures. Such systems may include maintaining and implementing current anti-virus software; checking with software vendors and others to regularly obtain and install patches that correct software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data of threats to security; imaging documents and shredding paper copies; backing up data regularly and storing backups offsite; and other reasonable measures to protect the integrity and safety of information systems.

Oversight of Service Providers

The Institute will select appropriate service providers that are given access to Protected Information in the normal course of business and will contract with them to provide adequate safeguards. The Institute’s procedure for choosing a service provider that will have access to Protected Information includes consideration of the provider’s capability to maintain appropriate safeguards for such Protected Information. Contracts with service providers shall include appropriate provisions, such as a stipulation that the Protected Information will be held in confidence and accessed only for the purpose(s) specified in the contract, and an assurance from the contract partner that it will protect the Protected Information it receives.

Scope

The GLBA Information Security Program should be observed by students, faculty, staff, and contractors/suppliers.

Copyright © 1999 - American Advanced Technicians Institute. All Rights Reserved.