
UMGC Policy X-1.29 UMGC Policy on Gramm-Leach-Bliley Act (GLBA) Compliance

Policy Category: X. Information Governance, Security & Technology
Policy Owner: Chief Transformation Officer
Version Effective Date: June 11, 2025
Review Cycle: Every 5 years
Last Reviewed: June 11, 2025
Policy Contact: Info. Security
  1. Purpose
    The Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, as amended, require Financial Institutions to protect, to the extent reasonably possible, the Security, Privacy, and Confidentiality of Covered Information. Because UMGC engages in Financial Services, such as student financial aid, the Federal Trade Commission considers the University a Financial Institution for GLBA purposes.
  2. Scope
    This Policy applies to Covered Information provided by a student or other third party to the University, resulting from any service or transaction performed by the University for a student or other third party, or otherwise obtained by the University.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Policy Statements
    1. The University will designate one or more qualified individuals to be responsible for overseeing, implementing, and enforcing the UMGC Information Security Program ("IS Program") as it relates to GLBA.
    2. The IS Program will identify and assess internal and external risks to the Security, Confidentiality, and Integrity of Covered Information that could result in the unauthorized disclosure, misuse, alteration, destruction or any other compromise of such Information. The IS Program will provide guidance to appropriate personnel in central administration, academic departments, and other University departments in evaluating their current practices and procedures and assessing the sufficiency of any safeguards in place to control these risks.
    3. The IS Program will coordinate with appropriate personnel to design and implement safeguards, as needed, to minimize or mitigate the risks identified in assessments and shall develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. The IS Program will ensure that monitoring of the safeguards shall be performed on an ongoing basis and adjustments to the IS Program shall be made as needed.
    4. The IS Program will be responsible for ensuring that related security policies and operational procedures are documented, in use, and known to all affected parties.
    5. The IS Program shall work with the University’s Office of Procurement and Office of Legal Affairs in developing methods and procedures for selecting and retaining Third-Party Providers that are capable of maintaining appropriate safeguards for Covered Information. Contract language shall require Third-Party Providers to implement and maintain appropriate safeguards for those computing resources that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Covered Information.
    6. The IS Program will be responsible for establishing and maintaining an Incident response plan.
    7. The IS Program will report annually to the senior leadership of UMGC on the risk posed to UMGC by information technology, cybersecurity, and privacy.
  5. Enforcement
    1. Any employee, contractor, or other third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
    2. Any employee, contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to the University’s Information Technology Resources and may be subject to other penalties and disciplinary action, up to and including termination of employment or contract.
  6. Standards Referenced
    1. Most recent versions:
      1. USM IT Security Standards
      2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
      3. Cybersecurity Maturity Model Certification (CMMC)
  7. Related Policies and References
    1. UMGC Information Governance, Security, and Technology Policies