The Catholic University of America


Resources for Information Assurance/Security


Forms; Toolkits and Checklists


Security and Privacy Issues, Dec. 1, 2010. Powerpoint by the Deputy Chief Information Officer, Federal Student Aid, U.S. Department of Education. Contains a University PII Checklist starting at slide 9 and continuing through slide 18.

CUA Red Flag Action Report Form
This document can be used to note actions taken in response to a red flag (suspicious pattern or practice that indicates the possible existence of identity theft). The form includes who was notified, offices consulted, dates.

CUA Gramm Leach Bliley Training Brochure

Web Pages/Blogs

Jackson Lewis Bring Your Own Device Issues Outline

Jackson Lewis Workplace Privacy, and Data Management and Security Report Blog

FTC Page on Gramm Leach Bliley Act


Overview of GLB Safeguarding

Five key sections to GLB safeguarding program


Designate an employee or employees to coordinate your information security program.

Who should be the designated employee?

This will depend on the school. It might be the CIO, the HIPAA privacy officer, the Registrar, the Bursar, or a combination of the above. If the designated employee is the Security Officer, consider appointing a second designee who is not part of the information security operation for purposes of checks/balances.


Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program, and regularly monitor and test the program.

First identify information and systems to be protected. What offices will be covered?

Suggest taking an organizational chart of the university and look at who has access to customer information or oversees contracts with service providers that have access to customer information. Registrar's Office, Financial Aid, Business Services, Admissions, Development, and Athletics are examples of offices that might be covered.


Eight factors or protecting customer information:

  • Access control
  • Physical security at locations where customer information is stored
  • Encryption of electronic customer information (especially in transit)
  • Implement a change management process for customer information system modifications
  • Dual control, segregation of duties and employee background checks1 for employees with access to customer information
  • Monitoring systems and procedures to detect any actual or attempted attacks or intrusions on customer information systems
  • Develop an incident response program for how to handle attempted and actual unauthorized access to customer information
  • Disaster recovery program for the protection against destruction of customer information due to physical hazards and technical failures


( These eight factors are not in the law. They came from a SANS document on compliance with GLB.)

Employee training and management

Training on security awareness should include supporting the information security program in general, as well as addressing the safeguarding of customer information. Training should cover anyone who has access to a system that has customer information, and also anyone who has access to paper copies of customer information. Train your employees not to confirm confidential information over the phone or by email, even if the other party provides it. Training might include attendance at industry conferences. Keep documentation of the training. Professors who have access to student information systems will need training, and GLB training for this group may be made a component of FERPA training.


Oversee service providers

· Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and

· Require your service providers by contract to implement and maintain such safeguards. Contracts entered into prior to June 24, 2002 are grandfathered in until May 24, 2004.

· Send form letters to third party business partners detailing GLB provisions and attach an amendment to contract where necessary.

· Ensure that as contracts come up for renewal, the privacy clause is included.


Evaluate and adjust your information security program

Some schools are considering audits by outside security firms.


In the university setting, confidentiality agreements may be considered rather than background checks for all employees.



 At the end of 2017, the Department of Education announced that it would be requiring insitutions of higher education to report any security breach of personally identifiable information. The Department is taking this position under Title IV Program Participation Agreements (which include Gramm-Leach-Bliley Act commitments) and Student Aid Internet Gateway agreements. A recorded session presented at the Federal Student Aid Conference in Nov-Dec. 2017 is online. The presenter is Tiina K.O. Rodrigue. (spelling not a typo) The power point can be found at item 37 in the program link

Shakespeare on Cyberliabilty, by Beth Cate, Associate University Counsel, Indiana University, published for the NACUA Annual Conference, Orlando, Florida, June 27, 2005 This is an excellent (and witty) overview of the main privacy laws affecting higher education, HIPAA, FERPA and GLB. The paper also includes a very thorough section on common law tort claims that might arise in connection with security and privacy breaches, as well as an overview of contractual security obligations and the duty to notify in the event of a security breach.

State Data Security Breach Notication laws (current 2017-by Mintz Levin)









updated 12-19-17