Gramm-Leach-Bliley Act Security Plan

Representatives of various operational units at Austin Peay State University convened to discuss the objectives of the Gramm-Leach-Bliley Act (GLB) and its application to activities, services, or programs which use information such as Social Security Numbers or other Student Identification Numbers that could allow unauthorized access to a student or employee’s financial information. It is certain in some departments and probable in others that information is maintained or shared internally and with third parties, creating the potential for unauthorized access, breach of confidentiality, or at least weaknesses which should be addressed.

Campus entities identified as those which may house or provide a gateway to financial information are:

  • Accounting Services
  • Educational Opportunity Center
  • Financial Aid
  • Human Resources
  • Office of Information Technology
  • Business Department

Each of the identified units will be directed by the appropriate administrative authority to review and evaluate its current policies and procedures in regard to security of confidential information. Review and evaluation will include information stored and disposed of internally as hard copy and electronically. Third-party access or transmission will also be addressed by having the unit identify all third parties; this includes, but is not limited to, reviewing existing contracts for language regarding the security of data and routing new contracts through the Contracts Office for inclusion of appropriate security language. It will also be determined whether the electronic method of access or transmission is secure from unauthorized access.

During the course of daily University interaction, confidential information is often verbally communicated with students and other employees in a public venue. It is important that the risks of verbal transmission and open viewing of computer screens be reviewed and addressed appropriately. APSU’s employment of over 750 faculty and staff makes it imperative that training programs be implemented as a safeguard. New staff, both administrative and academic, must receive training in regard to the sensitive information they will be expected to safeguard during the routine execution of their duties. Current staff, both administrative and academic, need refresher training on protection of information which is confidential. Once appropriate staff receive training, participation in ongoing training and education will be required. The training sessions will be developed and provided by staff members charged with the responsibility of overseeing such information. To be effective, it is imperative that the provost, deans, and other administrators mandate and strongly support attendance and participation in the training modules.

A thorough examination of the processes and procedures used to provide the expected level of service to over 9,000 students on a campus along with 750 staff and faculty will, no doubt, identify possible breaches of security of financial information of students or employees. It is expected that the revealed weaknesses will be called to the attention of unit supervisors and measures will be taken to incorporate appropriate security. Also, there may be practices identified as at risk but for which installing a higher level of security is not feasible due to budgetary or physical constraints. In such cases, it is expected that these weaknesses will be noted with the appropriate administrators for future budget or physical considerations.

The APSU Gramm-Leach-Bliley Committee has designated Crystal Emmons, Electronic Communications Specialist, as coordinator of the Information Security Plan. This plan will be placed on the APSU web site as a link under Information Technology. On an annual basis the coordinators will request a review of each specified department’s processes and procedures in addition to the identification of other departments which should be included in the Plan. Changes in technology, physical relocation, and organizational changes are inevitable.