Policies & Procedures

DEFINITIONS

1. Customer: An individual who has applied for and/or obtained a financial service or product from Longwood University intended for personal or household use. Students and students' parents may be classified as customers.
2. Covered Data: Any paper or electronic record containing nonpublic personal financial information about a customer that the University manages. Covered Data may be provided by students or others in order to obtain a financial product or service from the University.
3. Financial Service: Includes offering or servicing student and employee loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, and engaging in debt collection activities.
4. POLICY OWNER

The Vice President for Administration & Finance oversees this policy, and Longwood University Information Technology Services and Longwood University Financial Operations are responsible for implementation and proper procedures.

PURPOSE

The Gramm-Leach-Bliley Act (GLBA), administered by the Federal Trade Commission (FTC), requires colleges and universities that provide financial services to establish policies and procedures for the privacy and safeguarding of nonpublic personal financial information. Specifically, the GLBA Privacy of Consumer Financial Information Rule (16 CFR § 313) and the GLBA Safeguards Rule mandates that Longwood University establish appropriate administrative, technical, and physical safeguards (16 CFR § 314); which are applicable to academic units, offices, or departments that collect, store, or process Covered Data. This policy is designed to address the steps to protect customer nonpublic personal financial information.

POLICY

It shall be the policy of Longwood University to manage customers' nonpublic financial information as confidential records. Longwood University provides appropriate procedures to protect such customer financial information against reasonable threats and hazards and unauthorized access or use of such records that could result in substantial harm or inconvenience to customers.

1. Responsible Positions:
   1. The Vice President of Administration and Finance is the GLBA Privacy Officer responsible for overseeing the implementation of the University GLBA Program including GLBA departmental risk assessments and GLBA security training. The GLBA Privacy Officer may designate other representatives of the University to oversee and coordinate additional elements of the program.
   2. The Chief Information Officer is the GLBA Information Technology Officer responsible for ensuring the overall security of electronic systems and infrastructure for the University, including the Information Technology Services (ITS) risk assessment, data security, threat detection, as well as monitoring and controlling system activities.
   3. The Information Security Officer (ISO) is the qualified individual responsible for overseeing, implementing, and enforcing the University’s information security program.

COMPLIANCE CONTROLS

1. Risk Analysis: University departments that manage or have access to Covered Data must complete an annual written risk assessment that examines the reasonably foreseeable security risks of data impacted by availability, confidentiality, and integrity.
2. Securing Information:
   1. Department heads will appoint a trusted and knowledgeable employee to oversee their individual department’s safeguarding programs. These employees will serve on the GLBA Compliance Committee reporting to the GLBA Privacy Officer and the GLBA Information Technology Officer.
   2. Departments shall implement and review access controls annually.
   3. Departments shall keep an accurate inventory of systems, data, and personnel.
   4. Departments shall dispose of customer information securely in accordance with University and/or Commonwealth of Virginia requirements.
   5. Encrypt customer information on identified systems and in transit. If encryption is not feasible, compensating control must be in place and approved by the ISO.
   6. Multi-factor authentication shall be used for identified systems. If multi-factor authentication is not feasible, compensating control must be in place and approved by the ISO.
3. Training: Departments shall ensure that all new and existing University employees, including student workers who are involved in activities covered under the Act, receive the GLBA training. Documentation will be maintained as proof of the University's compliance with the training requirement under this policy and GLBA Safeguard Rule.
4. Monitoring and Detection: ITS shall regularly monitor information systems. Responsible departments will regularly assess their procedures and controls to safeguard Covered Data.
5. Program Failures: Departments must immediately report significant failures of their safeguarding program to the department manager and refer to departmental standards and procedures.
6. Reporting: The GLBA Privacy Officer or the GLBA Information Technology Officer shall report at least annually to the Board of Visitors in writing regarding the overall status of the program and any other material matters related to the information security program.
7. References: The following policies and addendum supplement and help to create a comprehensive information security plan. Referral and adherence to these documents is imperative to overall protection of customer information. The following documents are incorporated by reference into the plan.
   • Acceptable Use of Information Technology Resources and Systems
   • Data Classification
   • Incident Response
   • Password Management
   • Physical Access
   • Remote Access
   • Security Awareness and Training
   • Security Roles and Responsibilities
   • University Information Technology Security Program
   • Data Protection Addendum

Approved by the Board of Visitors, September 11, 2004.
Revised and approved by the Board of Visitors, June 9, 2023.
Revised and approved by the Board of Visitors, June 7, 2024.