
Gramm-Leach-Bliley Act (GLBA) at UChicago

In December 2021, the Federal Trade Commission (FTC) amended the Standards for Safeguarding Customer Information, a major part of the 1999 Gramm-Leach-Bliley Act (GLBA). Some of the changes for further protection of consumers' private and personal information at financial institutions became effective in January 2022, but most were delayed until June 9, 2023.

The following table provides the GLBA compliance objectives, the University of Chicago responses, and additional comments. Questions should be directed to ciso@uchicago.edu.

Objective: Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).

Compliance: The University's CISO oversees and implements the University's information security program and enforces its compliance with the assistance of the IT Services Information Security teams (Information Assurance, Security Operations, Identity and Access Management).

Documentation: Information Security Policy

2 A

Objective: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).

Compliance: Under the direction of the University's CISO, the IT Services Information Assurance team works with other departments on campus to ensure that material threats to customer information are identified (ideally during the procurement phase, but also through ongoing monitoring) in order to prevent unauthorized disclosure, misuse, alteration, destruction and other compromises. The University conducts an annual security assessment of all departments, based on the NIST Cybersecurity Framework.

Documentation: FY23 SFA Campus-Wide Report (see page 9 for methodology; access available upon request).

B

Objective: Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:

  i. Implement and periodically review access controls.

  Compliance: IT Services Identity and Access Management provides a platform and tools that enable application and system owners to manage access on an opt-in basis. There is no hard requirement to leverage the Identity and Access Management tools or services for all access management. Application owners periodically review access controls.

  Documentation: CNetID Account Management Practices

  ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.

  Compliance: IT Services offers the UChicago Technology Application Library (UTAL) to keep track of unit-managed software and data on an opt-in basis.

  Documentation: To request details on information stored in UTAL, including application groupings, authentication types, data sensitivity indicators, and platforms, email utal-support@uchicago.edu.

  iii. Encrypt customer information on the institution’s system and when it’s in transit.

  Compliance: The University's Information Systems Management Standards and End User Device Policy require all assets to be encrypted at rest according to the Statement on Encryption and Cryptographic Hashing Standards. The Information Systems Management Standards (#18) mandate the use of an encrypted VPN when interacting with sensitive information from remote locations.

  Documentation:
  1. Information Systems and Managed End User Device Standards (#18)
  2. End-User Device Policy
  3. Statement on Encryption and Cryptographic Hashing Standards

  iv. Assess apps developed by the institution.

  Compliance: Vulnerability management is a requirement of the University's Information Systems Management Standards. A precise University Vulnerability Management Standard is in development.

  Documentation: Information Systems and Managed End User Device Standards (#8)

  v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.

  Compliance: All systems holding sensitive information that require authentication via the University's CNetIDs are covered by two-factor authentication through Okta and Duo. VPN and on-campus wireless access also require authentication via CNetID.

  Documentation:
  1. Information Systems and Managed End User Device Standards (#13)
  2. University Policy 601 - Treatment of Confidential Information (refer to the Roles and Responsibilities section, Employee roles)

  vi. Dispose of customer information securely.

  Compliance: The University's Sanitization of Digital Storage Media guidelines mandate secure sanitization of all restricted or sensitive data, per Securely Erase Electronic Devices.

  Decommissioned hardware is collected through the IT Services Recycling e-Waste program. All collected devices are sanitized according to best practice before being handed over to a contracted service provider for destruction.

  The University's Document Management Policy (Policy 2708) specifies how long records are kept before they are securely deleted.

  Documentation:
  1. Information Systems and Managed End User Device Standards (#24)
  2. Securely Erase Electronic Devices
  3. Policy 2708: Managing University Records

  vii. Anticipate and evaluate changes to the information system or network.

  Compliance: All material changes to the University network and information systems must be reviewed and approved by the Change Advisory Board (CAB) and, if relevant, the University's Technical Review Committee (TRC).

  Documentation: Change Management Process (login required)

  viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

  Compliance: The Security Operations and Identity and Access Management teams maintain several authentication and logging tools that evaluate inbound and outbound traffic to campus, as well as successful and failed authentications. Anomalies are automatically flagged for manual review and, if confirmed, incident protocols are followed.

  Documentation:
  1. Information Systems and Managed End User Device Standards (#10, 31, 32, 33, 42)
  2. Incident response details are confidential and available upon request.

C

Objective: Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

Compliance: The institution's safeguard measures are continually evaluated and improved. Findings are discussed by the Information Security team, and mitigating remediations are implemented as soon as possible after detection. In addition, independent penetration tests are facilitated annually.

IT units participate in an annual Security Framework Assessment (based on the NIST Cybersecurity Framework) to allow a better understanding of the University's threat landscape and overall posture. Remediation of findings is discussed with units and checked the following year.

Documentation:
1. Pen test response details are confidential and available upon request.
2. The University also uses Bitsight security performance monitoring to gain a third-party, objective view of campus security controls.

D

Objective: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).

Compliance: The University's CISO implements and maintains the University's IT policies, and coordinates with Unit IT directors across campus to ensure they are enacted.

Documentation: Information Security Policy

Objective: Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).

Compliance: All Information System Service Providers are required to go through a procurement process. Part of this process is a vetting of procurement and IT risks by the respective teams.

Documentation:
1. Policy of Procurement and Engagement of Services
2. Vendor review process details are confidential and available upon request.

F

Objective: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

Compliance: The CISO's three teams (Information Assurance, Security Operations, and Identity and Access Management) provide an ongoing, comprehensive overview of the campus IT infrastructure, assisted by contact with other Unit IT.

Anything that has a significant impact on the institution's security program or poses a risk is raised and discussed. Remediations or mitigating measures are implemented as soon as reasonably possible. Processes are in place to make informed decisions on material changes to the University's operations and business arrangements before implementation, as far as the University's IT landscape is concerned. The University Information Security team also sits on the Change Advisory Board (CAB) and the Technical Review Committee (TRC) to review changes that are material to the delivery of IT to campus.

Documentation:
1. Slides 14-18 in Group 3 Audit Committee Presentation
2. Overall Open Findings available upon request.
3. FY23 SFA Campus-Wide Report (access available upon request)
4. New Information Technologies and Intellectual Property at the University
5. New Information Technology review process details (e.g. AI/ML) are confidential and available upon request.