MIT is required by the Gramm-Leach-Bliley Act ("GLBA") and its implementing regulations at 16 CFR Part 314 to implement and maintain a comprehensive written Information Security Program ("ISP") and to appoint a coordinator for the program. The objectives of MIT's ISP are to
- Protect the security and confidentiality of covered personal financial information;
- Protect against any anticipated threats or hazards to the security or integrity of the information; and
- Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any person about whom such information is kept.
The ISP is in addition to existing MIT policies and procedures that address various aspects of information privacy and security, including but not limited to Institute Policy 11.2, Privacy of Personal Information, and Institute Policy 13.2, Policy on the Use of Information Technology Resources.
MIT has designated the Vice President for Information Systems & Technology as its GLBA Coordinator. The GLBA Coordinator may designate other individuals to oversee and/or coordinate particular elements of the ISP.
"Covered Information" means nonpublic personal information, including personal, household or family financial information about a faculty member, student, staff member or other third party who has a continuing relationship with MIT, where such information is obtained directly from the individual or gathered by MIT in connection with the provision of a financial service or product by MIT, and is maintained by MIT or on MIT's behalf. Nonpublic personal information includes students' names, addresses, and social security numbers as well as students' and parents' financial information. Examples of such financial products or services include the TechCash feature of the MIT Card; the extension of credit for personal, family, or household loans and the servicing and collection of such loans, including student loans, faculty housing loans, and education loans for faculty and staff; financial or tax advice to prospective donors; and real estate or personal property leased for personal, family or household use (but not including dormitory rooms or parking spaces).
Elements of the ISP
1. Risk Identification and Assessment. MIT's ISP identifies and assesses both external and internal risks to the security, confidentiality, and integrity of Covered Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The GLBA Coordinator will provide guidance to appropriate personnel in the administration, DLCs, and other offices in evaluating their current practices and procedures and in assessing reasonably anticipated risks to Covered Information in their respective areas. The GLBA Coordinator will work with appropriate personnel to establish procedures for identifying and assessing risks in the following areas:
- Employee Training and Management. The GLBA Coordinator will coordinate with the appropriate personnel to evaluate the effectiveness of current employee training and management procedures relating to the access and use of Covered Information.
- Information Systems. The GLBA Coordinator will coordinate with the appropriate personnel to assess the risks to Covered Information associated with the Institute's information systems, including network design as well as information processing, storage, transmission and security.
- Detecting, Preventing and Responding to Attacks and System Failures. The GLBA Coordinator will coordinate with the appropriate personnel to evaluate procedures for and methods of detecting, preventing and responding to attacks, intrusions or other system failures.
2. Designing and Implementing Safeguards. The GLBA Coordinator will coordinate with appropriate personnel to design and implement safeguards, as needed, to control the risks identified in assessments and will develop a plan to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
3. Overseeing Service Providers. The GLBA Coordinator, in conjunction with the appropriate offices, will assist in instituting methods for selecting and retaining service providers that are capable of maintaining appropriate safeguards for Covered Information. The GLBA Coordinator will work with the Office of the General Counsel to develop and incorporate standard, contractual provisions for service providers that will require providers to implement and maintain appropriate safeguards. These standards will apply to all existing and future contracts entered into with service providers to the extent required under GLBA.
4. Adjustments to Program. The GLBA Coordinator will evaluate and adjust the ISP as needed, based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to MIT's operations or other circumstances that may have a material impact on the ISP.