The College was aware of the minimum safeguard elements required to be in the written program and has been drafting the plan and implementing the elements for quite some time; however, it is acknowledged that this undertaking is not complete. The College’s Gramm-Leach-Bliley Act Action Plan and current progress in response to the rule that went into effect on May 13, 2024 is included below. The plan includes several key elements, such as designating a qualified individual to oversee the security program, conducting risk assessments, implementing safeguards, and ensuring data encryption.
There has been significant progress in some areas, such as implementing access controls and conducting security awareness training. However, some tasks remain, including conducting a written risk assessment, implementing a formal data retention policy, and creating an incident response plan. The goal is to complete and list all safeguards in the new Information Security Plan before the end of fiscal year 2025.
GRAMM-LEACH-BLILEY ACT ACTION PLAN
Section I – Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), enacted on November 12, 1999, requires institutions to protect the privacy and security of non-public sensitive personal consumer information. An amendment to GLBA in 2021 on the Federal Trade Commission’s Standards for Safeguarding Customer Information, or the Safeguards Rule for short, was made to keep up with modern technology. This rule has been in effect since May 13, 2024.
Section II – Safeguards Rule Requirements
The Safeguards Rule requires the following elements in an Information Security Plan:
1. Designation of a qualified individual to implement and supervise the information security program.
2. Conduct a Risk Assessment
3. Design and implementation of safeguards to control risks identified in the risk assessment:
a) Implement and Review access controls
b) Identify your systems, information, and core processes, and maintain the information
c) Encrypt Consumer data at rest and in transit
d) Procedures on how the institution manages applications, in-house and/or third-party.
e) Implementation of Multi-factor Authentication to customer information
f) Implement a Data Retention Policy
g) Implement a Change Management Policy to identify and address risks when modifying or adding new systems, processes, individuals/positions, or networks.
h) Documentation of how the institution logs and monitors authorized and unauthorized user activity
4. Routinely monitor and evaluate the effectiveness of safeguards
5. Information Security Awareness and User training program
a) Security Awareness Training for all employees
b) Specialized training for employees conducting the information security program
c) Verify and assess the effectiveness of training programs
6. Establish and monitor safeguards regarding service providers
7. Routine review and revision of your Information Security Program, including training, controls, policies, procedures, etc., to remain flexible against emerging threats.
8. Create a written Incident Response Plan
9. Require your Qualified Individual to report on the Information Security Plan, such as: risk assessment, risk management, service provider agreements, test results, security events and details on how personnel responded, and recommendations for change to the program.
Section III – Lewis and Clark Community College’s Action Plan and Progress
Lewis and Clark Community College has been actively implementing safeguards to protect consumer information against emerging threats. The action plan below lists the college’s current progress on each of the requirements listed above, respectively, and how the college plans to address any incomplete requirements.
1. The Chief Data and Technology Officer position is the Qualified Individual.
a) Status: Complete
b) Plan: List the CDTO as the Qualified Individual in the new Information Security Plan
2. The college has not conducted a written Risk Assessment.
a) Status: Incomplete
b) Plan: The college has an active high-priority project to conduct a risk assessment that identifies all potential risks to the institution and produces a written, documented assessment.
3. Design and implementation of safeguards to control risks identified in the risk assessment:
a) The college currently implements access controls to prevent unauthorized access.
i) Status: Complete
ii) Plan: Document the access controls in the new Information Security Plan.
b) The college has a rudimentary inventory system and is in the process of upgrading their IT inventory management system to a purchased ITAM (Information Security Asset Management) system.
i) Status: Incomplete
ii) Plan: Finish implementation of the chosen ITAM system and document how it will be managed.
c) The college has encryption implemented on critical systems containing consumer information at rest and has network encryption requirements implemented for data in transit.
i) Status: Incomplete, implemented but not documented
ii) Plan: Written documentation in the form of a Policy or Document is required.
d) The college does not produce software in-house. There are no formal written evaluation procedures for how third-party applications are assessed.
i) Status: Incomplete
ii) Plan: To write a section in the new Information Security Plan on how the college evaluates the security of a third-party application.
e) The college has partially implemented Multi-Factor Authentication (MFA) on their systems. Currently, all email systems and only employee AD FS logins require MFA.
i) Status: Incomplete
ii) Plan: There is currently a listed project for the implementation of MFA for Self-Service and our Colleague system, and a plan to retire the Blazernet.lc.edu system. As an additional mitigation, Colleague (institutional consumer information) is currently only accessible on-campus.
f) The college does not have a formal written Data Retention Policy.
i) Status: Incomplete
ii) Plan: To use the information gathered by the previous Data Retention Policy Mover Team in early 2023 to collaborate with a contractor to finish the policy before the next fiscal year.
g) The college does not have a written Change Management Policy.
i) Status: Incomplete
ii) Plan: To implement a change management policy that includes identifying and addressing any potential risks when modifying or adding new systems, processes, individuals/positions, or networks.
h) The college does monitor and track user logs, such as all logins to campus systems, and the information security personnel routinely monitor the logs to search for any suspicious activity, but the procedure is not written.
i) Status: Incomplete
ii) Plan: To write the procedure for how logs are monitored and user data is tracked, and include it in the new Information Security Plan.
4. The college has a documented external penetration test for the previous fiscal year, a documented internal vulnerability assessment from the previous fiscal year, documented recurring simulated phishing campaigns to test the effectiveness of the awareness and user training campaigns, documented physical flash drive drop tests in employee-only locations to test the effectiveness of awareness and user training, documented routine updates to all end-user systems to mitigate vulnerabilities, and the upcoming purchase of an ITAM that includes live vulnerability management to mitigate vulnerabilities.
a) Status: Complete
b) Plan: To include the requirements for testing effectiveness in the new Information Security Plan.
5. The college currently has implemented regular information security awareness and user training for all employees of the college.
a) The college utilizes a third-party application for awareness and user training programs at least once per year or more.
i) Status: Complete
ii) Plan: To include information regarding the awareness and user training campaigns in the new Information Security Plan.
b) The Information Security Analyst has been provided at least yearly conferences to stay current with new data and trends presented. The Information Security Analyst also reads information security news and updates on a weekly basis to keep current with emerging threats and vulnerabilities.
i) Status: Complete
ii) Plan: To include information regarding the specialized training in the new Information Security Plan.
c) The documented simulated phishing campaigns, flash drive drop tests, and the Security Awareness Proficiency Assessment (SAPA) provided at the end of training campaigns to all employees are used to create future trainings that provide effective content to increase employee knowledge of information security best practices.
i) Status: Complete
ii) Plan: To include information regarding how the tests and assessment affect and change future campaigns in the new Information Security Plan.
6. The college currently has an enacted technology purchasing policy that allows the Information Technology department to review and evaluate any technology purchase or requisition first before agreeing to partner with another provider.
a) Status: Complete
b) Plan: To outline the purchasing policy in the new Information Security Plan.
7. The college is currently creating a Routine Review Plan to document and keep track of policies, procedures, documents, access controls, agreements, and training programs that are to be routinely reviewed and revised to ensure all Information Technology documentation stays up to date.
a) Status: Incomplete
b) Plan: To list and outline the routine review plan in the new Information Security Plan once it is complete. It is currently in the process of being drafted and is on the college’s project list.
8. The college does not have a written Incident Response Plan.
a) Status: Incomplete
b) Plan: To collaborate with a contractor to create and complete the plan before the next fiscal year.
9. The college’s Qualified Individual does not currently routinely report on the current Information Security Plan.
a) Status: Incomplete
b) Plan: To lay out in the Information Security Plan that the Qualified Individual reports to the Board of Trustees at least yearly regarding risk assessment, risk management, service provider agreements, test results, security events and details on how personnel responded, and recommendations for change to the information security program.
Section IV – Information Security Plan Schedule
All safeguards listed above are planned for completion and to be listed in the new Information Security Plan before the beginning of the new fiscal year starting on July 1st, 2025. The Information Security Plan and any newly created policies will be listed on the lc.edu website once completed. This action plan is to ensure that Lewis & Clark Community College comes into compliance with GLBA to ensure the safety of consumer information.
Person(s) Responsible: Ron Wall, Chief Data and Technology Officer
Timing for Implementation: Full Implementation expected by June 30, 2025