Skip to:

Safeguarding Nonpublic Financial Information : B-090

Policy/Guideline Area

Business and Finance Guidelines

Applicable Divisions

TCATs, Community Colleges, System Office


This guideline explains the procedure by which Tennessee Board of Regents institutions must develop a comprehensive written Information Security Program (the “Program”) as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule. An institution’s Program must include the components described below pursuant to which the institution intends to:

1. Protect the security and confidentiality of customers’ nonpublic financial information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.

The Program may consist of existing institutional policies and procedures that are incorporated by reference into the Program, including but not limited to policies such as computer/electronic records confidentiality policies, Family Educational Rights & Privacy Act policies, employee/personnel records confidentiality policies, etc.


  • Customer - person who has a continuing relationship with the institution for provision of financial services, such as financial aid.
  • Customer Information - any record containing nonpublic personal financial information about a Customer.  
  • Non-public financial information – any record not publicly available that an institution obtains about a customer in the process of offering a financial product or service, as well as such information provided to the institution by another source. Nonpublic financial information includes information that a person submits to apply for financial aid (e.g., tax returns and other financial information), that an institution collects from third parties relating to financial aid (e.g., FAFSA information), and that an institution creates based on customer information in its possession.
  • Security event – an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.


  1. Introduction
    1. TBR institutions are covered by GLBA because they offer and process financial aid applications, provide loans to students, and receive customer information from students and others in connection with those activities.
    2. Each institution must develop, implement, and maintain a written, comprehensive Information Security Program. The Program must contain administrative, technical, and physical safeguards appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.  The Program must apply to any paper or electronic record maintained by an institution that contains customer information about an individual or a third party who has a relationship with the institution.
    3. Because the TBR System Office handles significant customer information for Tennessee Colleges of Applied Technology through Shared Services, the System Office and the TCATs are considered a single institution for purposes of this policy. Customer information shall be kept confidential and safeguarded by the institution, its affiliates and service providers pursuant to the provisions of the Program and this Guideline.
  2. Requirements of an Information Security Program
    1. Program Coordinator
      1. Except for the TCATs, which will be served by the TBR System Office Program Coordinator, each institution must identify one qualified individual to serve as the Program Coordinator (“Coordinator”) who shall be responsible for overseeing and implementing the Program.  The Coordinator may obtain assistance from other sources, but ultimate responsibility for the Program remains with the Coordinator.
      2. The Coordinator’s development of the Program shall include, but not be limited to:
        1. Consulting with the appropriate offices to identify units and areas of the institution with access to customer information and maintaining a list of the same;
        2. Assisting the appropriate offices of the institution in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and making certain that appropriate safeguards are designed and implemented in each office and throughout the institution to safeguard the protected data
        3. Working with the institution’s contract officer(s) to guarantee that all contracts with third party service providers that have access to and maintain customer information include a provision requiring that the service provider maintain appropriate safeguards for customer information; and
        4. Working with responsible institutional officers to develop and deliver adequate training and education for all employees with access to customer information.
    2. Security and Privacy Risk Assessments
      1. The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of the safeguards in place to control those risks.
      2. Risk assessments should include consideration of risks in each office that has access to customer information.
      3. Risk assessments must be written and include, at a minimum, consideration of the risks in the following areas:
        1. Criteria for the evaluation and categorization of the identified security risks and threats;
        2. Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls in the context of identified risks and threats; and
        3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Program will address the risks.
      4. The institution must periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.  Such assessments must reassess the sufficiency of safeguards in place to control the risks.
    3. Information Security Personnel and Employee Training.
      1. Institutions must utilize qualified information security personnel, whether employed by the institution or through vendors, sufficient to manage information security risks and to assist in oversight of the Program.  Security personnel must be provided with security updates and training sufficient to address relevant security risks. Institutions must verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
      2. The Coordinator must provide institutional employees with security awareness training that is updated as necessary to reflect risks identified by the risk assessment. This training may be developed and implemented in conjunction with vendors, the human resources office, and the Office of General Counsel. The training shall occur on a regular basis, as deemed appropriate by the Coordinator, and it shall include education on relevant policies and procedures and other safeguards in place or developed to protect customer information.
    4. Design and Implementation of Safeguards
      1. The Program must include safeguards to control the risks identified through the risk assessments, including by:
        1. Implementing and periodically reviewing access controls, including technical, and as appropriate, physical controls to authenticate and permit access only to authorized users, and to limit authorized users’ access only to customer information that they need to perform their duties and functions (or in the case of customers, to access their own information);
        2. Identifying and managing the data, personnel, devices, systems, and facilities that enable the institution to achieve operational purposes in accordance with their relative importance to operational objectives and risk strategy;
        3. Protecting by encryption all customer information held or transmitted by the institution both in transit over external networks and at rest. To the extent the Coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the Coordinator may approve a method to secure such customer information using effective alternative compensating controls;
        4. Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information and procedures to evaluate, assess, or test the security of externally developed applications used to transmit, access, or store customer information;
        5. Implementing multi-factor authentication for any individual accessing any information system, unless the Coordinator has approved in writing the use of reasonably equivalent or more secure access controls;
        6. Developing, implementing, and maintaining procedures for the secure disposal of customer information.  These procedures must be periodically reviewed to minimize the unnecessary retention of data. Disposal must occur no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates unless:
          1. The information is required to be kept for a longer period in accordance with TBR Policy, Records Retention and Disposal of Records;
          2. The information is necessary for operational purposes; or
          3. Targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
        7. Adopting procedures for change management; and
        8. Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users.
      2. The Program must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.
      3. For information systems, monitoring and testing must include continuous monitoring or periodic penetration testing and vulnerability assessments.  In the absence of effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the institution must conduct:
        1. Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
        2. Vulnerability assessments, including any systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities.  Such vulnerability assessments must be conducted at least every six months and whenever there are material changes to an institution’s operations, and when circumstances or events may have a material impact on the Program.
    5. Oversight of Service Providers and Contracts
      1. The institution must take reasonable steps to select and retain third party service providers that are capable of maintaining appropriate safeguards for the customer information to which they have access.  Service providers must be periodically assessed based on the risk they present and the continued adequacy of their safeguards.
      2. The institution must require, by contract, that current and potential service providers with access to customer information maintain sufficient procedures to detect and respond to security events.
      3. The institution must require, by contract, that all applicable third party service providers implement and maintain appropriate safeguards for customer information.
    6. Incident Response Plan
      1. The Program must include a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the institution’s control.
      2. To the extent the following requirements are not already required by the State of Tennessee’s incident response plan, the Coordinator shall ensure that the incident response plan addresses:
        1. The goals of the incident response plan;
        2. The internal processes for responding to a security event;
        3. The definition of clear roles, responsibilities, and levels of decision-making authority;
        4. External and internal communications and information sharing;
        5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
        6. Documentation and reporting of security events and related incident response activities; and
        7. The evaluation and revision as necessary of the incident response plan following a security event.
    7. Evaluation and Revision of Program
      1. The Coordinator must evaluate and adjust the Program in light of the results of testing and monitoring, any material changes to the institution’s operations, the results of risk assessments, and any other circumstances that may have a material impact on the Program.
      2. The Program must include a plan by which it will be evaluated on a regular basis and a method to revise the Program, as necessary, for continued effectiveness.
  3. Assessment of the Information Security Program
    1. The Coordinator, in conjunction with the appropriate administrators, shall assess the effectiveness of the Program annually.
    2. The Coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the institutional organization that may affect the implementation and effectiveness of the Program.
  4. Publication of the Information Security Program
    1. To promote uniform compliance with the Program by all personnel employed by the institution and to achieve the institution’s duty to safeguard the confidentiality of customer information, the institution shall, at a minimum, display and disseminate the Program in accordance with the institution’s standard distribution methods.
    2. The institution’s current Program shall be available upon request for review and copy at all times.
  5. Annual Reporting to the Board of Regents
    1. The System Office Coordinator shall provide a written report to the Board of Regents no less than annually. The report shall include the following information for the System Office and TCATs:
      1. The overall status of the Program and compliance with these guidelines; and
      2. Material matters related to the Program addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and responses thereto; and recommendations for changes to the Program.
    2. The System Office Coordinator’s report to the Board of Regents shall also include a report from Coordinator of each institution.  The System Office Coordinator shall prepare a form for institutional Coordinators to complete and return in time sufficient for inclusion in the report to the Board.



T.C.A. § 49-8-203; All state and federal statutes, codes, Acts, rules and regulations referenced in this guideline; 16 C.F.R. Part 314 .


November 5, 2003; Revision Approved at Presidents Meeting February 22, 2023.