
GLBA

Updates to the Gramm-Leach-Bliley Act (GLBA) went into effect on June 9th, 2023. The enhanced requirements strive to ensure the security of covered student information by protecting against anticipated cybersecurity threats and preventing unauthorized access. U.S. Truck Driver Training School, Inc. has added the necessary changes to its GLBA policy. The updated policy covers:

  1. Designating an individual who supervises and implements the institution's information security program
  2. Conducting a risk assessment
  3. Designing and implementing safeguards to control identified risks
  4. Regularly monitoring and testing the effectiveness of our safeguards
  5. Providing training to our staff
  6. Monitoring our service providers
  7. Keeping our information security program current
  8. Creating a written incident response plan
  9. Having the qualified individual report to the Board of Directors

GLBA Information Security Program 

Type of Policy: GLBA 

Effective Date: June 1st, 2023 

Last Revised: August 8th, 2023

Contact Name: Samka Keranovic 

Contact Email: [email protected] 

Reason for Policy 

This Information Security Plan (“Plan”) describes safeguards implemented by U.S. Truck Driver Training School, Inc. (USTDTS) to protect covered data and information in compliance with the FTC’s Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA). These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any current students and potential students.

This Information Security Program also identifies mechanisms to:  

  • Identify and assess the risks that may threaten covered data and information maintained by USTDTS;
  • Develop written policies and procedures to manage and control these risks;
  • Implement and review the program; and
  • Adjust the program to reflect changes in technology, the sensitivity of covered data and information, and internal or external threats to information security.

Policy Statement 

GLBA mandates that the Institute appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.  

Information Security Program Coordinator(s) 

The Vice President and Grit Tech have been appointed as the coordinators of this Program at USTDTS. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to the institution. Grit Tech personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security policies and practices delineated in this program.  

Identification and Assessment of Risks to Customer Information 

USTDTS recognizes that it is exposed to both internal and external risks, including but not limited to:  

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information 
  • Compromised system security as a result of system access by an unauthorized person 
  • Interception of data during transmission 
  • Loss of data integrity 
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems 
  • Unauthorized access of covered data and information by employees 
  • Unauthorized requests for covered data and information 
  • Unauthorized access through hardcopy files or reports 
  • Unauthorized transfer of covered data and information through third parties 

Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, USTDTS in partnership with Grit Tech will actively participate and monitor appropriate cybersecurity advisory groups for identification of risks.  

Current safeguards implemented, monitored, and maintained by USTDTS and Grit Tech are reasonable, and in light of current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by the Institute. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.   

Employee Management and Training 

References and/or background checks (as appropriate, depending on position) are performed for new employees working in areas that regularly handle covered data and information (e.g., Bursar Office, Financial Aid). During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard covered data and information.

Physical Security 

USTDTS has addressed the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances, and transactional information are available only to USTDTS employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.  

Information Systems 

Access to covered data and information via the USTDTS computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. The Institution has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to USTDTS information systems. These policies and procedures, listed in Section 3 below, are available upon request from the Vice President.

Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, USTDTS has discontinued the use of social security numbers as student identifiers in favor of the ID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.  

Management of System Failures 

USTDTS Cyber Security has developed written plans and procedures to detect any actual or attempted attacks on USTDTS systems and has an Incident Response Plan which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This document is available upon request from the Vice President.  

Oversight of Service Providers 

GLBA requires the institution to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Security Program Coordinator(s) will identify service providers who have or will have access to covered data and will work with the leadership and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data. 

Continuing Evaluation and Adjustment 

This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinator(s), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s), in consultation with the leadership, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.  

Policy Terms 

The Covered Data and Information  

For the purpose of this program, covered data and information includes student financial information (defined below) that is protected under the GLBA. In addition to this coverage, which is required under federal law, USTDTS chooses as a matter of policy to include in this definition any and all sensitive data, including credit card information and checking/banking account information received in the course of business by the institution, whether or not such information is covered by GLBA. Covered data and information include both paper and electronic records.

GLBA’s terminology for customer data covered by the regulation includes:

  • Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 
  • Any information a student or other third party provides in order to obtain a financial service from USTDTS. 
  • Any information about a student or other third party resulting from any transaction with USTDTS involving a financial service. 
  • Any information otherwise obtained about a student or other third party in connection with providing a financial service to that person. 

Examples of nonpublic personal information include (but are not limited to): 

  • Social Security number 
  • Credit card number 
  • Account numbers 
  • Account balances 
  • Any financial transactions 
  • Tax return information 
  • Driver’s license number 
  • Date or location of birth 

The USTDTS data retention policy indicates that USTDTS will dispose of all hard copies after 2 academic years and may delete covered data once our required retention period, which is 7 years, has elapsed. These two periods bookend our data protection requirements. USTDTS has implemented procedures to properly remove or redact covered data after the retention period.

Pretext Calling

Pretext calling occurs when an individual attempts to improperly obtain personal information of USTDTS students in order to commit identity theft. It is accomplished by contacting the institution, posing as a student or someone authorized to have the student’s information, and, through the use of trickery and deceit, convincing an employee of the Institute to release customer-identifying information.

Student Financial Information

This is information that USTDTS has obtained from a student or customer in the process of offering a financial product or service, or such information provided to the institution by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.  

Procedures 

Related Policies, Standards and Guidelines 

USTDTS has adopted comprehensive policies, standards, and guidelines relating to information security, which are incorporated by reference into this Information Security Program. They include:   

Policies 

Cyber Security Policy

Computing & Network Use Policy

Data Governance & Management Policy

Credit Card Processing Policy

Password Protection Policy

A Privacy Policy shared with all students.

We can provide access to the policies to authorized individuals/organizations upon request.

Standards 

Data Protection Safeguards 

Communication 

Upon approval, this policy shall be published on the USTDTS website. The following offices and individuals shall be notified via email and/or in writing upon approval of the program and upon any subsequent revisions or amendments made to the original document:

  • President
  • Vice President
  • Grit Tech