Shenandoah University

Business Office’s Financial Information Security Plan

I. Purpose:

 

The Federal Trade Commission (FTC) requires financial institutions to establish policies and procedures for safeguarding customer financial information in compliance with the Gramm-Leach-Bliley Act (GLBA).  The GLBA also includes specific requirements regarding the privacy of customer financial information.  The FTC has ruled that compliance with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirements of the GLBA but does not satisfy its safeguarding provisions.  The Appendix to this plan includes the University's Privacy of Student Records Statement for FERPA compliance.  This plan focuses on the safeguarding of customer information.

 

II. Objectives:

 

1. Ensure the security and confidentiality of customer records and information

2. Protect against any anticipated threats to the security or integrity of such records

3. Protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer

 

III. Risk Assessment:

 

The following threats to customer financial information are addressed and mitigated through the implementation of this plan:

 

1. Unauthorized access to data through software applications

2. Unauthorized use of another user's account and password

3. Unauthorized viewing of printed or on-screen financial data

4. Improper storage of printed financial data

5. Unprotected documentation (e.g., system manuals or procedures) that an intruder could use to gain access to data

6. Improper destruction of printed material


 

IV. Financial Information Security Plan:

 

1. Electronic access to customer financial information is protected by usernames and passwords.  Each administrative department designates a security officer for the University's integrated administrative software program.  The security officer is the owner of that department's data and is responsible for safeguarding it.  The Appendix includes the forms security officers use to grant and remove access to their data, and the code of responsibility statement that every user must sign before being granted access to administrative records.

2. Strong (hard to guess) passwords are required for access to the administrative software system, as outlined in the AS400 User Manual, and passwords must be changed every 90 days; see the Appendix for the excerpt from that manual on password specifications.

3. Passwords are not to be shared with other users.  Students requiring access to customer financial information are given their own account and password with appropriate privileges assigned.

4. Access to customer financial information stored on the Business Office network share (e.g., Word and Excel documents) is safeguarded by access rights granted by the Comptroller, limited to the files relevant to each user's work.

5. All users must log off their computer terminals when they are away from their work area.

6. Computer terminals used to display customer financial information are not to be left unattended with that information still displayed.

7. Computer terminals are to be positioned so as to prevent casual viewing by unauthorized personnel.

8. Access to the Business Office area is secured by issuing keys to the exterior door only to authorized individuals.  A key request form must be completed by the employee and approved by the Comptroller before the Physical Plant Office issues a key.  The Physical Plant Office keeps a list of authorized key holders on file.  Lost or stolen keys are to be reported to the Comptroller and the Physical Plant Office.

9. Printed copies of customer financial information are to be handled only by authorized personnel and kept in areas with restricted access.

10. Printed copies of customer financial information are not to be left in the open on desks that are unattended for extended periods of time.

11. Printed documentation older than one year is moved to a locked storage room in the Fairfax building; the key to that room is controlled by the Comptroller and the Physical Plant Office.

12. Current printed documentation (less than one year old) is kept in lockable file cabinets in the Business Office area, and the exterior door to the Business Office is locked during non-business hours.

13. Printed copies of customer financial information are shredded when no longer needed.

14. Calls or requests for information are referred to responsible individuals who have received information security program training.

15. Fraudulent attempts to obtain information will be reported to the Computer Center or the Physical Plant Office, as applicable.

16. Disciplinary measures, up to and including termination, may be imposed for breaches of this plan.

 

V. Training of Staff:

 

1. Training for new staff will include an explanation of the purpose of the GLBA and a copy of this plan.  Each staff member will sign a statement that he/she has received a copy of this plan and understands his/her responsibilities under it.  This statement will be filed in the Comptroller's Office.  In addition, all other applicable forms mentioned above must be signed before access is granted to customer financial data.

2. Existing staff will receive the same training as new staff and will be reminded of their responsibilities under the GLBA each year during their annual evaluation with their supervisor.

3. Students will receive the same training as staff from their supervisor and will be reminded of their obligations when they stop working for the Business Office.  Each supervisor will obtain a signed statement from the student that he/she has received a copy of the plan and understands his/her responsibilities under it.  The signed statement will be kept by the Comptroller.

 

VI. References:

 

1. National Association of College and University Business Officers, Advisory Report 2003-01, "Colleges and Universities Subject to New FTC Rules Safeguarding Customer Information"

2. Federal Register, 16 CFR Part 314, Standards for Safeguarding Customer Information

3. AS400 User Manual

4. FTC GLBA website: http://www.ftc.gov/privacy/glbact/

 

VII. Appendix:

 

1. Business Office Safeguarding of Financial Records Compliance Statement

2. Shenandoah University's Privacy of Student Records Statement

3. Excerpt from AS400 User Manual on Passwords: H:\dept\as400doc\general\procedures\AS400 User Manual

4. Institutional Computing System Code of Responsibility Form

5. Institutional Computing System Account Setup Form

6. Institutional Computing System Account Removal Form

7. Institutional Computing System AS400 Group Creation/Change Form