North Dakota University System
NDUS Procedures
SUBJECT: 1900s: Miscellaneous EFFECTIVE: May 23, 2003
Section: 1912.1 Information Security Procedures

  1. This procedure is intended to comply with provisions of the Financial Services Modernization Act of 1999 (also known as Gramm-Leach-Bliley, or GLB). This procedure applies to the NDUS office. In addition, this procedure shall serve as the GLB plan for each NDUS institution until the institution adopts its own GLB plan. The NDUS office and each institution shall appoint an Information Security Policy Coordinator (or Coordinators). Each institution shall adopt an appropriate GLB plan.

  2. Definitions.

    1. "Coordinator" means the designated Information Security Policy Coordinator.

    2. "Covered data and information" means student financial information and any other financial information required to be protected under GLB and includes both paper and electronic records.

    3. "Student financial information" means information obtained from a student in the process of offering a financial product or service, or such information provided by another financial institution. Offering a financial product or service includes offering student loans, receiving income tax information from a student or a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR 225.28. Student financial information includes addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers.

  3. The designated NDUS Information Security Policy Coordinator is the NDUS Chief Information Officer.

  4. There are both internal and external risks that may threaten covered data and information, including (but not limited to):

    1. Unauthorized access of covered data and information by someone other than the owner of the covered data and information,

    2. Compromised system security as a result of system access by an unauthorized person,

    3. Interception of data during transmission,

    4. Loss of data integrity,

    5. Physical loss of data in a disaster,

    6. Errors introduced into the system,

    7. Corruption of data or systems,

    8. Unauthorized access of covered data and information by employees,

    9. Unauthorized requests for covered data and information,

    10. Unauthorized access through hardcopy files or reports, and

    11. Unauthorized transfer of covered data and information through third parties.

    This may not be a complete list of the risks associated with the protection of covered data and information. Because technology does not stand still, new risks arise regularly. Accordingly, HECN will actively participate in and monitor advisory groups such as the Educause Security Institute, the Internet2 Security Working Group and SANS to identify new risks. The Coordinator shall review procedures, keep current on potential threats to the network and its data, and conduct regular risk assessments, including the risk categories listed in GLB.

    The NDUS believes current safeguards are reasonable and, in light of current risk assessments, are sufficient to provide security and confidentiality for covered data and information. Additionally, these safeguards protect against currently anticipated threats or hazards to the integrity of such information.

  5. The Coordinator shall develop and administer a training and education program for all employees who have access to covered data, including information technology employees who have general access to data, custodians of data, and employees who use or have access to data as part of their job duties. References of new employees shall be checked. The training and education program shall include appropriate training during orientation for new employees, including training in the proper use of computer information and passwords and training on the importance of confidentiality of student records, student financial information, and other types of covered data and information. Training also covers controls and procedures to prevent employees from providing confidential information to an unauthorized individual, including "pretext calling" (a caller who impersonates an authorized party to obtain information), and how to properly dispose of documents that contain covered data and information. Each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage, or technical failures. Further, each department responsible for maintaining covered data and information shall coordinate with legal counsel on an annual basis to review additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard covered data and information.

  6. Physical security is addressed by limiting access to covered data and information only to those persons who have a business reason to know such information. Documents containing covered data and information shall be kept in file cabinets, rooms or vaults that are locked at night or other times when not attended. Only authorized employees shall have access to combinations and keys. Paper documents containing covered data shall be shredded at time of disposal.

  7. Access to covered data and information via computer information systems shall be limited to those employees who have a business reason to know such information. Each employee shall be assigned a user name and password in compliance with a password procedure. Databases containing personal covered data and information, including, but not limited to, accounts, balances, and transactional information, shall be available only to employees in appropriate departments and positions.

    NDUS shall take reasonable and appropriate steps, consistent with current technological developments, to make sure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. All servers must be registered so that each system can be verified to meet the necessary security requirements. These requirements include maintaining the operating system and applications, including application of appropriate patches and updates in a timely fashion. An intrusion detection system and reporting procedures shall be maintained to detect and stop certain external threats. When commercially reasonable, encryption technology shall be used for both storage and transmission. All covered data and information shall be maintained on servers behind the firewall. All firewall software and hardware shall be kept current.

  8. It is the policy of the NDUS to enter into contracts involving covered data and information only with those providers who maintain appropriate safeguards. Assurances of GLB compliance shall be included in all future contracts. Existing contracts shall be reviewed to ensure compliance not later than May 2004. Contracts with service providers involving covered data or information shall include:

    1. an explicit acknowledgment that the contract allows the contract partner access to confidential information,

    2. a specific definition of the confidential information being provided,

    3. a stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract,

    4. a guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract,

    5. a guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information,

    6. a provision allowing for the return or destruction of all confidential information received by the contract partner upon completion of the contract,

    7. a stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract,

    8. a stipulation that any violation of the contract's protective conditions amounts to a material breach of contract and entitles NDUS to immediately terminate the contract without penalty,

    9. a provision allowing auditing of the contract partner's compliance with the contract safeguard requirements, and

    10. a provision ensuring that the contract's protective requirements shall survive any termination agreement.

  9. The Coordinator shall make or recommend adjustments to this plan as required and conduct an annual evaluation to assure ongoing compliance. The plan shall be evaluated and adjusted in light of relevant circumstances, including changes in the business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic auditing and an annual risk assessment are required.

History:
Chancellor approved May 23, 2003. This procedure was on the June 2003 Cabinet Agenda for their information.