Financial Information Security Program

Gramm-Leach-Bliley Act

This document summarizes the comprehensive written financial information security program at Auburn University at Montgomery (AUM) mandated by the Federal Trade Commission's (FTC) Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).

The Federal Trade Commission requires that "financial institutions," which include most institutions of higher education, establish policies and procedures for safeguarding customer financial information. The GLBA also includes specific requirements regarding the privacy of customer financial information. The FTC has determined that educational institutions that comply with the Family Educational Rights and Privacy Act (FERPA) satisfy the privacy requirement of the GLBA.

AUM is entrusted with customer financial information and is continuing to develop ways to address cybersecurity threats and to strengthen its cybersecurity infrastructure.

Program Objectives

  • Protect the security and confidentiality of covered records and information.
  • Protect AUM’s IT systems and information assets from unauthorized access, alteration, disclosure or destruction.
  • Ensure the privacy of faculty, staff, and student information and that of other university customers or associates.
  • Protect against anticipated threats or hazards to the security of covered records.
  • Identify and assess the risks in each relevant area and evaluate the effectiveness of the current safeguards for controlling those risks.
  • Determine the levels of information security appropriate to protect information systems.
  • Evaluate, test and monitor the program and make changes as necessary.

Financial Information Security Program Components

  1. Access to AUM’s information systems is limited to authorized personnel. For example, managers request access to the various modules in Banner through a standardized approval workflow. All managers/supervisors are required to review the Banner access of their staff members on an annual basis. Internal policies are in place to provide access to IT servers and systems only to authorized staff. In addition, AUM utilizes both physical and virtual LAN segmentation. Each of these segments has IP subnet boundaries that isolate critical and sensitive data, keeping it out of reach of any Public, Guest, or Student network.
  2. AUM employees receive various levels of training depending on their job functions, including HR employment law or FERPA training. In addition, AUM mandates that every employee complete cyber-security awareness training. University employees handling financial information that falls within the scope of the Payment Card Industry (PCI) standards are required to complete such training annually.
  3. AUM utilizes log capture applications, rules, and programs. Such rules include tracking of last changes and history of student information within Banner; login failures on servers; system alerts; and account creation, modification, or deletion. In addition, AUM developed procedures for periodic reviews of such logs. A backup plan is in place to safeguard customer information against unauthorized changes or destruction.
  4. AUM developed a standard image for computers that is reviewed periodically to include updates, patches and other recommended changes. Servers are configured based on their need, and unnecessary services are disabled to increase security. In addition, each information system is equipped with appropriate anti-virus software, and systems are updated with patches, new releases, etc., as appropriate. AUM utilizes automated software to inventory all information systems, including computers, servers or network equipment.
  5. AUM’s information systems are controlled by centralized system access controls. All users must be positively identified prior to being able to use AUM computers or communication system resources. Positive identification involves a username and password. AUM sets a stringent password protection policy requiring users to select strong passwords that may not be shared or stored electronically. Network equipment such as switches, routers, or firewalls can only be accessed by certain IP addresses managed by an access control list.
  6. AUM actively monitors its networks and systems utilizing various security controls and appliances, such as intrusion detection and prevention systems, virus scans, and standard log review procedures. AUM responds to any incidents and communicates incident details with appropriate AUM personnel.
  7. AUM personal computers are configured to connect to AUM’s central update repository server. For example, Microsoft updates, when released, are reviewed by a technician before being released to the AUM community. Other applications are configured to receive automated updates and patches from the individual application vendor. AUM monitors vendor communications regarding software updates and tests such updates before release. If IT equipment is disposed of or reassigned to another user, AUM either uses DoD methodologies for erasing electronic storage media or physically destroys the media itself.
  8. Printed financial documentation and information from customers (including, but not limited to, credit card information, social security information, including social security numbers and bank information) must be kept secured at all times. This type of information cannot be left in full view of unauthorized individuals. Records with customer financial information are located in a number of areas, including, but not limited to, filing cabinets, folders, information from emails, information from phone calls whether verbal or written, binders, cash drawers, credit card machines, information in computer documents. Customer financial information, regardless of where the information is housed or how it is kept, is confidential and is not available to anyone except those who are authorized. AUM utilizes internal procedures and complies with policies developed by Auburn University to protect customer financial information including the Computer Access to Student Records policy.
  9. Prior to employment, AUM completes background checks as well as reference checks. Depending on the employee’s job responsibilities, additional signoffs for confidentiality may be required. System access is granted through an approval process to ensure that only authorized personnel have access.
  10. AUM’s information systems are located in an unadvertised datacenter. Physical protection methods used include code entry, lock and key, security cameras and an alarm system (both monitored by campus police). In addition, AUM enforces policies and procedures in regard to datacenter access to include third-party vendor access. A log is maintained for visitors who must be accompanied by authorized IT staff.
  11. AUM continually assesses risks and defines appropriate mitigation strategies. For example, risk assessments of customer PCI information are performed annually by a certified third party. Once any risks are identified, steps are taken to appropriately remediate the threat.
    The following is a list of potential threats to customer financial information that the Program is intended to mitigate:
    • Improper destruction of printed material that contains customer financial information
    • Improper storage of printed customer financial data information
    • Unauthorized alteration or destruction of customer information
    • Unauthorized viewing of printed or computer displayed customer information
    • Unauthorized use of a user's account and password
    • Unauthorized access to customer information or disclosure of information
  12. AUM has implemented methods and standards to protect its networks and information systems. These methods and standards are in line with University policies and industry standards and include plans to be proactive in handling security concerns. Security controls are periodically reviewed, and necessary action is taken to mitigate security risks. Such reviews include reviews of endpoint security measures, firewall configurations, and patch deployment. In addition, AUM periodically reviews its cyber-security training program to ensure that its employees are educated and properly equipped to identify and report potential IT threats.
  13. AUM utilizes Microsoft Exchange email as its primary means of communication with students as well as faculty and staff. Email is monitored for unwanted intrusions such as spam, viruses and malware. Automated tools are in place to monitor, block, and quarantine these offenses and to protect communications from various threats, including phishing and denial-of-service attacks. AUM also established and published mechanisms to address any phishing attempts or spamming of end users.
  14. AUM continually reviews its information security program in different areas, including reviews of endpoint security measures, review of existing and potential firewalls, and current business processes. Changes affecting IT systems, such as new equipment, or changes in business operations requiring changes in the IT environment are reviewed and evaluated prior to implementation.
  15. AUM established a standardized process for acquiring service providers. Vendors utilizing or providing IT solutions are reviewed by ITS and other university departments to ensure that any security concerns are discussed and addressed prior to integration. Such processes also include a risk evaluation on the service provider to determine the extent of the Certificate of Insurance (COI). AUM also requires certain service providers to provide Cybersecurity insurance as part of their COI.
  16. Individuals who deliberately violate AUM policies may be subject to disciplinary actions to include, but not limited to, contract termination, remedial actions in accordance with AUM human resource policies and procedures, judicial compliance and enforcement of the Student Discipline Code, or other civil and criminal liabilities.
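Items 3 and 6 above describe log capture rules (login failures on servers; account creation, modification, or deletion) and a procedure for periodically reviewing those logs. The following is an added illustration of what such a periodic review can look like in practice; it is example code written for this page, not AUM's own tooling or logs. It assumes syslog-style sshd and useradd/usermod/userdel lines, constructed hostnames, usernames and addresses, and a review threshold of three failures per server per review period (all of these are assumptions, not values from the program).

```python
"""Periodic review of server authentication and account-lifecycle logs.

Added example (not AUM's code). Parses constructed syslog-style lines, tallies
login failures per server and per source address, lists account creation,
modification and deletion events, and flags items that merit a closer look.
"""
import re
from collections import Counter

# Constructed sample log lines: hypothetical hosts, users and addresses.
SAMPLE_LOG = """\
Mar 03 08:01:12 srv-fin01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 03 08:01:15 srv-fin01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 03 08:01:19 srv-fin01 sshd[2201]: Failed password for jdoe from 203.0.113.7 port 51024 ssh2
Mar 03 08:02:40 srv-fin01 sshd[2210]: Accepted password for jdoe from 192.0.2.15 port 40011 ssh2
Mar 03 09:15:02 srv-fin02 useradd[3100]: new user: name=tempacct, UID=1042, GID=1042, home=/home/tempacct, shell=/bin/bash
Mar 03 09:16:30 srv-fin02 usermod[3105]: add 'tempacct' to group 'wheel'
Mar 03 10:00:01 srv-db01 sshd[410]: Failed password for root from 198.51.100.9 port 2222 ssh2
Mar 03 17:45:00 srv-fin02 userdel[3300]: delete user 'tempacct'
"""

# Timestamp and host prefix shared by both line types.
_PREFIX = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

FAILED_RE = re.compile(
    _PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
ACCOUNT_RE = re.compile(
    _PREFIX + r"(?P<tool>useradd|usermod|userdel)\[\d+\]: (?P<detail>.*)$"
)

# Assumed review threshold: failures per host per period that warrant follow-up.
FAILURE_THRESHOLD = 3
# Groups whose membership changes are always worth a reviewer's attention.
PRIVILEGED_GROUPS = ("wheel", "sudo", "root")


def parse_log(text):
    """Split raw lines into login-failure records and account-lifecycle records."""
    failures, account_events = [], []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append(m.groupdict())
            continue
        m = ACCOUNT_RE.match(line)
        if m:
            account_events.append(m.groupdict())
    return failures, account_events


def failures_by_host(failures):
    return Counter(f["host"] for f in failures)


def failures_by_source(failures):
    return Counter(f["src"] for f in failures)


def hosts_over_threshold(failures, threshold=FAILURE_THRESHOLD):
    """Servers whose failure count in this period reaches the review threshold."""
    return sorted(h for h, n in failures_by_host(failures).items() if n >= threshold)


def privileged_group_changes(account_events):
    """usermod events that add an account to a privileged group."""
    return [
        (e["ts"], e["host"], e["detail"])
        for e in account_events
        if e["tool"] == "usermod" and any(f"'{g}'" in e["detail"] for g in PRIVILEGED_GROUPS)
    ]


def review_report(text, threshold=FAILURE_THRESHOLD):
    """Summary a reviewer would read during the periodic log review."""
    failures, account_events = parse_log(text)
    return {
        "failed_logins": len(failures),
        "failures_by_host": dict(failures_by_host(failures)),
        "failures_by_source": dict(failures_by_source(failures)),
        "hosts_needing_review": hosts_over_threshold(failures, threshold),
        "account_events": [(e["ts"], e["host"], e["tool"], e["detail"]) for e in account_events],
        "privileged_group_changes": privileged_group_changes(account_events),
    }


if __name__ == "__main__":
    for key, value in review_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports three failures against srv-fin01 from a single source address (reaching the threshold), one against srv-db01, a same-day create/privilege/delete sequence for one account, and one privileged-group change; each of these is the kind of item the periodic review in item 3 exists to surface and the incident handling in item 6 would then pick up. Real deployments would read the log-capture application's export rather than an inline string and tune the threshold to the server's normal traffic.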

Designation of Representative:

AUM’s Chief Information Officer is designated as the Program Officer who is responsible for coordinating and overseeing the Program. The Program Officer may designate other representatives of the Institution to oversee and coordinate particular elements of the Program. Questions regarding implementation or interpretation of the Program should be directed to the Program Officer or his or her designee(s).

Definitions:

Customer Information – records containing non-public personal information about a customer, whether in paper, electronic, or another form that is handled or maintained by or on behalf of AUM or its affiliates.

Information Security Program – The administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

Service Provider – Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its direct provision of service to AUM.

Non-public Personal Information – Personally identifiable financial information and any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.