CMP 110: Information Security Plan for Northern Arizona University
To document the University Information Security Plan as required by the FTC for the administrative, technical, and physical safeguarding of customer information.
University policy, NACUBO Advisory Report 2003-01, Federal Trade Commission, Regulation of Commercial Practices.
Financial institutions, including colleges and universities, must meet a general standard in order to comply with the requirements of the Gramm-Leach-Bliley Act "to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards" appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer information at issue. The information security program developed should be flexible and designed to address the needs of the individual institution.
The final rules indicate that the objectives of the information security program should be:
to ensure the security and confidentiality of customer information;
to guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
I. The designated group for the coordination and execution of the Information Security Plan is the Information Security Committee of Northern Arizona University. All correspondence and inquiries should be directed to the Committee.
II. The following have been identified as relevant areas to be considered when assessing the risks to customer information (this list is meant to be as inclusive as possible but the policy is applicable to all university departments and their affiliates which collect financial information from their customers whether listed below or not):
Academic Departments (which collect financial data during payment of fees for affiliated programs)
III. The Information Security Committee will coordinate with various University Offices to maintain the information security program. The Information Security Committee will provide guidance in complying with all privacy regulations. Each relevant area is responsible for securing customer information in accordance with all privacy guidelines. A written security policy that details the information security policies and processes will be maintained by each relevant area and will be made available to the Information Security Committee or the Internal Auditor's office upon request. Such a policy would include procedures to physically and electronically protect both hard copy and electronic data. In addition, ITS will maintain and provide access to policies and procedures that protect against any anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information on the information systems it operates.
IV. The University's Contracting and Purchasing Services will be responsible for selecting which service providers will be given access to customer information in the normal course of business. All contracts with such service providers shall require that the service provider implement and maintain adequate safeguards for customer information. Contracts with service providers shall include the following provisions:
V. The Human Resources Office will be responsible for a component of all new employee training sessions which covers employee responsibilities to protect personal financial data. This training can be added to the existing training given on FERPA.
VI. This information security plan shall be evaluated and adjusted in light of relevant circumstances, including changes in the University's business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic auditing of each relevant area's compliance shall be done per the internal auditing schedule. Annual risk assessment will be done through the Internal Auditor's Office. Evaluation of risk of new or changed business arrangements will be done through the legal counsel's office.
NACUBO - Complying with Domestic Security Legislation
FTC Regulations on Commercial Practices
FERPA Web Site at NAU
FTC Gramm-Leach-Bliley Act web site