107 - Customer Financial Record Safeguards

Title

University of North Carolina at Chapel Hill Finance Policy 107 - Customer Financial Record Safeguards

Introduction

Purpose

This program was created in order to protect customer information and comply with the safeguard provisions of the Gramm-Leach-Bliley Act (15 USC, Subchapter 1, sec. 6801-6809) and the rules promulgated thereunder by the Federal Trade Commission.

Objectives

  • Ensure the security and confidentiality of customer records and information.
  • Protect against anticipated threats to the security and/or integrity of such customer records and information.
  • Guard against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
  • Comply with the Gramm-Leach-Bliley Act and the rules promulgated thereunder by the Federal Trade Commission.

Higher education institutions that are in compliance with the Family Educational Rights and Privacy Act (FERPA) (20 USC, Chapter 31, 1232g), while exempt from some aspects of the Gramm-Leach-Bliley Act, are not exempt from the safeguarding regulations. The final rules on Safeguarding Customer Information do not exempt educational institutions [67 Fed. Reg. 36484 (May 23, 2002)]. Therefore, such institutions must adopt an information security program by May 23, 2003.

Policy

Policy Statement

This program primarily applies to customer financial records related to student loan programs administered by the University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University").

I. Program Coordination

Designated representatives from the University Cashier's Office (UCO) and the Office of Scholarships and Student Aid (OSSA) (the "Coordinators") coordinate the Information Security Program (the "Program"). The Program includes input from other UNC-Chapel Hill departments, including the Office of University Counsel (OUC) and Information Technology Services (ITS).

The Coordinators provide and sponsor training and guidance in complying with safeguards regulations. The Office of the University Registrar provides training and guidance in complying with FERPA. The training is online on the University Registrar's website.

Considerations

In order to protect customer information and data, and to comply with relevant federal laws, the Internal Auditor's office and OUC propose certain practices regarding the University's maintenance and safeguarding of customer financial information. These practices affect the University areas that interact with such data.

Each University department is responsible for securing customer information in accordance with all privacy guidelines. Additionally, a written security policy and procedure document that details the information security policies and processes is maintained by each relevant area and will be made available to the Coordinators or Internal Auditor's office upon request.

Annual Review

The Program Coordinators maintain an annual review checklist to facilitate efficient and effective review of this program. Some specific elements of the program have been identified in this document as items to be addressed annually and will be part of the checklist.

II. Safeguards for Securing Customer Information

Each relevant area adheres to the following plan directives:

A. Employee Management & Training

Employees have access to customer information in order to perform their job duties. This includes permanent and temporary employees and work-study students, whose job duties require them to access customer information or work in a location where there is access to customer information.

1. Hiring Employees

The University exercises great care to select well-qualified employees. Hiring supervisors review applications, carry out interviews and check references before making their final selection. The Office of Human Resources then performs background checks for every selected applicant before an offer of employment is made.

2. Work-Study Students

Students eligible to participate in the Federal Work-Study program view online job descriptions posted by hiring supervisors. Supervisors are required to complete an online orientation session before gaining access to the website. Confidentiality and safeguarding of information is reviewed during the supervisors' orientation as well as the student orientation prior to the first day of work. After the student interview and hiring process is complete, the supervisor provides the student with an interoffice orientation agreement as detailed in the orientation session. The agreement states the confidentiality requirement.

3. Permanent Employees & Temporary Employees

Before receiving access to ConnectCarolina, all employees must complete FERPA training and accept the ConnectCarolina Terms of Use. The Office of the University Registrar conducts FERPA training. Detailed information about our FERPA training can be obtained online on the University Registrar's website.

4. Safeguards Training Documentation

All employees can access guidance articulated in "Maintaining the Security, Confidentiality & Integrity of Customer Information." The supervisor reviews the guidance with the employee, before the employee begins work.

5. Ongoing Training

Periodically, employees will take part in FERPA and Safeguards training, as a refresher (Item to be on the annual review checklist). The OSSA FERPA annual review document is located on the OSSA and UCO intranets, respectively.

6. Access to Customer Information

Only employees whose job duties require them to access customer information are allowed to have access.

7. Disciplinary Measures for Breaches

Breaches of information security will result in disciplinary action up to and including dismissal, depending upon the nature and severity of the breach. All accidental breaches should be reported to one or both of the program coordinators, as well as to Internal Audit or OUC, and rectified as soon as possible. Employees and work-study students are encouraged to report any suspected intentional and/or malicious breaches to one or both of the Program Coordinators, Internal Audit, or OUC. Please also see the UNC-Chapel Hill Information Security Incident Management Standard for additional information.

B. Information Systems

The security of customer information must be maintained throughout its life cycle from creation to disposal.

1. Paper Storage Systems

Access safeguards are outlined in the document "Maintaining the Security, Confidentiality & Integrity of Customer Information."

Additional Safeguards: Storage and work areas are monitored by video cameras. Executed promissory notes are stored in fireproof file cabinets.

Customer files are stored so as to minimize damage in the case of flooding.

2. Computer Information Systems

ITS provides centralized network security services and maintains and provides access to policies and procedures that protect against anticipated threats to the security or integrity of electronic customer information and that guard against the unauthorized use of such information. Those policies, procedures, and guidelines are located on the UNC-Chapel Hill ITS website.

Both OSSA and UCO primary administrative systems are maintained by ITS. Access to these systems requires acceptance of the ConnectCarolina Terms of Use.

ITS cannot provide security guarantees for systems they do not maintain.

3. Customer Information Disposal

The University provides for confidential disposal of documents through its Office of Waste Reduction and Recycling. Obsolete confidential documents are placed in recycling containers in secure areas and marked confidential before being transferred to the recycling center.

In addition, the University contracts with an outside agency to perform the same service in the Vance/Pettigrew buildings and SASB for the UCO. This outside contractor provides secure recycling containers.

University departments are responsible for following the standards for media disposal described in the UNC-Chapel Hill Information Security Controls Standard.

The University archives customer transaction information as necessary, and in accordance with the policies established by the University Archives and Records Service. See the UNC-Chapel Hill Records Management Policy.

Customer information is disposed of in accordance with this Section II.B.3 when it no longer serves a business purpose.

C. Managing System Failures

1. Written Contingency Plans

See Business Continuity Planning documents prepared by the University with the assistance of Kroll Consulting, in 2003.

See also the UNC-Chapel Hill Emergency Management Policy.

2. Centralized Protection from E-Invasion

Appropriate University Information Technology units maintain security patches that resolve software vulnerabilities and provide anti-virus software. The University operates on a flat network. The University employs intrusion detection systems and network traffic filtering at the border between the University and the Internet. Additionally the University network is constantly monitored for network anomalies. Sensitive Workstation Control Standards are located online in the University's Information Security Controls Standard.

3. System Back-ups

System back-ups are addressed in the UNC policies referenced in the previous section. Departments are responsible for backup of the computing systems that they maintain.

4. Security Breaches

In addition to the disciplinary actions required above, in the event that information security is compromised, a prompt report will be made to any customers who may have been affected.

D. Service Providers

1. Contracts
  • The University will select appropriate service providers that are given access to customer information in the normal course of business and will contract with them to provide adequate safeguards. In the process of choosing a service provider that will have access to customer information, the evaluation process must include the ability of the service provider to safeguard customer information. Contracts with service providers must include the following provisions:
    • explicit acknowledgment that the contract allows the contract partner access to confidential information;
    • specific definition of the confidential information being provided;
    • stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
    • guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract;
    • guarantee from the contract partner that it will protect the confidential information it accesses according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information;
    • provision allowing for the return or destruction of all confidential information received by a contract partner upon completion or termination of the contract;
    • stipulation allowing the entry of injunctive relief without posting bond in order to prevent or remedy breach of the confidentiality obligations of the contract;
    • stipulation that any violation of the contract's protective conditions amounts to a material breach of contract and entitles UNC-Chapel Hill to immediately terminate the contract without penalty;
    • provision allowing auditing of the contract partners' compliance with the contract safeguard requirements; and
    • provision ensuring that the contract's protective requirements must survive any termination agreement.
  • All contracts with service providers must be reviewed and amended as necessary to ensure that external service providers agree to observe our high standards of information security. OUC must monitor this process. Contracts will not be approved with providers that cannot maintain appropriate safeguards, as enumerated above.

2. Relevant Current Contracts at UNC-Chapel Hill
  1. ECSI
  2. Shred It
  3. Williams & Fudge
  4. Radius
  5. Todd, Bremer and Lawson
  6. Nelnet
  7. eOscar
  8. Experian
  9. Equifax
  10. Flywire

3. Monitoring

This information security plan is evaluated and adjusted in light of relevant circumstances, including changes in the University's business arrangements or operations, or as a result of testing and monitoring the safeguards. Periodic auditing of each relevant area's compliance is completed per the internal auditing schedule. Annual risk assessment will be done through the Internal Auditor's office. Evaluation of the risk of new or changed business arrangements will be done by OUC.

The Program Coordinators will periodically consult with relevant offices and providers to ensure that they have complied with the information security requirements of the contract.

Exceptions

None.

Additional Information

Special Situations

None.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Policy Contacts

Subject: Designated Information Security Program Coordinator
Contact: Associate Provost & Director of Scholarships and Student Aid
Telephone: 919-962-8396
E-Mail: aidinfo@unc.edu

Subject: Designated Information Security Program Coordinator
Contact: Cashier's Office
Telephone: 919-962-1368
E-Mail: deahn@unc.edu

Details

Article ID: 131365
Created
Thu 4/8/21 9:07 PM
Modified
Tue 2/28/23 3:06 PM
Effective Date
09/13/2019 12:00 AM
Issuing Officer
Issuing Officer Title
University Cashier
Last Review
02/28/2023 12:00 AM
Last Revised
02/28/2023 12:00 AM
Next Review
02/19/2024 12:00 AM
Origination
05/23/2003 12:00 AM
Responsible Unit
Finance and Budget