Information Security Plan

Statement of Purpose

Federal Trade Commission (FTC) Regulation 16 CFR Part 314 requires financial institutions (including institutions that participate in the processing of financial loans, such as colleges and universities) to have security plans and practices to protect the confidentiality and integrity of personal consumer information. The plan must document the security systems and/or measures the institution has established to secure the nonpublic financial information of its customers.

The purpose of this document is to reaffirm the safeguards that have been established by the University to secure its administrative information systems, which store, transmit, retrieve, process and dispose of nonpublic financial, confidential, personally identifiable, trusted or otherwise protected information, against unauthorized use, intrusion or other security risks. This document serves as the foundation of the University information security program as required by FTC Regulation 16 CFR Part 314.

1. Information Systems

Information Systems

Information systems consist of the software, hardware and communication networks that are used to process, store, transmit, retrieve and dispose of data. Following are the administrative information systems that are used by the University for purposes relating to financial loan processing. These and other similar systems used by the University are subject to the FTC Safeguards Rule.

University Financial Systems

Student Information System
Financial Records System
Financial Aid System and EdeXpress

External Financial Aid Processing Systems

ED Connect
FAFSA On The Web
Luareatte Loan Servicer
Citibank
Key Bank
Fleet Bank
Teri Loan
Nellie Mae

Federal Government Sites and Facilities

COD Web Site
Enrollment and Financial Aid Data Clearing House Site
NSLDS Financial Aid Data Site
SAIG Reporting Site
FSA Information Site
US Dept of Education
Veterans Software Database
Monster FWS Database
IPADS Site

State of New Jersey Sites and Facilities

HESAA Site for Grants/Loans/Scholarships
NJASFAA and NASFAA
Common Database Site

Restricted Access

The following information systems contain data that may be nonpublic, financial, confidential, personally identifiable, trusted or otherwise protected. Access to these systems is therefore restricted. Authorization to access these systems or to use the data stored in them is granted by a designated data custodian.

Banner Student Information Systems

System                          Custodian
Undergraduate Admissions        Admissions Office
Graduate Admissions             School of Graduate Studies
Shared Data                     Student Records Office
Records and Registration        Student Records Office
Financial Aid                   Financial Aid Office
Student Receivables             Bursar's Office
Academic Advising               Advising Office

Banner Human Resource Systems

System                          Custodian
Payroll                         Payroll Office
Labor Distribution              Office of the Dir. of Budget
Personnel Records               Human Resources Office
Benefit Record                  Human Resources Office

Banner Alumni and Development Systems

System                          Custodian
Advancement Records             Alumni and Development
Alumni Records                  Alumni and Development

Banner Finance Systems

System                          Custodian
Financial Account               Office of the Dir. of Budget
Accounts Payable                Office of Accounts Payable
Purchasing                      Purchasing Office

Computing Systems

System                          Custodian
Email Systems                   Information Technology Services
Library Management System       Office of the Director of the Library
CBORD Board and Debit System    Bursar's Office
Central Stores                  Central Stores
Academic Facilities and Systems Information Technology Services
Course Management Systems       Information Technology Services
Fixed Asset Inventory           Office of the Controller
Housing Management Systems      Office of Housing and Residential Life
Facilities Maintenance Systems  Office of Plant Management

2. Safeguarding Information Systems

Information System Safeguards

Following are the practices and security measures that have been established by the University to safeguard its administrative computing systems.

Information Systems Control

Nonpublic information (i.e., data that is confidential, personally identifiable, proprietary, trusted or otherwise protected) obtained through University administrative software systems must be treated as confidential, and may only be used in connection with a person's job responsibilities.

Information obtained through the University's computerized administrative systems is the property of Stockton University and shall not be disclosed to persons outside of the University unless authorized by the designated data custodian, or to persons within the university unless such information is needed in their job assignments.

The disclosure of nonpublic student information is specifically governed by the Family Educational Rights and Privacy Act (FERPA) and such information cannot be released to a third party without the written consent of the student. The disclosure of nonpublic financial information is specifically governed by the FTC regulation.

Requests to access the University's administrative software systems for the purpose of viewing, updating and processing data must be approved by the person who serves as custodian of the system. Users who have been granted access to systems must follow appropriate data control procedures to verify system integrity and accuracy of data.

To better address the elements and objectives of the Gramm-Leach-Bliley Act (GLBA) and FTC Regulation 16 CFR Part 314, the internal plans and practices described below have been developed.

Data Control

Data control procedures are used to verify that the integrity of data files has not been compromised as a result of batch or on-line processing.

It is the responsibility of on-line users who maintain institutional data to develop data entry procedures that minimize data entry error. Further, on-line users must develop appropriate data control procedures to assure the accuracy and integrity of institutional data files.

It is the responsibility of any office conducting batch or on-line processing of institutional data files, particularly those which involve updating (i.e., changing, adding, or deleting) data, to establish and follow appropriate data control procedures.  Data control procedures must at a minimum:

  1. Verify the reliability and integrity of data using sound, well-defined verification methods, for example hashing, or sampling against previously arrived at manual calculations or results.
  2. Additionally, processes that update data in mass should be run first with a "no update" option or should be tested in non-production environments.
  3. Provide thorough documentation regarding the procedures that employees must follow in processing data and verifying the correctness of processing.
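As an added illustration of the data control procedure above (this is example code, not part of the University's plan or its Banner processes), the following batch update hashes the data file before and after processing, reconciles record counts and control totals, checks a sample of records against manually pre-computed results, and supports a "no update" dry-run mode. The CSV input, the flat-fee update rule and the expected sample values are all constructed for the example.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample input (student receivable balances); not real data.
SAMPLE_CSV = "student_id,balance\n1001,250.00\n1002,0.00\n1003,1200.50\n"

# Constructed update rule: a flat fee posted to every balance.
FEE = Decimal("25.00")

# Results worked out by hand beforehand for a sample of records, i.e. the
# "previously arrived at manual calculations" the procedure asks for (assumed).
EXPECTED_SAMPLE = {"1001": Decimal("275.00"), "1003": Decimal("1225.50")}


def sha256_hex(text):
    """Hash of the data file, recorded before and after processing."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def load_records(text):
    return [dict(row, balance=Decimal(row["balance"]))
            for row in csv.DictReader(io.StringIO(text))]


def dump_records(records):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["student_id", "balance"],
                            lineterminator="\n")
    writer.writeheader()
    for r in records:
        writer.writerow({"student_id": r["student_id"],
                         "balance": f"{r['balance']:.2f}"})
    return buf.getvalue()


def control_totals(records):
    """Record count and sum of balances, used to reconcile before/after."""
    return len(records), sum((r["balance"] for r in records), Decimal("0"))


def apply_fee(records, fee):
    """The mass update itself (constructed rule)."""
    return [dict(r, balance=r["balance"] + fee) for r in records]


def run_batch(text, fee, expected_count, expected_sample, no_update=True):
    before_hash = sha256_hex(text)
    records = load_records(text)
    count, total = control_totals(records)
    if count != expected_count:
        raise ValueError(f"record count {count} != expected {expected_count}")

    updated = apply_fee(records, fee)
    new_count, new_total = control_totals(updated)
    # Every record gains exactly one fee, so totals must reconcile precisely.
    if new_count != count or new_total != total + fee * count:
        raise ValueError("control totals do not reconcile after update")
    # Sampling check against the manually computed results.
    for r in updated:
        sid = r["student_id"]
        if sid in expected_sample and r["balance"] != expected_sample[sid]:
            raise ValueError(f"sampled record {sid} differs from manual result")

    if no_update:
        # Dry run: all checks performed, source data left untouched.
        return {"mode": "no-update", "before_hash": before_hash,
                "after_hash": before_hash, "output": text,
                "count": count, "total": total}
    out = dump_records(updated)
    return {"mode": "update", "before_hash": before_hash,
            "after_hash": sha256_hex(out), "output": out,
            "count": new_count, "total": new_total}
```

The returned hashes and totals are what an office would record in its data control log for the run.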

Data Backup

University electronic documents and records (data) that are stored on systems managed by Information Technology Services are routinely copied to backup storage devices and to AWS. Backups are made to safeguard data against storage equipment failure or accidental data loss and to provide reliable recovery of data. Safeguarded data are backed up to devices other than the source device. Some systems are backed up in real time, effectively creating a duplicate copy of the data. The critical data that are duplicated in real time are also copied daily to another storage device as an added precaution. Backups of critical data that may be needed for disaster recovery purposes are taken to an off-site storage facility. These backups are retained for a limited period of time, usually several weeks.

In addition to safeguarding data against equipment failure or accidental loss, it is important to preserve certain institutional data for possible future reference and use. Data archives are preserved snapshots of data at a point in time. It should be noted that restoring archived data can be an involved and time-consuming process. Information system upgrades occur periodically, and these upgrades do not always recognize earlier versions of the same system. Accordingly, the restoration of archived data may involve rebuilding an earlier version of a system or writing a program to extract the needed data.

Security

Appropriate safeguards must be taken to ensure the integrity and reliability of the University's institutional data resources. Offices maintaining institutional data on PCs are responsible for establishing and following appropriate data security practices. All backup media containing confidential or sensitive data must be stored in a physically secured area or encrypted using a strong password or key. The Division of Information Technology Services is responsible for safeguarding institutional data that resides on the University's central computing facilities. Systems containing confidential or sensitive information must require users to authenticate themselves using industry-accepted account and password authentication methods. Access to systems and/or data is granted by the relevant data owner and, by proxy, any delegated data custodian. Security controls are evaluated and user access reviews are conducted by the information security team at the request of the relevant data owners/custodians, and periodically as part of ongoing operational security initiatives.

Account Security

Faculty and staff may be given access to administrative computing accounts, as needed, in accordance with their job responsibilities. Computer accounts are requested in writing. All users are required to abide by the University's Standards Concerning the Acceptable Usage of Computing and Communication Facilities. These standards, which are posted on the University's web site, address the acceptable usage of computing facilities and the responsibility of account holders for data confidentiality.

In accordance with the University's Standards Concerning the Acceptable Usage of Computing and Communication Facilities, only persons authorized by the Chief Information Officer may be granted computing accounts. Access to and use of administrative computing facilities may be granted to appropriate personnel by the Chief Information Officer or by the recognized custodian of the data for which access is requested.

Account Practices:

  1. The use of group or shared accounts should be avoided.
  2. Passwords for administrative computer accounts are automatically expired every 180 days.
  3. Passwords for Oracle accounts are automatically expired every 90 days.
  4. Computer accounts that permit access to administrative or other protected data are reviewed and access de-provisioned whenever account holders resign their position, retire, or otherwise leave the University.

Network and System Security

Network systems must be designed to reasonably limit the risk of unauthorized access to administrative information systems. Additionally, appropriate safeguards must be in place to monitor network security and respond to potential attempts to breach security. Access restrictions are imposed on users who access the University's computing facilities via the Internet. Users with privileged computer accounts (system administration accounts) or accounts that permit direct update access to administrative information systems must use virtual desktop infrastructure (VDI) or a virtual private network (VPN) when accessing systems via the Internet. Faculty or staff requiring access to systems via VPN or elevated VDI must request access through the Division of Information Technology Services. Access cannot be provided where, in the judgment of the Chief Information Officer, such access may compromise system security. The transmission of confidential or sensitive data over the Internet to web-based applications or servers must utilize trusted communications protocols, such as TLS.

Administrative Applications Security

Banner, which is used to support the University's administrative operations, provides user account, online form, data element and data value security that is capable of selectively restricting persons from updating or viewing database elements. The Division of Information Technology Services administers security for the University's administrative computing systems, excluding system-level security associated with financial records and human resource systems, which is administered by the Office of Budget and the Office of Human Resources, respectively.

The Division of Information Technology Services maintains training, test and production (live) versions of administrative (Banner) software systems. Users are issued individual accounts to production versions of these systems. The use of shared accounts on production systems is not permitted. Programmers and other authorized Division of Information Technology Services staff responsible for maintaining application software systems are granted online application access accounts to production, test, and training systems. Programmers and other authorized Division of Information Technology Services staff may be granted limited access to production system data that are used to configure and control system processes. Division of Information Technology Services staff that are granted access to data must carefully observe security standards and practices.

Access to administrative systems' source code, executables, command files and data files is strictly controlled. Users must only be permitted access to data through the online application system interface. User access at the operating system level is not permitted unless it is unavoidable and necessary to perform assigned job duties. User access at the database level is likewise prohibited. Programmers, operators or other technically qualified personnel assigned to a functional area may be given access to production, test and training files and programs at the operating system or database level for the sole purpose of conducting their assigned duties. The custodian of the application system must be informed of any changes to production systems made by Information Technology Services staff. Changes to source code, including patches supplied by the vendor, must be tested by end users in a non-production environment and approved by the designated system custodian prior to being moved to a production system by Information Technology Services staff.

Integrity Assurance Controls

The following are examples of controls that must be followed to ensure application system integrity:

  1. Changes to Banner must first be made on the test version prior to their transfer to production systems.
  2. Users must develop testing data and testing acceptance procedures.

Separation of Responsibility

The following practices, which ensure separation of duties, must be observed:

  1. All official documents, such as transcripts or diplomas, must be stored, controlled and accounted for by the designated system custodian.
  2. All official documents must feature appropriate confidentiality warnings/statements.
  3. All runs involving negotiable paper must take place in a physically secured location during weekday shifts with at least two people present.
  4. Division of Information Technology Services personnel must not run update processes or change data on production systems unless specifically directed to do so by the appropriate data custodian. Changes are coordinated between data custodians, information security, and the Banner application programming team.
  5. All production jobs must be requested by user offices and approved by data custodians.
  6. Changes to application systems may not occur without written user request and approval of data custodian.
  7. No user may authorize their own access (i.e., serve as the signatory on their own access request form), with the exception of the Chief Information Officer or the University President.

Physical Security

The University's central computing resources are located in a centralized location on the main campus. Equipment and wiring that support the University's communications networks are located throughout the campus in communications and wiring closets. Access to these facilities is restricted to Division of Information Technology Services staff, facility management, and campus security personnel in the conduct of their assigned duties.

Use, Storage, and Disposal of Confidential Materials

Printed materials that contain confidential or sensitive information must be properly filed. They must be stored in secured areas where access is limited to authorized personnel. Personnel who are granted access to confidential or sensitive information must take measures to guard against casual viewing by others. PC monitors must be shielded from public view. Care must be taken to prevent unauthorized persons from using the computer. Authorized personnel must, for example, sign off administrative applications or lock and password-protect their computer displays when they are away from their work area.

  1. Printed copies of confidential or sensitive information must be handled by authorized personnel and kept in areas with restricted access. Additionally, printed materials must not be left in the open on unattended desks for extended periods of time.
  2. Materials and/or reports that contain confidential or sensitive information are to be disposed of in a manner that safeguards against unauthorized disclosure of information.
  3. When computers are relocated for use within the University, confidential data is removed. The University periodically contracts for the destruction and removal of decommissioned servers, hard disk drives, and other technology containing sensitive information.
  4. University-issued laptops are configured to automatically encrypt data stored on the hard disk drive.

Payment Card Data Security

Offices processing credit and other payment cards through manual or automated means must fully comply with the Payment Card Industry Data Security Standard (PCI DSS). The automated processing of credit and other payment cards must be made through trusted, PCI-DSS and PA-DSS compliant, third-party payment processors. Cardholder data* must not be stored locally in an electronic format. Additionally, cardholder data must not be transmitted over non-secured channels. The transmission of cardholder data via email or other messaging applications is not permitted. Cardholder data may only be stored in hard copy, and hard copy documents must be classified as confidential and physically secured. Further, the moving and transport of hard copy documents containing cardholder data must be authorized by management, and the documents transported securely in a manner that provides for tracking of the data during transport. Media containing cardholder data must be properly destroyed when it is no longer needed for business or legal reasons.

Employees who have administrative responsibility for credit and other payment card processing may be granted access to third-party payment processing sites to oversee payment processing and view remotely stored cardholder data. The computers used to access third-party payment sites must not be equipped with a wireless interface, must automatically apply security and virus protection updates, must log security-related events, must communicate using strong cryptography and security protocols (e.g., TLS), and must be located in a protected local area subnet that is restricted by a firewall from unauthorized access.

  * According to PCI standards: "At a minimum, cardholder data contains the full PAN [Primary Account Number, or credit card number]. Cardholder data may also appear in the form of the full PAN plus any of the following: Cardholder name, Expiration date, Service Code."

3. Safeguarding Personally Identifiable and Confidential Information

Safeguarding Personally Identifiable and Confidential Information

For the purposes set forth in this document, the University's computing and communication facilities include all computing, video, data and telecommunication hardware and software systems owned, leased, or granted to the University.

Personally Identifiable Information

Personally Identifiable Information (PII) refers to any data that identifies, or can be used to identify, contact, or locate, the person to whom such information pertains. This includes data that is used in a way that is personally identifiable, including by linking it with identifiable information from other sources, or from which other personally identifiable information can easily be derived, including, but not limited to, name, address, phone number, fax number, external email address, financial profiles, social security number, driver's license number and credit card information.

Administrative Data

Administrative data refers to any data that are collected, maintained and used on administrative information systems that support the operations of the University.

Confidential Data

Confidential data refers to any data pertaining to individuals or the University that is sensitive, private, or of a personal nature, or data that is protected under a confidentiality agreement, regulation, law, or University procedure.

Institutional Data

The use of the term “institutional data” hereafter within this document is meant to refer to all personally identifiable information, administrative data or confidential data residing or accessible through the University’s computing and communication facilities, or any facility, service or device (privately owned, leased, or granted) containing data created by the University or entrusted to the University.

Guidelines for Safeguarding Personally Identifiable and Confidential Information

Authorized use of and access to the University's computing and communication facilities is intended and permitted solely to support the legitimate educational, administrative and mission-centered programs of the institution. Authorization for the use of and/or access to the University's computing and communication facilities is granted by the Chief Information Officer and by the Director or supervisor of the organizational unit that is the recognized steward and custodian of the data for which access is requested.

Personally Identifiable Information

Access to administrative data may be granted to individuals for the purpose of enabling them to fulfill specific job duties or contracted services, or in furtherance of legitimate University business. Custodianship of data that is maintained on the University's primary administrative information systems is detailed in Section 1 above.

Institutional Data

Anyone who has access to institutional data must act to properly safeguard such data against unauthorized or accidental disclosure to a third party.

Specific Guidelines

Following are specific guidelines for the proper protection of institutional data. If you have any questions concerning data security, please contact Information Technology Services.

Secure Access and Storage of Institutional Data

Institutional data must be protected from unauthorized access or accidental disclosure. Access to institutional data must, to the extent possible, be restricted using strong passwords (e.g., a password of more than 8 characters, including special characters and numbers). Enterprise communication systems, including email, may contain privileged, sensitive, confidential, and/or personally identifiable information (PII). As such, the duplication and/or exfiltration of institutional data having any of the aforementioned properties is strictly prohibited, and may constitute a violation of federal regulations including FERPA and HIPAA.

Securing Institutional Data on Backup or Removable Storage Devices

Employees may, for specific job-related purposes and with the approval of the appropriate data custodian, copy or create and store institutional data on a removable storage device, PC, mobile device, or cloud-based or remote facility.

Removable media and mobile devices containing institutional data should always be kept in a place that is safe from theft, unauthorized access or accidental disclosure. Employees or other authorized personnel must take care to promptly remove institutional data that has been placed on desktop or portable computers, removable media, or cloud-based or remote facilities when the data is no longer needed for the specific purpose.

Device Access Security

Desktop and mobile devices that contain or provide access to institutional data must be password protected against unauthorized access. These computers and devices should be shut down when not in use for extended time frames. Additionally, they should, when possible, be configured to require password re-authentication after no more than 20 minutes of inactivity.

Encrypting Institutional Data

Information Technology Services provides encrypted remote connectivity services (VPN/VDI) for authorized University personnel. Institutionally issued laptops are configured to automatically encrypt their hard disk drive(s). End users are typically not provided with administrative credentials. Exceptions are reviewed and authorized by the Associate Director for Information Technology Services.

Secure Transmittal of Data

Institutional data may only be transmitted to or from an external site, including external email accounts, for specific job-related purposes. Institutional data that are electronically transmitted to or from an external site, including an external email account, should be securely transmitted. When transmitted via email, institutional data should be encrypted, password protected and sent as an attachment to the email message. The password for the encrypted attachment must always be transmitted under separate cover, or via telephone or voicemail. Some employees may, for specific job-related purposes, need to transmit institutional data to a third party (e.g., financial loan processor, bank, credit union, transfer institution). Whenever institutional data is transmitted to a third party, it must be transmitted via a secure communication protocol, such as TLS or Secure FTP. Contact Information Technology Services if you have questions concerning the secure transmittal of data.

Securing Paper Files

Institutional data that is kept in hard copy form must also be secured and protected. These data should be stored in a location that prevents unauthorized or accidental disclosure.

Effective Measures for Securing Institutional Data on Mobile Devices

Because of their portability, mobile devices are more susceptible to loss and theft. Following are specific measures that should be observed to secure institutional data on mobile devices (privately or University owned) that contain institutional data. If you need assistance with any of these measures, please contact Information Technology Services.

  • Physically secure your device. Keep it with you or in a secured location.
  • Enable strong device passcode protection features and select a passcode or PIN that is difficult to guess.
  • Enable the mobile device idle timeout (e.g., 5 minutes) and other device-specific locking features, where possible.
  • If available, enable the feature that erases data after 10 failed passcode attempts.
  • Delete any institutional data from the device when it is no longer needed.
  • Enable whole-device encryption, if your device is so equipped. All institutionally issued Windows-based laptops are automatically configured to encrypt the data on their hard disk drive(s).
  • Enable and configure device tracking features (e.g., the Find My iPhone service).
  • Keep software up to date to protect against hacking attempts.
  • Minimize the number of apps on your device, and only load apps or software that come from a trusted source.

Reporting Lost or Stolen Devices or the Suspected Disclosure of Institutional Data

If you know or suspect that University property or a privately owned device containing institutional data has been lost or stolen, promptly contact the campus police department. Additionally, if employed by Stockton, promptly notify your unit manager of the incident. Information Technology Services can attempt to remotely locate your device and wipe email (or other data, if possible) from it. Most mobile devices store passwords for apps. To prevent unauthorized access to your data and accounts, contact the Information Technology Services Help Desk at 609-652-4309 and request a password reset as soon as possible.

4. Responding to Information System Security Threats

Information Security Threats

Following are measures that should be taken to protect against security threats.

Evaluate Suspected Security Breaches

Suspected security breaches must be reported to the University's Chief Information Officer. The information security team conducts investigations based on reported and detected incidents. The Chief Information Officer leads the evaluation of suspected security breaches that may have disclosed protected information. The Division of Information Technology Services will assist the officer in charge of risk management in the evaluation.

Notify Affected Persons

In cases where the University affirms that nonpublic information, as defined under FTC Regulation 16 CFR Part 314, has been disclosed to an unauthorized party, the University must promptly notify any affected person.

Conduct Periodic Security Review

On an annual basis, the University's network and administrative systems should be tested to determine whether they meet industry standards for access control and security.