Financial Data and System Security
Last Update: June 2008
Responsible University Officer:
- University Controller
- Chief Information Officer
- Director of Financial Systems Support
Please go to http://policy.umn.edu for the most current version of the Policy or related document.
POLICY STATEMENT
Reliable financial information is essential to effectively manage the business of the University and protect its assets. A strong enterprise financial system management program is necessary to ensure the integrity of financial information. To maximize the value of the University's enterprise financial information, the University will:
- assign and clearly define responsibility and accountability for protecting the financial systems and their data against unauthorized use.
- enforce compliance with security and privacy laws, requirements, policies, procedures, standards, controls and security incident reporting and response.
- promote security measures that will maintain the integrity, confidentiality and availability of the data and systems.
- participate in a University-wide Security and Privacy Awareness Program.
Proper use of financial data and systems will be consistent with University mission, policies, and procedures. Inappropriate use, collusion and vandalism will be prosecuted by the University to the full extent that international, federal, state and local laws will allow.
Requests for policy exemptions must be made in writing to the Financial Security and Privacy Officer.
REASON FOR POLICY
The purpose of this policy is to establish security and privacy access requirements and standards to ensure acceptable use of information technology resources and integrity of the University's enterprise financial data and systems. This policy is intended to ensure that:
- Authorized individuals are granted appropriate system access to perform their duties while minimizing the risk of the financial data or systems being compromised.
- Authorized individuals properly use the enterprise financial data and systems.
- Authorized individuals properly maintain privacy and confidentiality of financial data and systems.
PROCEDURES
- Requesting Access to University Information (from Administrative Policy: Internal Access to University Information).
FORMS/INSTRUCTIONS
There are no forms for this policy.
ADDITIONAL CONTACTS
| Subject | Contact | Phone | Fax/Email |
|---|---|---|---|
| Primary Contact(s) | Darlene Anton | 612-624-8394 | d-anto@umn.edu |
| Returning Security Token | OIT Data Security, 660 WBOB, 1300 So. 2nd St., Minneapolis, MN 55454 | 1-HELP (612-301-4357) | x-secur@umn.edu; http://www1.umn.edu/datasec/security/index.htm; http://mkey.umn.edu/ |
| OIT Technology Helpline | | 1-HELP (612-301-4357) | help@umn.edu |
| University Financial Helpline | Financial Systems Support, 295 WBOB, 1300 So. 2nd St., Minneapolis, MN 55454 | 612-624-1617 | Fax 612-625-9841; fsshelp@umn.edu; http://www.fss.umn.edu/ |
| Financial Security and Privacy Office | Financial Systems Support, 295 WBOB, 1300 So. 2nd St., Minneapolis, MN 55454 | 612-624-1617 | Fax 612-625-9841; fsshelp@umn.edu; http://www.controller.umn.edu/controller_glba.htm |
| Training Services | 299 WBOB, 1300 So. 2nd St., Minneapolis, MN 55454 | 612-626-1373 | Fax 612-625-9841; trngsvcs@umn.edu; http://www1.umn.edu/ohr/est/ |
DEFINITIONS
- Authorized User
  - An employee, consultant, volunteer or other individual who needs access to University information to perform an activity on behalf of the University. The individual may have access to public or private information.
- Financial System User
  - An authorized user who has been granted access to enterprise financial data and systems.
- Data Owner
  - Individual who is responsible for the use and disposition of their respective data.
- GLBA
  - The Gramm-Leach-Bliley Act (GLBA) is a Federal law that requires "financial institutions" to ensure the security and confidentiality of customer personal information. The University has adopted an Information Security Program for certain highly critical and private financial and related information.
- Security Measures
  - Processes, software and/or hardware used by system and network administrators to assure the confidentiality, integrity and availability of computers, networks and data belonging to the University and to users of University computer and network resources. Security measures include the ability to review files for potential or actual policy violations and responsibility for the investigation of security-related issues.
- Security Incident
  - Any action that does not comply with security and privacy laws, contracts, measures, policies, safeguards, standards or procedures. Non-compliance can result in revocation of access privileges and disciplinary action, up to and including termination.
RESPONSIBILITIES
Policy Notes: Individual roles and responsibilities are defined below; however, the following responsibilities are shared by all:
- Know security and privacy responsibilities and participate in security and privacy awareness program activities.
- Report suspected security incidents to OIT Assurance and Security and the Financial Security and Privacy Officer. Respond to inquiries.
- Read, understand and comply with enterprise financial data and systems security and privacy policies, procedures, safeguards, guidelines and standards.
- Read, understand and comply with private data requirements, safeguards and standards.
- Authorized Individuals
  - Are in a position that requires not only compliance with data privacy and confidentiality security responsibilities but also honesty and integrity. Under Minnesota law, with certain enumerated exceptions, data on employees is private and may only be shared or disclosed as provided by the law.
  - Will refer all inquiries to their supervisor unless they have clear written authority from their supervisor as to what information they may provide. Minnesota Statutes, Sections 13.08 - 13.09 provide for civil liability and criminal penalties for unlawful disclosure or sharing of private data. Disclosing data includes sharing any information obtained in connection with the individual's employment in any manner outside the scope of the specified duties.
  - Must not remove nonpublic information from the work premises except as necessary to perform the individual's job, and only with their supervisor's permission. Failure to follow these procedures will lead to disciplinary action, up to and including termination.
  - Will take full advantage of data security and privacy training and resources made available.
- Data and System Owners
  - Ensure that the financial data and systems information security and privacy program is consistent with enterprise-wide security and privacy strategies and University mission, policies and procedures.
  - Ensure appropriate security and privacy resources and funding are in place to properly support the financial data and systems information security program.
  - In conjunction with OIT and the University privacy and security community, provide data security and privacy training and resources to University staff and faculty.
  - Ensure access to the financial data and systems is limited to those individuals with a University business need and that the access level is appropriate for the work to be performed.
  - Develop consistent roles and responsibilities for Key Contacts and RRC Managers.
  - Define consistent access roles for access to enterprise instances.
  - Ensure that security and privacy measures and standards are implemented and enforced in a manner consistent with University policies, procedures, standards and sound business practices.
  - Establish measures to ensure reliability and integrity of the data and systems; these measures include methodologies, change management and operational continuity planning.
  - Determine the sensitivity and criticality of the data based on University and legal definitions and contractual obligations.
  - Review relevant security incident management reports.
  - Ensure that a process is in place to retain or purge information according to University Records retention schedules.
- Financial Security and Privacy Office
  - Establish and manage the information security and privacy program, including policies, procedures, safeguards, requirements and controls, on behalf of business process owners/data owners and system owners.
  - Provide services to Key Contacts and RRC Managers.
  - Manage the financial security awareness program. Work with the University security and privacy community to incorporate security awareness into the University culture.
  - Serve as Information Security Coordinator for the University's GLBA Program.
  - Process and approve financial data and system access contracts for access to private data, high-risk financial activities, and central access roles based on established policies, business procedures and processes.
  - Oversee access roles of authorized users on an ongoing basis.
  - Originate and approve change requests for role-based access, including justification of the change, test results, appropriate documentation updates and business process/data owner approval.
  - Investigate problems and alleged security incidents and violations of policy and law, take appropriate actions and report on outcomes.
  - Refer security incidents to appropriate University offices such as the Office of the General Counsel, Office of Institutional Compliance, Internal Audit and the University Police Department for resolution or disciplinary action.
- Office of Information Technology (OIT)
  - Implement the enterprise data and systems security and privacy program, policies, procedures, standards, requirements and controls.
  - Publish and maintain access request forms and procedures for enterprise applications.
  - Build access roles in applications based on directives from the Data Custodians. Produce and maintain documentation and provide it to Data Custodians.
  - Provide Data Custodians with technical resources for proper oversight, maintenance and monitoring of access roles.
  - Provide security incident reporting and response.
  - In conjunction with the Data Custodians and the University privacy and security community, provide data security and privacy training and resources to University staff and faculty.
  - Ensure the OIT operational continuity plan is in compliance with University policy, standards and data owners' requirements.
  - Work with the University privacy community to incorporate security and privacy awareness into the University culture.
- Chief Financial Officers, Financial Cluster Directors, RRC Managers
  - Approve financial data and system access contracts for personnel access based on established policies, business procedures and processes.
  - Periodically review and authorize access rights to determine the continued business need for access roles at the level assigned to authorized users.
  - Consult with and respond to questions from the Financial Security and Privacy Officer on details of appropriate use of financial data and systems. Act as the focal point in conducting investigations of information technology non-compliance. Take necessary actions based on investigation outcomes and Financial Security and Privacy Officer directives.
  - Allocate resources to get the work done by aligning with access requirements.
  - Enforce University security and privacy policies, procedures and access agreements.
  - Ensure appropriate physical, administrative and technical safeguards are in place to protect private information.
  - Enforce security and privacy awareness activities, an ethical work environment and sound departmental security and privacy practices.
- Associate Vice President and Controller
  - Provide senior management level oversight and guidance on security and privacy management and the integrity, confidentiality and availability of financial data and systems.
  - Promote alignment of security and privacy initiatives with business priorities.
  - Ensure compliance with enterprise and business unit security policies and standards.
  - Receive reporting on security incident investigation outcomes.
  - Incorporate security and privacy awareness into the University culture.
- Supervisors/Department Heads
  - Determine access requirements for personnel to perform assigned job responsibilities.
  - Ensure training competencies are met for financial data and system access.
  - Process and authorize financial data and system access contracts for personnel access based on established policies, business procedures and processes.
  - Respond to questions of appropriate use of financial data and systems by their personnel. Evaluate security incident findings against personnel and take appropriate actions.
  - Enforce security and privacy awareness activities, an ethical work environment and sound departmental security practices.
  - Ensure personnel complete University of Minnesota data security training and relevant courses.
- Training Services
  - Administer the financial competency training program.
  - Verify satisfaction of training competencies.
  - Enforce access request standards and access agreements.
  - Incorporate security responsibilities and private data standards into training courses and materials.
APPENDICES
- Examples of Public, Private, and Confidential Information from Administrative Policy: Internal Access to University Information.
FREQUENTLY ASKED QUESTIONS
There is no FAQ for this policy.
RELATED INFORMATION
- Administrative Policy: Acceptable Use of Information Technology Resources
- Administrative Policy: Accessing U-Wide Banking Services
- Administrative Policy: Developing a Plan for Operational Continuity
- Administrative Policy: Internal Access to University Information
- Administrative Policy: Public Access to University Information
- Administrative Policy: Reporting and Notifying Individuals of Security Breaches
- Administrative Policy: User Authentication for Access to University Computer Resources
- OIT Data Security
- Privacy and Data Security at the University of Minnesota
Federal Laws
- GLBA
- Computer Fraud and Abuse Act, 1996
State Statutes
- Minnesota Government Data Practices Act, including Minn. Stat. § 13.055
- Minnesota Statutes § 325E.61
Other Related Information
- Safe Computing: Identity Theft
HISTORY
- Amended:
  - June 2008 - Policy completely revised to address the Enterprise Financial System rollout. Procedures and Appendices also updated to address EFS.
- Amended:
  - April 2007 - Exclusions corrected. FSS Security Officer changed to Financial Security and Privacy Officer. Contacts, definitions and responsibilities sections updated to reflect this.
- Amended:
  - June 2005 - Updated Exclusions section and Financial Data and Systems Owners appendix to include references to PeopleSoft Financials.
- Amended:
  - January 2004 - Added FFN Approvers Tutorial to Related Information.
- Amended:
  - September 2002 - Requesting Access, Change of Department, Leave of Absence and Terminating Authorized User eliminated and superseded by Procedures in Policy 2.5.2 - Internal Access to University Information. Updated Contacts and Responsibilities sections, and Financial Data and Systems Owners appendix.
- Amended:
  - August 1998 - Policy and Procedures updated to reflect the implementation of an integrated access form (AR001), a Termination/Transfer/Leave of Absence (LOA) and Partial Delete Form (AR002) and the CUFS access contract. These forms have replaced the Financial Reports (FSS002) and CUFSRDB (FSS003) access contracts, the Mainframe Access Request Form (DS001), the IDEA Reporting Database Access Request (DS002), the Dataset Profile/RACF Group Request Form (B-D/S004), and the CUFS Access Contract and Instructions. Updated Contacts and Responsibilities sections.
- Amended:
  - June 1998 - Defined "authorized individuals." Changed Policy reason to focus on access to systems by authorized individuals, rather than employees. Updated related information, appendices and procedures.
- Effective:
  - January 1998
- Supersedes:
  - Administrative Systems Security 1/93