Student Financial Data Security Program - Northern Michigan University

Details of the Student Financial Data Security Program, including the Incident Response Plan and risk assessment testing, will be available to personnel on an as-needed basis as determined by the CISO. The full detailed risk assessment test plan, risk assessment test results, incident response plan, and subsequent reports will not be made available to the public as they relate to the university’s ongoing security.  However, the requirements to be included are as follows:  

Risk Assessment Plan
NMU’s Risk Assessment is conducted under the guidance of the CISO. The CISO or designates will:  

1. Develop criteria for evaluation of the risk associated with student financial data;
2. Conduct a risk assessment of the confidentiality, integrity, and availability of student financial data, including the controls identified to mitigate foreseeable risks; and
3. Prepare a written assessment in response to the risks identified. The identified risks will be classified into those that will be accepted, and those that will be safeguarded with existing or enhanced technical and / or physical controls. 

Identification of Safeguards
NMU’s Student Financial Data Security Program identifies safeguards and controls to protect student financial data. At the direction of the CISO, the program includes, at a minimum, security practices to:  

1. Inventory the data, personnel, devices, systems, and facilities that fall under the security program. This includes identifying where student financial data is collected, stored, and transmitted;
2. Implement and assess access controls. Access controls may include technical and physical controls to authenticate and permit access to only authorized users; limiting user access to only the information needed to perform their duties; limit students to access only their own information; 
3. Protect by encryptions student financial information held or transmitted, or identify a mitigating control to protect held or transmitted student financial information;
4. Control practices for in-house developed applications used to store, access, or transmit student financial data. This will include procedures for evaluating and testing the security of in-house developed applications;
5. Implement multi-factor authentication for accessing any information system related to student financial data; exceptions must be specifically approved by the CISO.
6. Develop and maintain procedures for disposal of student financial information within two years after the data ceases to be necessary for business or regulatory purposes;
7. Govern procedures for change management;
8. Monitor and log the activity of users as necessary to detect unauthorized access or use of or tampering with student financial information.
9. Test or regularly monitor key controls, including actual and attempted attacks on or intrusions into NMU systems;
10. Continuously monitor to detect changes that may create vulnerabilities;
11. Conduct annual penetration tests of relevant systems;
12. Recommend and coordinate to ensure adequate user security awareness training;
13. Provide training to Information Technology personnel sufficient to address relevant security risks as well as review of the training received to ensure that it meets identified security threats;
14. Assess service providers to ensure that they, too, take reasonable steps to implement appropriate safeguards; and
15. Identify changes to the university’s business operations that could have a material impact on the security program.

Incident Response Plan
The Incident Response Plan, which is not specific to student financial data, must be in writing and available to those identified by the CISO. The written plan:  

1. States the goal of the plan, namely to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of data;
2. Describes the process for responding to a security event;
3. Defines the roles, responsibilities, and decision-making authority;
4. Describes the external and internal communication and information sharing;
5. Identifies requirements for remediation of any weaknesses in information systems and associated controls;
6. Identifies the documentation and reporting required post event; and
7. Describes the evaluation required post event.

Annual Report to the NMU Board of Trustees
The CISO will report at least annually to the Board of Trustees. The report will summarize the overall status of, and compliance with, the Student Financial Data Security Program. In addition, the report will include any material matters related to the program, addressing issues such as risk assessment, risk management, control decisions, service provider arrangement, results of testing, security events, and management’s responses to material events.