Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014)


Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014) Comprehensive Information Security Program (Policy 04.72.11)

Purpose

Temple University, as mandated by federal law, requires each academic or administrative unit ("organization") that gathers, stores, maintains, transmits or otherwise handles personally identifiable information ("PII") to have written guidelines and procedures for safeguarding such information. PII is any personally identifiable information that is collected about an individual in connection with providing a product or service, unless that information is otherwise publicly available. Examples of PII include Social Security number, date and location of birth, financial records, driver's license information, or any other information on an application for a student loan or in connection with establishment of a gift annuity.

Pursuant to the University's Comprehensive Information Security Program ("CISP"), policy 04.72.11, each organization covered under the CISP is required to perform an assessment, at least annually, that evaluates the following:

- Risk of loss of PII
- Risk of unauthorized access to PII
- Safeguards in place to mitigate the risks of loss and unauthorized access

Safeguards

This review serves as your organization's compliance and risk assessment, and documents your present practices to protect PII. The University Privacy Officer will evaluate your submission and will schedule a meeting to discuss your assessment. If you have questions related to the completion of this assessment, please contact the University Privacy Officer.

While the guidelines and procedures listed in the CISP are considered a good baseline for compliance, they are not intended to be all-inclusive, due to the differences in the nature of each organization's use of and access to PII. As such, each organization is required to critically evaluate business processes, identify risks, and establish reasonable safeguards to protect data under its care. Carefully planned and successfully implemented safeguards generally reduce the risk of loss or unauthorized access.

The guidelines listed in the CISP for safeguarding PII are divided into three sections:

1. Administrative
2. Physical
3. Technical

This assessment evaluates all three types of safeguards.

Updates and notes for Fiscal Year 2013/2014

1. Temple University's Classification and Handling of Protected Data policy assigns a level of sensitivity to data and determines the extent to which it needs to be controlled and secured. Please review this policy at http://www.temple.edu/cs/policies/p61_classification_and_handling_of_protected_data.pdf
2. If you submitted a risk assessment last year, you may refer to it, but please complete and submit this year's version of the assessment, as some questions have changed.

Submission Instructions

The deadline for submitting this assessment to the University Privacy Officer is June 30th, 2014. The University Privacy Officer is working under the guidance of the Management Audit Committee and is required to provide a status of all submissions. Submissions received after the deadline may be indicated as late. All assessments are subject to review by the Management Audit Committee. Incomplete submissions will not be accepted; if you do not have an answer to a specific question, please respond appropriately (e.g. "No response", "Not considered", etc.), or contact the University Privacy Officer for clarification as needed.

Upon completion of this assessment, please do the following:

1. Review it with your organization head and supervisor, as well as the cognizant vice president or provost.
2. Send the completed assessment via email or TUsafesend to the University Privacy Officer on or before the deadline.
3. Print your assessment, sign it and obtain the necessary signatures, then forward it to the University Privacy Officer:

Leonard Nelson
The TECH Center, Room 408
1101 W. Montgomery Avenue
Philadelphia PA 19122
E-Mail: leonard.nelson@temple.edu
Direct Phone: 215 204-3192
Department Phone: 215 204-7077

Contact and Signature Sheet

Covered Unit Contact Information
Organization Name:
Organization Mailing Address:
Organization Phone Number:
Organization Fax Number:

Privacy and Security Liaison (the person completing this assessment)
Name:
Title:
TUid:
Position Control Number (PCN)*:
Direct Phone Number:
Email Address:

* The Position Control Number (PCN) can be obtained from the University's Organizational Chart at http://toch.temple.edu

Required Signatures
Privacy and Security Liaison / Date
Cognizant Vice President/Provost (or designee) / Date

I. General Regulatory and Policy Compliance Survey

The following survey is designed to determine whether your organization is covered by more than one regulation. At minimum, please answer Yes or No. If you answer Yes, please summarize the business need in one or two sentences.

1. FERPA Compliance [1]: Does your organization collect, store, process, transmit or otherwise handle student records?
2. GLBA Compliance [2]: Does your organization collect, store, process, transmit or otherwise handle nonpublic information in connection with an application for a student loan or in connection with establishment of a gift annuity?
3. HIPAA Compliance [3]: Does your organization collect, store, process, transmit or otherwise handle patient health information? (Indicate No if your organization does not collect anything beyond routine student or employee sick notes.) If yes, please indicate the name of your HIPAA Compliance Officer.
4. Social Security Number Usage Policy [4]: Do individuals in your organization collect, store, process, transmit or otherwise handle Social Security Numbers? Please list any federal, state, local or other business requirements for using SSNs.
5. PCI-DSS Compliance [5]: Does your organization store, process, transmit or otherwise handle credit card information?

[1] FERPA, also referred to as the Buckley Amendment, was enacted in 1974 and amended in 1990. The text of FERPA appears at 20 U.S.C. 1232g. Among other things, FERPA governs the privacy of student academic records. For more information see Temple University's Guidelines Pertaining to Confidentiality of Student Records (Policy Number 03.20.11) on the Temple University Policies and Procedures website.
[2] The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act ("GLBA"), is a federal law that, among other things, regulates the security and confidentiality of customer nonpublic personal information possessed by financial institutions. For more information see Comprehensive Information Security Program (Policy Number 04.72.11).
[3] The U.S. Department of Health and Human Services issued Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 ("Privacy Rule"), to establish a set of national standards for the protection of certain health information. For more information, see the TUHS Personal Health Information Privacy Practices Notice at http://www.templehealth.org/privacyhipaa.html
[4] Pennsylvania State Senate Bill No. 712 was enacted in 2005 to establish notification requirements for entities that experience a data breach that results in the exposure of private information. The bill includes definitions of personal information and has stipulations for when and how notifications are to be made. Of significance is the protection of Social Security Numbers. For information on Temple's SSN policy, see Social Security Number Usage Policy (Policy Number 04.75.11) and the Social Security Number Usage Procedures (Policy Number 04.75.12).
[5] The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

6. Identity Theft Program (Red Flags Rule) Compliance [6]
   (a) Does your organization receive consumer reports (i.e. credit reports) from any consumer reporting agency (such as Experian, TransUnion or Equifax) regarding the student or employee population that it serves?
   (b) Does your organization maintain/update any type of account for the student/employee population that it serves? (Banner student records can be considered covered accounts; see the footnote below for definitions relating to the Red Flags Rule.)
   (c) Does your organization update the contact information of students or employees on centrally managed systems (like Banner)?
   (d) Does your organization provide replacement OwlCards (Temple ID cards) to students or employees?
   (e) During the course of normal business, does your organization verify the identity of an individual before providing a service? If yes, please indicate how identity is verified for in-person visits, phone calls or other contact with individuals to whom services are provided.
   (f) Does your organization collect, store, process, transmit or otherwise handle student or employee photographs?

[6] The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. For more information please see Identity Theft Prevention Program (Policy Number 05.20.01). Red Flags definitions (extracted from the policy) are as follows:

DEFINITIONS

Defined terms in this Policy are intended to have the meaning ascribed to them by the FTC in the Red Flag Rules, as such Red Flag Rules may be amended from time to time, and shall be read consistently with the FTC's definitions. The following definitions have been modified according to the specific activities of the University covered by the Red Flag Rules.

1. "Account" means a continuing relationship established by a person with the University to obtain a product or service for personal, family, household or business purposes. Account includes: (a) an extension of credit, such as the right to make periodic payments to repay a student loan, or the purchase of property or services from the University involving a deferred payment; and (b) a deposit account.
2. "Covered account" means: (a) an account that the University offers or maintains that involves or is designed to permit multiple payments or transactions, such as a student account or Diamond Dollars account; and (b) any other account that the University offers or maintains for which there is a reasonably foreseeable risk to the account holder or to the safety and soundness of the University from identity theft, including financial, operational, compliance, reputation, or litigation risks.
3. "Credit" means rights granted by the University to defer payment of a debt; to incur debts and defer payment; or to purchase property or services from the University and defer payment therefor.
4. "Identity theft" means a fraud committed or attempted using the identifying information of another person without authority.
5. "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

II. Access List of Personally Identifiable Information [7]

In the table below, please mark with an X in the column labeled PII each type of PII that your organization collects, maintains, accesses, transmits, or otherwise handles. Under Source Key or Report Name, indicate the source of your organization's access to PII (see Source Key below; add to it as needed). If PII is provided in a report, please indicate the report name. Briefly indicate your organization's business need for the PII. If individuals in your organization obtain a particular type of PII from multiple sources, please add as many rows as necessary below the PII type.

SOURCE KEY: BANNER; COGNOS; eprint; DDB = Department Database; SS = Spread Sheet; PF = Source is a paper-based form; O = Other

| Type of PII | PII | Source Key or Report Name | Business Reason/Justification |
|---|---|---|---|
| Social Security Number | | | |
| Date and Location of Birth | | | |
| Payment History | | | |
| Credit Card Numbers | | | |
| Driver's License/Passport Number | | | |
| ACH/Direct Deposit Numbers | | | |
| Financial Records/Information (please list; add rows as necessary) a. b. c. d. | | | |
| Other (please list; add rows as necessary) a. b. c. d. | | | |

[7] PII excludes any information that you have a reasonable basis to believe is lawfully made available to the general public from:
a) Federal, State, or local government public records
b) Widely distributed media, e.g., telephone book, radio, television, or a web site that is available to the general public
c) Disclosures to the general public that are required by Federal, State, or local law

III. List of Service Providers [8] that handle PII

Complete the following table to catalog the name of each service provider under contract with your organization that receives, maintains, processes, or otherwise is permitted access to PII under Temple University's stewardship. Please indicate the general nature of the service provided; the contract start date; the contract end date (if available or applicable); whether a Service Provider Requirements statement was included in the contract (indicate with Yes or No); and the last date the service provider conducted a risk review (Service Provider Safeguards) of Temple University customer information under their care.

| # | Name of Service Provider | General Nature of Service Provided | Contract Start | Contract End | Service Provider Requirements Contract Included? | Date of last Service Provider Safeguards Report received |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
| 5 | | | | | | |
| 6 | | | | | | |
| 7 | | | | | | |
| 8 | | | | | | |
| 9 | | | | | | |
| 10 | | | | | | |
| 11 | | | | | | |

[8] "Service Provider" is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to Gramm-Leach-Bliley or the Red Flags Rule (please refer to other related policies for additional definitions).

IV. Individual Access to Sensitive and Confidential Information [9]

Complete the following table to list the individuals with access to your organization's PII. Please include their full name, TUid, and Position Control Number ("PCN") [10]. The TUid and PCN numbers will be used to compile a list of positions that have access to PII. Indicate the type of PII the employee has access to: if an employee has access to a listed type of PII, simply mark the box with the letter X.

Type of PII Key: SSN = Social Security Number; DOB = Date of Birth; FR = Financial Records; PH = Payment History; CCN = Credit Card Number; ACH = Automated Clearing House Number; DL = Driver's License/State ID

Employees with access to PII (the form provides 42 numbered rows; add rows as necessary):

| # | Name | TUid | PCN | SSN | DOB | FR | PH | CCN | DL | ACH | Purpose |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | | | | | | | | | | | |
| ... | | | | | | | | | | | |
| 42 | | | | | | | | | | | |

[9] Temple University's Classification and Handling of Protected Data assigns a level of sensitivity to data and determines the extent to which it needs to be controlled and secured. For more information, see Classification and Handling of Protected Data at http://www.temple.edu/cs/policies/p61_classification_and_handling_of_protected_data.pdf, the Data Classification Grid at http://www.temple.edu/cs/policies/p62_%20data_classification_grid.pdf and the Storage and Cloud Computing Approved Usage at http://www.temple.edu/cs/policies/p63_storage_and_cloud_approved_usage.pdf
[10] The Position Control Number (PCN) can be obtained from the University's Organizational Chart at http://toch.temple.edu

V. Administrative Safeguards

1. Describe the process followed to ensure the background of new employees with access to PII has been thoroughly checked.
   a. Reference check procedures
   b. Background checks
2. Describe the process for determining whether employees have a need-to-know for access to PII.
   a. How often is this audit conducted?
3. Have you denied access to PII as a result of this audit? If so, and the individual is presently employed in your organization, please list the Name, TUid, PCN, Denial Date and reason for denying access.
   DENIAL REASONS: Reevaluated Position; Disciplinary Action; Internal Audit finding; Business Process Redesign

| # | TUid | PCN | Name | Denial Date | Reason |
|---|---|---|---|---|---|
| 1 | | | | | |
| 2 | | | | | |
| 3 | | | | | |

4. Describe the process for instructing and regularly reminding all organization employees of Temple University's legal requirement and obligation to safeguard PII.
   a. Frequency of notification
   b. Method of notification
   c. Posting of reminders about employee responsibility in areas with PII
5. Describe any other administrative safeguards in place to safeguard PII.
   a. Handling of organization requests for PII
6. Do you have a records retention policy? If so, please indicate:
   a. Whether this is a result of federal, state or local regulation (please list them), University policy, or business best practices
   b. How long records are kept
   c. How archives are stored
7. Describe the process for handling breaches, both internal and external, of the security and confidentiality of PII.
   a. Documentation guidelines for recording the incident
   b. Indicate who is notified
   c. Indicate how and when the Privacy Officer is notified
   d. Indicate how discipline is imposed for breaches due to employee misconduct or negligence
8. Have you experienced a data breach within the past 2 fiscal years? If so, please indicate when and whom you contacted.

VI. Physical Safeguards

1. If your organization has computers (workstations, laptops or servers) that contain PII, describe how they are physically protected from theft.
   a. Are the hard drives of workstations and laptops that contain PII encrypted?
   b. Are computers that contain PII physically protected with an anti-theft cable?
   c. Are servers containing PII placed in a secure location with approved physical protection?
2. Describe how paper records containing PII are stored and kept secure in the organization.
   a. If in a locked cabinet, indicate how access to the cabinet is controlled and monitored
   b. If in a locked room, indicate how access to the room is controlled and monitored
   c. Indicate the type of file cabinet, e.g., fireproof, lockable with a unique key
   d. Indicate if you have any video surveillance covering the stored paper records
   e. Include protection from physical hazards, such as fire and flood
3. Describe the procedures for maintaining and testing secure areas.
   a. Alarm tests
   b. Video tests
   c. Other
4. Describe how access to PII is restricted to only those with a need-to-know.
   a. Locks: are all keys accounted for?
   b. Alarm codes: does each employee have his/her own identifiable code?
5. Describe how PII contained on paper is disposed of.
   a. Document preparation for disposal
   b. Storage prior to disposal
   c. Security of storage area(s)
   d. Who oversees the secure disposal of records
6. Describe how PII contained on electronic media, including computer hardware, is disposed of.
   a. Document preparation for disposal
   b. Storage prior to disposal
   c. Security of storage area(s)
   d. Indicate who oversees the secure disposal of records
7. Describe how information in use (e.g., on one's desk) is safeguarded.
   a. Indicate how internal and external mail is properly marked when it contains PII
   b. Indicate how documents on the printer and on the fax machine are safeguarded
   c. Other

VII. Technical Safeguards

1. List every organizational computer (server or desktop/laptop) that stores PII, irrespective of how long the PII is stored on it and in what format. Please list the name, TUid and PCN of the primary person in charge of or using the computer, as well as the location (building, room number) of the computer(s) that hold PII. Indicate the system type (Desktop, Laptop, Server, Other) and the last time the system was evaluated for vulnerabilities by the Office of Information Security. Add additional rows as necessary.

| # | Name of employee in charge | TUid | PCN | System Type | Location of Computer | Date of last Assessment |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
| 5 | | | | | | |
| 6 | | | | | | |

2. If you have desktop computers, servers and other systems that store or transmit PII and that do NOT participate in Temple's TUsecure program (that is, systems that do not use AccessNet for logon authentication), please describe whether:
   a. Auto logout and/or screen locks (such as password-enabled screensavers) are enforced.
   b. A minimum password length is enforced.
   c. A schedule for changing passwords at least twice a year is maintained.
3. Describe how PII under the care of your organization is transported electronically from one system to another.
   a. Indicate how electronically transmitted information is safeguarded.
   b. Does the PII rest in a temporary location (file system, database, proxy cache, etc.) during the course of its transportation? How are those points of rest safeguarded? (Your application owner or system administrator should be able to answer these questions.)
4. Indicate organization procedures for backing up files containing PII.
   a. Indicate the back-up schedule
   b. Indicate the back-up storage type, e.g., TUcloud, File Server, CD, etc.
   c. Back-up security
   d. Describe how backup media are stored, and what safeguards are in place to secure them.
5. Describe your procedure for:
   a. Software patches
      - Indicate how the need for updates is monitored
      - Indicate who is responsible for obtaining and installing patches
   b. Anti-virus software
      - Indicate who is responsible for obtaining and installing anti-virus software
      - Indicate whether automatic updates are used to update the anti-virus software