GLBA Information Security Plan

Policy Approval Authority: President
Responsible Division: DoIT and ECO
Responsible University Office: DoIT and ECO
Responsible Officer(s): Director of Information Security and Director of Privacy
Contact Person: Jack Yetter
Primary Audience: Staff, Administration
Status: Active
Last Review Date: 07-10-2024
Policy Category/Categories: Ethics & Conduct; Finance / Risk Management

To comply with the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act, or GLBA), 15 U.S.C. §6801, the Office of Information Security, with cooperation from several other NIU departments/units, has developed this Information Security Plan. It may be amended or revised in the future, as necessary. The Federal Student Aid office of the U.S. Department of Education has issued guidance clarifying that an institution that participates in Title IV agrees to also comply with the GLBA Safeguards Rule, and that, for the purpose of compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present).

This Plan describes Northern Illinois University’s safeguards to protect covered data and information. Covered data and information includes all nonpublic personally identifiable information collected by NIU and used to obtain or process financial activities (including, but not limited to, student financial assistance, debt collection, and safeguarding student monies).

These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information.

These safeguards affect many areas of the University that receive, store, transmit, maintain and/or protect financial information, including but not limited to the Controller’s Office, Office of the Bursar, Student Health Insurance, Student Financial Aid and Scholarship Office, Human Resources, Division of Information Technology, and Registration and Records. In addition to the above-identified functional units of the University, individuals who do not regularly engage in activities related to financial information but may occasionally handle such information for purposes of data security or processing are also included within the safeguards.

To protect the privacy of covered data and information, Northern Illinois University strictly adheres to applicable law, including but not limited to the Family Educational Rights and Privacy Act of 1974, as amended, (FERPA) and the Illinois Freedom of Information Act (FOIA). Under federal regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of GLBA if they are in compliance with FERPA. As such, NIU will not disclose any non-public financial information about its current or former students/employees, except as required or permitted by law.

Consistent with the spirit of this Information Security Plan, all relevant offices of the University are encouraged to develop and implement any appropriate additional safeguarding measures that go beyond those outlined in this Plan, University policy, guidelines, and practices, and federal and/or state law to address specific needs of their department. Whenever such a new measure is developed, the Director of Privacy must be notified.

GLBA and the accompanying Safeguards Rule of the Federal Trade Commission mandate that the University appoint a Qualified Individual to oversee policies and procedures, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee third-party service providers and contracts, and evaluate and adjust the Information Security Program periodically.

Individuals who are aware of any attempted or actual breach of this Plan are required to report the incident to the Division of Information Technology Service Desk at 815-753-8100 or it.niu.edu. The reporting party should state that they would like to report a GLBA incident and ask that the Office of Information Security (OIS) be notified. OIS will notify the University’s Qualified Individual and activate the incident response plan.

The President of Northern Illinois University has assigned the Director of Privacy to execute responsibilities for coordinating and maintaining this Plan. The Director of Privacy, in conjunction with all relevant areas of the University, is responsible for identifying and assessing the reasonably foreseeable risks associated with unauthorized transfers of covered data and information and implementing procedures to minimize those risks to NIU.

All correspondence and inquiries regarding this Plan should be directed to the Director of Privacy. The Director of Privacy works closely with assigned staff in Information Technology Services, Risk Management, and Internal Audit as well as all relevant academic and administrative divisions, departments, and units throughout the University.

In addition, other University positions may be designated as Deputy Plan Coordinators. Deputy Plan Coordinators support the Director of Privacy concerning relevant aspects of the Plan and assist this person in:

  • Identifying actual and/or reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered data and information;
  • Evaluating the effectiveness of the current safeguards for controlling these risks;
  • Implementing this Plan; and
  • Regularly monitoring and testing this Plan.

The Director of Privacy shall report annually in writing to the University’s Chief Strategy Officer, who shall forward the report to the Board of Trustees. The annual report shall include, at a minimum, relevant risk assessment and management decisions, GLBA service provider arrangements, results of yearly testing and recommendations, and significant changes in the information security program. The Director of Privacy shall also report, in a timely manner and in writing, any interim incidents, breaches, or other significant issues through the same channel.

NIU recognizes that there are vulnerabilities and threats to University data and assets that result in risks to the confidentiality, integrity, and availability of covered data. NIU looks to NIST SP 800-171 for guidance on security controls to mitigate these risks. As NIU regularly assesses these controls, it looks for gaps and weaknesses that present such risks and evaluates the residual risk given other mitigating controls.

Minimum Required Safeguards

NIU is committed to implementing the following controls to meet and exceed the minimum required safeguards identified in 16 CFR 314.4(c)(1) through (8).

314.4(c)(1) - Implementing and periodically reviewing access controls.

Each business unit must be approved by the Student Financial Aid office before it may access and use student financial aid data. Business units that work with covered data are responsible for following the System Access and Security Policy. Business units that do not self-manage access request the appropriate changes through the documented request approval process. In addition, NIU has implemented a mandatory annual review of the NIST 800-171 controls and reviews access at that time.

314.4(c)(2) - Identify and manage the data, personnel, devices, systems, and facilities.

The Office of Information Security (OIS) follows the guidance of the NIST Cybersecurity Framework, specifically the overarching processes to identify, protect, detect, respond, and recover. OIS, in partnership with the Director of Privacy and the Student Financial Aid Office, annually reviews the inventory of data, personnel, devices, systems, and facilities of NIU business units approved to access covered data. This inventory is evaluated against the NIST 800-171 control guidance.

In addition, all NIU policies including the following must be adhered to:

  • Information Security Policy
  • Identity Protection Policy
  • Encrypting Restricted Data
  • Protecting Restricted Data
  • Minimum Security Configurations
  • Account and Password Guidelines
  • Clean Desk Standards for NIU Private and Restricted Data
  • Access Control Policy
  • Data Center Access Policy
  • Information Security Awareness Training
  • Vulnerability and Patch Management Policy
  • Surplus Electronic Data Processing Equipment with Hard Drives

314.4(c)(3) - Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.

The Office of Information Security (OIS), together with the Division of Information Technology (DoIT), annually reviews the NIST 800-171 System Security Plans for systems that contain covered data. All systems and personnel are to follow the Encrypting Restricted Data policy.

314.4(c)(4) - Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information.

NIU has adopted the practice of implementing approved vendor-supplied software as its standard approach. All vendor-supplied software is monitored for security advisories and reviewed for secure configuration as approved by the Architecture Review Board. For the small amount of application code that is developed in-house, the development team follows and reviews the security best practices defined in its “Application Security Document”. This document describes security best practices around authentication, data protection, configuration, exception handling, input/output validation, event and exception logging, and preventing common web application security risks.

314.4(c)(5) - Implement multi-factor authentication for any individual accessing any information system unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.

Each year, as part of the annual NIST 800-171 System Security Plan review, all systems identified as containing covered data will be verified as having NIU’s MFA solution in place.

314.4(c)(6) - Develop, implement, and maintain procedures for the secure disposal of customer information.

NIU DoIT complies with State of Illinois law and implements a DoD data wipe for storage that is to be reused, destroys storage media that is not functional or cannot be reused, or contracts with a vendor for mass secure destruction of storage media. By policy, restricted data is not allowed on removable media such as USB flash drives. Any data that exists on paper is shredded through a confidential shredding service.

314.4(c)(7) - Adopt procedures for change management.

NIU DoIT has a rigorous and documented change management process.

314.4(c)(8) - Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

NIU DoIT provides a central logging system (SIEM) for the collection and analysis of system activity logs. Endpoint Detection and Response (EDR) agents on systems additionally detect unauthorized use of credentials. Business units have processes for validating the integrity of the data.

Testing Effectiveness of Safeguards and Vulnerability Management

NIU shall employ third-party vendors of sufficient expertise to test and provide assessments of the safeguards in place. At a minimum, a confidential report from the third-party vendor shall include details of any vulnerability, a risk score for each, and proposed remediation plans to strengthen security controls.

The Director of Privacy, in conjunction with the Department of Information Technology, the Ethics and Compliance Office and Human Resources staff, develops and coordinates training and education programs for all employees who have access to covered data and information. These employees typically fall into three categories:

  • Professionals in information technology who have general access to all university covered data and information;
  • Custodians of covered data and information; and
  • Employees who access and use covered data and information as a part of their essential job duties.

Regardless of category, department/unit directors/supervisors are responsible for ensuring compliance with information security practices within their respective departments/units.

When hiring new employees, NIU maintains common employment practices, including but not limited to checking references of new employees, conducting background checks on certain employees pursuant to the Illinois Campus Security Act, and asking certain employees to sign confidentiality agreements. Where applicable, new employees are also trained in the proper use of computer information and passwords in accordance with the university’s Information Security Awareness Training Policy.

The Office of Information Security provides periodic online training that covers the basics of the Gramm-Leach-Bliley Act and the Family Educational Rights and Privacy Act, respectively, as they relate to NIU faculty and staff. Prior to gaining access to certain information systems, employees are required to complete training on FERPA. This training is important for anyone having access to nonpublic, personal information, in electronic or paper form, associated with customers of NIU's financial services and products, or having access to computerized student records as well as folders containing student records relating to their academic history which are housed in departmental offices.

Each department responsible for maintaining covered data and information should be instructed to take steps to protect the information from destruction, loss, or damage due to environmental hazards, such as fire and water damage, or technical failures. Further, each department responsible for maintaining covered data and information should coordinate annually with the Director of Privacy on the review of additional privacy training appropriate to the department. These training efforts should help minimize risk and safeguard covered data and information.

GLBA requires that the University take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. When necessary, the University (through Procurement Services and Contract Management and/or the relevant business unit procuring the services, with the guidance of the Director of Privacy and other subject matter experts such as the Chief Information Security Officer) will contact covered contractors and service providers requesting assurances of compliance with GLBA and any other applicable regulatory controls. The University will review guidelines for required controls (i.e., SOC 2 Type 2) to ensure proper implementation.

Contracts with third-party service providers and contractors may include the following provisions:

  • An explicit acknowledgement that the contract allows the contract partner access to covered data and information;
  • A specific definition or description of the covered data and information being provided;
  • A stipulation that the covered data and information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
  • An assurance/guarantee from the contract partner that the partner will protect the covered data and information it receives according to commercially acceptable standards and no less rigorously than it protects its own confidential information;
  • A provision providing for the return or destruction of all covered data and information received by the contract provider upon completion or termination of the contract;
  • An agreement/stipulation that any violation of the contract’s confidentiality/protective conditions may constitute a material breach of the contract and entitles NIU to immediately terminate the contract without penalty;
  • A provision ensuring that the contract’s confidentiality requirements shall survive any termination agreement;
  • A guarantee from the contract partner that it will ensure compliance with the protective conditions outlined in the contract;
  • A stipulation allowing the entry of injunctive relief without posting bond to prevent or remedy breach of the confidentiality obligations of the contract; and
  • A provision allowing auditing of the contract partner’s compliance with the contract safeguarding requirements.

GLBA mandates that this Information Security Plan be subject to periodic review and adjustment. This Plan should be re-evaluated at least annually to assure ongoing compliance with existing and future laws and regulations. This statement in no way prevents review of this Plan on a more frequent basis, or whenever new relevant information on constantly changing technology, the sensitivity of student/customer data, and evolving risks mandates such action.

Continued administration of the coordination, execution, and maintenance of this Plan will be the responsibility of the designated Director of Privacy and any duly designated Deputy Plan Coordinators, who will assign specific responsibility for implementation and administration as appropriate. Coordinators or duly designated representative(s) will review the standards set forth in this Plan and recommend updates and revisions, as necessary.

Processes in other relevant offices, departments, or units of the University such as data access procedures and training programs should undergo regular review.

The University’s Department of Information Technology maintains a comprehensive Incident Response Plan approved by University leadership. Upon learning of any security event, this plan will be implemented by the Chief Information Security Officer and University Privacy Officer or their designees, along with representatives of the University Ethics and Compliance Office, Office of the General Counsel, and Risk Management.

Covered data and information
For the purpose of this Information Security Plan, this term includes non-public personal customer information and student financial information required to be protected under the Gramm-Leach-Bliley Act (GLBA). Covered data and information includes both paper and electronic records. A customer is a type of consumer, namely, an individual who has an ongoing relationship with the institution that provides a financial product or service. Therefore, NIU’s main customers are typically students of NIU.
Student financial information
Information the university has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR § 225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both electronic and paper formats.
Financial institution
Defined as any institution that is significantly engaged in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities such as making Federal Perkins Loans, as well as under a Title IV Program Participant Agreement (PPA), Federal regulations and guidance consider them financial institutions for purposes of compliance with the Act.

Contact Us

Policy Library
815-753-5560
policy-library@niu.edu 