Step 2.1: Risk Assessment Questions: GLBA and FERPA Supplement


These questions will help determine and evaluate threats to the resources identified through a mission impact analysis, as well as adherence to general secure computing practices.

Unit Name: ___________________    Sub-Unit Name: ___________________

Risk Assessment Questions: GLBA and FERPA Supplement

In addition to the issues covered in the general questions, the GLBA and FERPA supplement focuses on the need for specific training of employees on GLBA and FERPA compliance, confidentiality agreements and safeguards, and the protection of paper-based data.

All questions in this supplement apply to both GLBA- and FERPA-protected data unless specifically labeled.

Yes | No | Documentation location or explanation for not following

A. Employee Training and Management

1. Do you train employees to take basic steps to maintain the security, confidentiality and integrity of customer financial information and/or student information (hereafter “protected data”)?

  • [FERPA] Knowing which student data may be released without permission and which may not
  • Locking rooms and file cabinets where records are kept
  • Locking access to terminals with strong passwords
  • Changing passwords periodically
  • Maintaining password confidentiality, including not posting passwords
  • Encrypting sensitive customer communication when transmitted or stored electronically
  • Referring requests for information only to other authorized individuals who have been trained

     

2. Do you obtain signed confidentiality agreements from all employees handling protected data?

     

3. Do you require security awareness training (e.g., Security 101) for all employees handling protected data?

     

4. Do you limit access to protected data to those who have a business reason to see it?

     

B. Information Systems

1. Do you store records in a secure area?

  • Keep paper records in a room, cabinet or container that is locked when unattended
  • Protect storage areas from physical hazards such as fire or flood
  • Store electronic data on a securely administered server located in a physically secured area, and limit local workstation storage as much as possible
  • Maintain and secure backups of protected data

     

2. Do you provide for secure data transmission?

  • Use SSL or other secure connection to encrypt protected data in transit
  • Caution customers and/or students against transmitting sensitive data by e-mail
  • If e-mail is used, secure the receiving account and encrypt transmission, if possible

     

3. Do you dispose of protected data in a secure manner?

  • Shred or recycle protected information securely
  • Erase or destroy all media (diskettes, CD-ROMs, hard drives) containing protected data

     

4. Do you use audit and oversight procedures to detect improper disclosure or theft of protected data?

     

C. Detecting, Preventing & Managing Systems Failures

1. Do you follow the best practices outlined in the main question set?

  • Timely installation of software patches
  • Automatic anti-virus checking and updating
  • Backup
  • Mission continuity planning

     

2. Do you use tools like passwords and other personal identifiers to authenticate the identity of customers and/or students seeking to transact business electronically?

     

3. [GLBA] Do you notify customers promptly if their non-public personal information is subject to loss, damage or unauthorized access?

     

4. [GLBA] Do you ensure that all financial services contracts contain boilerplate language confirming that third parties will maintain appropriate safeguards?

     

Prepared by:

Name:   __________________________
Signature:   _______________________
Title:   __________________________
Date:   __________________________

Approved by: Unit head

Name:__________________________
Signature:_______________________
Title:   __________________________
Date:   __________________________

 

© 2008 by the Rector and Visitors of the University of Virginia.
