IT Financial Systems Data Protection Standard

Purpose and Applicability

This standard documents safeguards implemented to control the risks identified in recurring risk assessments related to protecting student financial information in PSU’s enterprise IT financial systems. This information falls under the highest classification in the Information Security Policy, and its unauthorized disclosure constitutes a critical risk for PSU and its students.

This standard applies to PSU enterprise IT systems that store, process, or transmit student financial information and to the university staff who use, manage, or host the systems.

Definitions

Term: Definition

Banner: PSU's enterprise resource planning system that processes and stores university administrative information
FAFSA: Free Application for Federal Student Aid
GLBA: Gramm-Leach-Bliley Act
OAM: Odin Account Manager - account management service offering for managing OIT computer accounts
OAR: OAM Access Requests - requests for access to certain PSU systems, including those providing access to student financial information, are made using the OAR feature within Odin Account Manager

Standards and Procedures

The following safeguards will be implemented as described for protecting student financial information and for mitigating identified risks:

Implement and periodically review access controls

Employee access to student financial information will be granted through automated account provisioning and deprovisioning and through a formal OAR request implemented in OAM. Daily Banner access reviews will be automatically conducted and reported to administrative staff who will review the reports daily.

Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted

Inventories of enterprise computing systems and third-party integrations used for financial information processing will be maintained and will be audited for accuracy at least annually.

Encrypt student financial information within our information systems and networks, both at rest and in transit

Student financial information will be encrypted at rest within our information systems. Student financial information in transit through our networks will be encrypted using industry standard encryption protocols appropriate to the mode of transmission.

Regularly assess the applications developed in-house that store, access, or transmit student financial information

An inventory of in-house applications will be maintained, and in-house application integrity will be assessed through ongoing activities which include monitoring of third-party libraries for known vulnerabilities, retention and monitoring of access logs consistent with the OIT Security Event Logging Standard, and performing periodic penetration testing.

Implement multi-factor authentication for anyone accessing student financial information within our information systems

All employees will be automatically enrolled in Duo two-factor authentication by the Identity and Access Management account claim process within OAM. Two-factor authentication is required for all employees for access to our enterprise information systems.

Dispose of student financial information securely, and periodically review our data retention policy to minimize unnecessary retention of said information

Student financial information may be securely removed according to the schedule specified in the Odin Account Standard. All information for individuals who sent their FAFSA information to PSU but who did not apply will be deleted annually.

Follow change management procedures, anticipating and evaluating changes to our information systems and networks

The OIT Change Control Standard will be followed for anticipating and evaluating changes to our information systems and networks.

Maintain a log of authorized users’ activities, and monitor for and detect unauthorized access of or tampering with student financial information

Authorized users’ activities will be logged and monitored in accordance with our OIT Security Event Logging Standard.

Related Policies, Procedures, and Information

Point of Contact

Contact the Information Security Team at help-security@pdx.edu for questions about this standard.

Approver
Chief Information Officer

Owner
Associate Chief Information Officer
Senior Director, Computing Infrastructure Services

Date
Originally Approved: June 2024