This standard documents safeguards implemented to control the risks identified in recurring risk assessments related to protecting student financial information in PSU’s enterprise IT financial systems. This information falls under the highest classification in the Information Security Policy, and its unauthorized disclosure constitutes a critical risk for PSU and its students.
This standard applies to PSU enterprise IT systems that store, process, or transmit student financial information and to the university staff who use, manage, or host the systems.
The following safeguards will be implemented as described for protecting student financial information and for mitigating identified risks:
Implement and periodically review access controls
Employee access to student financial information will be granted through automated account provisioning and deprovisioning and through a formal OAR request implemented in OAM. Daily Banner access reviews will be conducted automatically and reported to administrative staff, who will review the reports daily.
Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
Inventories of enterprise computing systems and third-party integrations used for financial information processing will be maintained and will be audited for accuracy at least annually.
Encrypt student financial information within our information systems and networks, both at rest and in transit
Student financial information stored within our information systems will be encrypted at rest. Student financial information in transit across our networks will be encrypted using industry-standard encryption protocols appropriate to the mode of transmission.
Regularly assess the applications developed in-house that store, access, or transmit student financial information
An inventory of in-house applications will be maintained, and the integrity of in-house applications will be assessed through ongoing activities, including monitoring of third-party libraries for known vulnerabilities, retention and monitoring of access logs consistent with the OIT Security Event Logging Standard, and periodic penetration testing.
Implement multi-factor authentication for anyone accessing student financial information within our information systems
All employees will be automatically enrolled in Duo two-factor authentication by the Identity and Access Management account claim process within OAM. Two-factor authentication is required for all employees accessing our enterprise information systems.
Dispose of student financial information securely, and periodically review our data retention policy to minimize unnecessary retention of said information
Student financial information may be securely removed according to the schedule specified in the Odin Account Standard. All information for individuals who sent their FAFSA information to PSU but who did not apply will be deleted annually.
Follow change management procedures, anticipating and evaluating changes to our information systems and networks
The OIT Change Control Standard will be followed for anticipating and evaluating changes to our information systems and networks.
Maintain a log of authorized users’ activities, and monitor for and detect unauthorized access of or tampering with student financial information
Authorized users’ activities will be logged and monitored in accordance with our OIT Security Event Logging Standard.
Related Policies, Procedures, and Information
Point of Contact
Contact the Information Security Team at help-security@pdx.edu for questions about this standard.