The purpose of the Gramm Leach Biliey (GLBA) Security Standard is to provide the data protection security necessary to comply with Shawnee State University’s GLBA Security Policy. These standards are mandatory requirements, and establish an effective baseline of appropriate system, administrative, and physical controls to apply to covered data.
1.2 Network traffic shall be limited to only those services and ports considered essential, unless exceptions to allow access to required services are requested and granted.
1.3 Networks that house devices with GLBA data shall be scanned for vulnerabilities at least semi-annually. Vulnerabilities detected shall be remediated in a timely manner.
1.4 Additional security detection tools should be considered in cases where a high degree of GLBA data exists.
2.1 Devices that process or store GLBA information shall be housed in a physically secure location, accessible to only those with a business purpose.
2.2 Security updates and patches shall be applied in a timely manner, or automatically when possible.
2.3 Computer system support must monitor for announced vulnerabilities in their hardware and software.
2.4 Computer anti-virus software shall be implemented, and updated in a timely manner, or automatically where appropriate.
2.5 Host based firewalls shall be implemented on systems storing and accessing GLBA data.
2.6 Services and applications should be the minimum necessary to accomplish the required business functions.
- Passwords shall be changed from the vendor defaults.
- Systems should be “hardened” to a recognized standard, where available.
2.7 Individual access to data shall be limited to only those needing access for business purposes.
2.8 The amount of GLBA information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions.
2.9 Where possible, secure (encrypted) transmission and storage shall be utilized, for all devices, including laptops and portable media, where appropriate. Devices processing or storing GLBA data shall log all significant security event information. Logs should be reviewed on a daily basis, and be retained for at least 90 days.
2.10 Devices processing or storing GLBA data shall log all significant security event information. Logs should be reviewed on a daily basis, and be retained for at least 90 days.
2.11 Files shall be backed up and tested on a regular schedule, and stored in a secured location both on and off-site.
2.12 Hardware, software and data destruction shall be securely disposed at the termination of business need.
3. User Accounts
3.1 A process shall be established to create and assign, maintain, and verify a unique system identifier (i.e. UserID) for each user.
3.2 Authentication to a system identifier shall be controlled by a mechanism implemented based upon the sensitivity of the data.
3.3 In cases where UserID and Password are used for authentication purposes, whether for interactive or file transfer purposes, the password must be encrypted.
4. Software Development
4.1 Internally developed software shall be based on secure coding guidelines, and reviewed for common coding vulnerabilities.
5. Policy and Procedure
5.1 Each department processing or storing GLBA data shall establish a security policy, and corresponding procedures to address the following.
- Computer Incident Response
- Computer Incident Reporting
5.2 Each department processing or storing GLBA information shall complete security awareness training on an annual basis.
5.3 Each external vendor processing or storing GLBA data will be required to meet the security requirements set forth in this standard.