IT04 UO ACH Security Policy

Transcription

1 IT04 UO ACH Security Policy Effective 1 July 2009 Last Revised Who Should Read This Policy Employees who have access to and, therefore, responsibility for safeguarding customer bank account and Automated Clearing House (ACH) information. Background & Purpose The Business Affairs Office (BAO) originates direct deposit files for employee payroll student reimbursements and vendor payments which are processed by the Oregon State Treasurer (OST) using the national ACH network. Bank information is collected from customers using paper forms and the university s secure web portal DuckWeb. Customer bank information is stored in the university s Banner enterprise system. Each day, ACH data is downloaded from Banner and transferred to OST. BAO processes returned check transactions using the OST STAN Online system. BAO has contracted with a third party vendor who originates direct debit files for student tuition and fee payments that are processed by the Oregon State Treasurer. Students provide their bank account information for tuition and fee payments to the third party vendor using its fully hosted and secure web page. NACHA, the Electronic Payments Association, has adopted security standards for ACH transactions that are similar to PCI standards for credit card processing. OST implemented an annual risk assessment process for all state agencies and universities. It is important that university employees and university contractors take appropriate measures to safeguard sensitive customer information, including bank account numbers. Failure to comply with NACHA rules may result in financial loss, fines, suspension of ACH processing privileges, and/or damage to the reputation of the university. This policy provides guidelines for the safeguarding of customer bank account and ACH information. Policy 1. The Director of Business Affairs is responsible for safeguarding customer bank account/ach information, the distribution of security policies and procedures, training, monitoring of system access and alerts, and incident response. 2. Employees with access to customer bank account/ach information must maintain the following standards: a) Protect Customer Bank Account/ACH Information Develop written operating procedures for your unit that conform with the following requirements. Page 1 of 5

2 Do not archive electronic files containing bank account information on the UO network without encryption and access control. Delete ACH source files from the UO network immediately after they are securely transferred to OST for processing. Do not send or receive bank account/ach information using . Use secure electronic file transfer methods such as secure file transfer protocol (SFTP) or a virtual private network (VPN). Strictly limit access to paper and electronic records (word processed documents, spreadsheets, imaged documents, etc.) containing bank account/ach information based on job function. Where practical, limit access to full time professional staff. Access to bank account/ach information must be authorized in writing by the employee s manager (for example using a system access form or position description). Physically secure paper records and electronic media containing bank account/ach information in locked cabinets or offices with adequate key control. Mark these records as Confidential. Strictly control the distribution of these records. Do not store electronic files (word processed documents, spreadsheets, imaged documents, etc.) on your network or PC unless secured using access control. Inventory paper records and electronic media containing bank account/ach information every six months to identify loss or theft of items. Securely dispose of paper and electronic records containing bank account/ach information when they are no longer required for business, legal or regulatory purposes and in accordance with the UO records retention policy. Paper records should be placed in confidential recycling. Electronic media should be destroyed beyond recovery. Ensure systems used to access ACH information have the latest operating system updates and anti-virus updates and definitions. If you access host systems containing ACH information using a wireless network connection, ensure that the network uses strong encryption for authentication and transmission. b) Employee Screening and Training Units must perform background checks on potential employees who will have access to customer bank account/ach information. See UO Policy Statement Criminal, Credit and Related Background Checks on Applicants for University Positions Units must train new employees who will have access to customer bank account/ach information so that they are aware of their responsibility for safeguarding this sensitive information. Employees with access to customer bank account/ach information must review this policy annually and when business practices change. c) Annual Risk Assessment BAO will conduct an annual ACH risk assessment. Page 2 of 5

3 d) Third Party Vendors The university holds third party contractors responsible for safeguarding any customer bank account and ACH information in their possession. Contracts with third parties should reflect this responsibility. In accordance with OST Cash Management Policy PO, third party vendors who wish to provide ACH transaction storage, processing, or transmission services must first be approved by the Oregon State Treasurer. To obtain approval vendors must complete the OST 3rd Party Vendor Prequalification Form, Oregon law requires that state funds be deposited directly into a recognized Oregon depository within 24 hours of receipt. 3. Incident Response Plan In the event of a breach in ACH Transaction data security take the following steps: The unit shall immediately contain and limit the exposure of ACH transaction data, alert the Director of Business Affairs, and conduct a thorough investigation of the suspected loss or theft of account information. Some of the key steps to keep in mind when dealing with a break include the following steps: Do not access or alter compromised systems (e.g. do not log on or change passwords; do not log in as ROOT). Do not turn off the compromised computer. Instead, isolate compromised systems from the network (e.g. unplug the network cable). Preserve logs and electronic evidence. Document all actions taken. Be on high alert and monitor all systems with ACH transaction data. Provide the Director of Business Affairs with a report containing account information at risk and the source and timeframe of the compromise. The Director of Business Affairs will alert all necessary parties in a timely manner and complete the attached Incident Report. The incident report must be completed as soon as possible once the breach has been discovered, and provided to the Office of the State Treasurer. OST will forward it to U.S. Bank. U.S. Bank and OST will determine if there is specific action required as a result of this breach and will notify the agency of any actions needed. NOTE: If an incident occurs during normal business hours (8:00AM to 5:00PM), notify the Office of the State Treasurer by using the number listed below. OST will then notify U.S. Bank, and coordinate all communication. If an incident occurs outside Page 3 of 5

4 of normal business hours, contact State of Oregon s U.S. Bank Relationship Manager directly by using the phone number listed below. Office of the State Treasurer (OST); (503) Notify the receptionist that you have experienced an ACH transaction data breach, and ask to speak with the ACH Coordinator on the Banking Team or a member of the Relationship Management Services team. State of Oregon s U.S. Bank Relationship Manager; (503) Notify the Relationship Manager that you have experienced a data breach involving ACH information. Identify that you are an Oregon State Agency and provide your Agency Name, Agency Number, and ACH Company ID. Authority The UO Vice President for Finance and Administration has authority for administering this policy and has delegated its implementation to the Director of Business Affairs. References NACHA Oregon State Treasury Cash Management Policy Oregon State Treasury 3 rd Party Vendor Prequalification Form OUS Policy Guideline for Electronic Commerce UO Records Retention Schedule UO Policy Statement Criminal, Credit and Related Background Checks on Applicants for University Positions Criminal, Credit and Related Background Checks on Applicants for University Positions Contact Business Affairs Page 4 of 5

5 Attachment A INCIDENT REPORT In the event of a possible ACH Transaction data compromise, complete the following information and send via fax to OST. Attention : Relationship Management Team Subject: ACH INCIDENT RESPONSE FAX #: Note: Do not send sensitive information via unencrypted Agency Name: Organizations involved in the breach: Date of Incident: What is the transaction date range associated with the compromised accounts? What ACH transaction data was compromised, e.g., did the data include consumers and/or corporate accounts? How many ACH transactions were involved? Was law enforcement notified, and if so, which department/agency? Who is performing the investigation regarding the incident? How did the compromise occur? What steps have been taken to remediate the risk/vulnerabilities? Please list the number and types of systems involved in the incident. Has all possible evidence been preserved? Actions Taken: Actions Pending: Contact Information: Page 5 of 5