
Information Security Program


 

Introduction

The Information Security Program at the University of Louisiana Monroe is designed to protect the critical and sensitive customer information the University receives in the course of business and to comply with legal requirements, including the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission's (FTC) Safeguards Rule.

 

Information Security Program Coordinator

The Information Security Program Coordinator (“Coordinator”) is responsible for overseeing and enforcing ULM’s Information Security Program. The Coordinator is appointed and supervised by ULM’s VP for Information Services. The Coordinator will work closely with Information Technology, Controller’s Office, Registrar’s Office, Human Resources, Student Financial Services, Student Financial Aid, Internal Auditor, Institutional Research, and other offices that may use customer information. The Coordinator is required to report annually to the ULM President on the overall status of the Information Security Program.

 

Risk Identification and Assessment

The Coordinator will work with all relevant areas to carry out comprehensive risk assessments periodically in order to identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of covered data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Risk assessments will include system-wide risks as well as risks unique to each area with covered data. As part of the process, the Coordinator will assess the sufficiency of safeguards in place to control these risks.

 

Information Safeguards and Monitoring

The Coordinator will verify that information safeguards are designed and implemented to control the risks identified in the risk assessments described above. Such safeguards and monitoring will include the following:

  1. Implement and periodically review access controls. ULM employs a role-based security access methodology that ensures each employee has the appropriate access to customer information for their work needs.
  2. Conduct a periodic inventory of data, and maintain an accurate list of all systems, devices, platforms, and personnel. Disaster recovery material must be backed up weekly on a USB device and stored at an off-site location. This includes a list of all servers, network topology, and student/employee contact information.
  3. Protect by encryption all customer information during transmission over external networks and while at rest. In situations where the encryption of customer information in transit over external networks or at rest is not feasible, the Coordinator shall implement alternative compensating controls to ensure data security.
  4. Assess internally developed applications that display some portions of customer financial information.
  5. Implement multi-factor authentication for any individual accessing any information system.
  6. Develop, implement, and maintain procedures for the secure disposal of customer information.
  7. Adopt procedures for change management. ULM's IT System Change Control Policy is designed to ensure that IT system changes are properly tested, reviewed, approved, implemented, and documented.
  8. Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

 

Regular Testing and Monitoring

The Coordinator will regularly test the effectiveness of the safeguards' key controls, systems, and procedures by continuous monitoring and by periodic penetration testing and vulnerability assessments. Vulnerabilities will be tracked, prioritized, and remediated.

 

Employee Management and Training

The Coordinator will work with other offices to identify categories of employees or others who have access to covered data. The Coordinator will implement policies and procedures to ensure that personnel are able to enact our Information Security Program. Safeguards for security will include mandatory cybersecurity awareness training for all individuals who have authorized access to covered data and specialized training for staff in key positions.

 

Overseeing Service Providers

The Coordinator will work with other offices to ensure that reasonable steps are taken to: (a) select and retain service providers that are capable of maintaining appropriate safeguards for customer information and (b) require service providers by contract to implement and maintain such safeguards.

 

Program Maintenance

The Coordinator, working with other offices, will evaluate and adjust the Information Security Program in response to any material changes to operations or business arrangements; results of assessments, testing or monitoring; or any other circumstances which may reasonably have an impact on the Information Security Program. The Information Security Program will undergo review and adjustment at least once every fiscal year based on information gathered during risk assessments, emerging threats, and industry best practices.

 

Incident Response Plan

When a cyber-intrusion incident is detected, the Coordinator will activate the Incident Response Team to engage with members of the university community as well as with appropriate outside agencies, such as law enforcement. ULM's Security Incident Response Plan contains: (a) the goals of the plan; (b) the internal processes ULM will activate in response to a security event; (c) clear roles, responsibilities, and levels of decision-making authority; (d) communications and information sharing both inside and outside of ULM; (e) a process to fix any identified weaknesses in our systems and controls; (f) procedures for documenting and reporting security events and ULM’s response; and (g) a post mortem of what happened and a revision of our incident response plan and information security program based on what was learned.

 

Supporting Policies

The Information Security Program is supported by the ULM policies described below.

 

The Account Access Policy ensures that access to accounts with protected data remains appropriate to each employee’s current job role and employment status.
https://webservices.ulm.edu/policies/download-policy/241    

 

The Computing Systems Security Breach Policy details the actions to be taken upon compromise of electronic systems and accounts maintained by the University.
https://webservices.ulm.edu/policies/download-policy/245  

 

The Cybersecurity Awareness Training Policy requires cybersecurity awareness training for all employees and contractors who have access to the university’s information technology assets and customer data.
https://webservices.ulm.edu/policies/download-policy/793

 

The Data Center Access Policy monitors physical access to ULM’s primary data center.
https://webservices.ulm.edu/policies/download-policy/805  

 

The Data Sanitization Policy ensures that data are permanently destroyed when university-owned computer storage media are transferred or retired, in accordance with the State OTS Policy IT STD 1-17.
https://webservices.ulm.edu/policies/download-policy/807  

 

The Data Security Policy ensures that users who have been granted access to IT resources understand their responsibilities related to system security and confidentiality of information.
https://webservices.ulm.edu/policies/download-policy/799   

 

The Incident Response Plan describes the steps to be taken when a cyber-intrusion incident is detected.
https://www.ulm.edu/it/cybersecurity/documents/information-security-incident-response-plan.pdf  

 

The IT Disaster Recovery Plan (DRP) is regularly updated to cover a variety of threats such as natural disasters, fires, and security-compromised systems. This plan is only circulated internally.

 

The IT System Change Control Policy is designed to ensure that IT system changes are properly tested, reviewed, approved, implemented, and documented. This control acts to prevent inappropriate changes from being made that could affect system stability and, therefore, business operations.
https://webservices.ulm.edu/policies/policy/249

 

The ULM FERPA Policy requires faculty, staff, and administrative officers at ULM to treat education records in a legally specified manner, outlines procedures for providing student access to such records, includes procedures for maintaining the privacy of student records, and provides institutional penalties for violation of its stipulations.
https://www.ulm.edu/registrar/documents/ferpa-2017.pdf   

 

The ULM Privacy Statement addresses the collection, use, and dissemination of personal information by the University.
https://www.ulm.edu/statement/privacy.html    

 

 
