The Controller's Office serves the entire University. Our organization is collectively responsible for supporting departments, colleges, and campuses in their financial operations. If you conduct the business, we've got the tools, systems, procedures, and policies to get the work done. Our goal is to make the business of the University efficient and cost-effective, so people can focus on teaching, research, and outreach.
Our departments perform a wide range of services focused on reducing costs and increasing efficiency. We are also responsible for supporting the University's enterprise financial systems. Processes, systems, and controls are designed so that the University has timely, accurate, and complete financial information for decision making.
Our most visible work products are the University's annual financial statements, which report on our financial health. The University's financial statements are available on this site; choose Annual Reports from the menu.
Special Projects or Initiatives
Enhancements to the financial system, business process updates or changes, and other efforts are managed using a standard project process. When major initiatives are underway, information about the effort will be distributed to the University community and posted on this website.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires the University of Minnesota to implement safeguards to ensure the security and confidentiality of certain non-public customer information. The Safeguards Rule protects certain private information identifiable to individuals that is obtained when the University offers or delivers a financial product or service to them. The University must develop, implement, and maintain a comprehensive information security program containing administrative, technical, and physical safeguards that are appropriate to the University's size, complexity, and the nature of its activities. The following materials are provided for training and education purposes.
How does the University comply with the GLBA Safeguards Rule?
This document describes how the University complies with the GLBA Safeguards Rule. All units that handle or maintain covered data must follow the Information Security Program.
How do I know if my unit handles or maintains information that is protected under the GLBA Safeguards Rule? If so, what am I required to do under the University’s Information Security Program in relation to this data?
The following documents can help you determine if you handle or maintain customer information protected under the GLBA Safeguards Rule, and if so, what steps you must take to safeguard that data.
- GLBA Safeguards Rule Decision Tree
Use this chart to determine if your unit handles or maintains customer information that must be protected under the GLBA Safeguards Rule.
- GLBA Compliance Guidance and Certification Form
To be completed annually by colleges and administrative units that handle or maintain covered customer information. Submit to the Controller’s Office.
Understanding more about the GLBA Safeguards Rule: additional information and examples
The following documents provide an overview of the GLBA Safeguards Rule regulation as well as examples of financial services or products and a reference guide of in-scope and out-of-scope activities.
- GLBA: Implementation of the Safeguards Rule
This document provides information regarding current and future exposure to and compliance with the law.
- GLBA Safeguards Rule: Examples of Financial Services or Products
Most University departments will not have exposure to the Safeguards Rule. However, units should review this list of activities that can subject a department or program to the law, and examples of customer information that must be protected.
- GLBA Safeguards Rule: Reference Guide
This chart provides examples of in-scope and out-of-scope activities at the University.
- Complying with the Safeguards Rule
Guidance document provided by the Federal Trade Commission.
Payment Card Industry Data Security Standard (PCI DSS)
University of Minnesota departments that accept payment cards (credit or debit cards) as a form of payment for goods and services are contractually obligated to follow the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The standard comprises 12 requirements that are organized in 6 related groups or "control objectives" to protect cardholder data wherever it resides, ensuring that sensitive payment card information is handled safely and a high information security standard is maintained. A copy of the PCI DSS can be found on the Payment Card Industry Security Standards Council (PCI SSC) website.
How does the University comply with the PCI DSS?
This document describes how the University complies with the PCI DSS. All units that handle or maintain customers' cardholder data must follow the Payment Card Program.
How do I know if my unit handles information that should be protected by the PCI DSS? If so, how do I comply with the PCI DSS?
If your department or unit wishes to accept payment cards (credit or debit) as a method of payment from your customers, you must meet University policy, state and federal laws, contractual obligations, and rules of the University's banks and financial institutions. This includes meeting compliance with the PCI DSS. Additional information can be found within the policies and procedures below.
I’d like to understand more about the PCI DSS. Where can I locate additional training, examples and resources?
Payment Card Account Forms & Documents
- UM 1609 Payment Card Account (PCA) form
- UM 1623 Employee Non-Disclosure Form
- UM 1624 Department Payment Card Manager Form
- UM 1634 Incident Response and Continuity Plan
- Cardholder Data Flow Charts (zip)
- Payment Card Inventory List (Template)
- Payment Card Manager Compliance Certification form (docx)
- Payment Card Operational Procedures (Template)
- Payment Card Terminal Disposal Form
- Payment Card Terminal Loan Program Application Form
- Payment Card Terminal Order Form
- Payment Card Terminal Inspection Log
Payment Card Account Resources
- Keep It Secure
- Understanding PCI DSS Compliance Brochure
- Safeguard Against Skimming
- Quick Reference Guide - PCI DSS Version 3.2.1
- PCI DSS Glossary of Terms and Definitions Version 3.2
- PCI DSS Version 3.2.1
- Terminal Review - 6Ss
SAQ and Compliance Documentation Guidance
Authorize.net Guidance Documentation
Identity Theft Prevention Program: Red Flags Rule
The Red Flags Rule (RFR) requires the University to implement a written identity theft prevention program designed to detect the warning signs (or "red flags") of identity theft in day-to-day operations. Each unit that handles covered accounts must develop reasonable policies and procedures to identify, detect, and respond to red flags in their area. The regulation includes additional responsibilities for users of consumer reports and units that issue credit or debit cards (including certain declining balance cards such as Gopher Gold). Read more about Fighting Fraud with the Red Flags Rule in this information provided by the Federal Trade Commission (FTC).
The Controller’s Office provides oversight for the University’s Identity Theft Prevention Program. The following materials are provided in support of this role.
How does the University comply with the Red Flags Rule?
- University’s Identity Theft Prevention Program
This document describes how the University complies with the Red Flags Rule. All units that handle covered accounts must comply with the guidelines described in this Program.
- RFR Certification of Compliance Form (annual completion required)
Colleges and administrative units that must comply with one or more sections of the Red Flags Rule must annually complete and submit this form to the Controller’s Office.
How do I know if my unit handles accounts that are protected under the Red Flags Rule? If so, how do I comply with our Identity Theft Prevention Program?
- RFR Self-Identification Questionnaire
This four-question form helps you decide quickly if your area is in-scope.
- RFR Compliance Guidance
Use this document to determine which sections of the Red Flags Rule apply to your area and how to comply.
- RFR Department Identity Theft Prevention Plan
This document offers a starting point for in-scope units to identify the processes and procedures that ensure compliance. It is good business practice to document the processes and procedures employees are expected to follow. Units are encouraged to build on or reference existing practices.
- FTC Examples of 26 Red Flags
Guidance information provided by the Federal Trade Commission (FTC).
- Incident Log (Optional)
This optional template may help you track identity theft attempts or incidents in your area that could suggest a need for changes to your processes or procedures. Completion is not required.
The Controller's Office works closely with:
- Office of Human Resources
- Office of Information Technology
- Sponsored Projects Administration
- U Market Services
- Certified Approver Community of Practice
- Financial Management Advisory Committee (FinMAC)
- Financial Systems User Network (FSUN)
- Other University Finance units
- And all those with finance-related responsibilities or in finance positions across the University.