Financial Information Security
It is the policy of the University to comply, and to require its employees, student workers, volunteers, and other agents to comply, with all applicable federal, state, and local laws and regulations, as well as University policies and procedures, governing information security, confidentiality, and privacy. The Program incorporates, voluntarily and by reference, existing University or department policies and procedures that address the security and confidentiality of data encompassed by the definition of "covered data and information" below, and is in addition to any University or department policies and procedures required under other federal and state laws and regulations.
This policy applies to all employees of Washington and Lee University.
Non-public customer personal information means any personally identifiable financial information, not otherwise publicly available, that the University has obtained from a student, student parent or spouse, employee, alumnus, or other third party, in the process of offering a financial product or service, OR such information provided to the University by another financial institution, OR such information otherwise obtained by the University in connection with providing a financial product or service. Offering a financial product or service includes such activities as student loans, employee mortgage loans, employee educational grants, and other miscellaneous financial services as defined in 12 CFR Section 225.28. Examples of personally identifiable financial information include names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, tax returns, asset statements, and social security numbers, in both paper and electronic form.
Publicly available for the purpose of this Program means information that W&L has a reasonable basis to believe is lawfully available to the general public from government records, widely distributed media, or disclosures to the general public required under law. Examples of publicly available financial information include, but are not limited to, listings in telephone and online directories and financial information contained in recorded deeds of trust, judgments, or liens.
Covered data and information for the purpose of this Program includes non-public customer personal information required to be protected under the Gramm-Leach-Bliley Act (GLBA). In addition to this required coverage, W&L chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University, whether or not such financial information is covered by GLBA. Covered data and information includes both paper and electronic records.
The Gramm-Leach-Bliley Act (GLBA), together with an implementing "Safeguards Rule" issued by the Federal Trade Commission, regulates the security and confidentiality of non-public customer personal information collected or maintained by or on behalf of financial institutions or their affiliates. To the extent that Washington and Lee University (W&L or the University) is classified as a financial institution under GLBA, by virtue of processing or servicing student or employee loans, or offering other financial products or services, W&L has established this Financial Information Security Program (Program) to assure compliance with GLBA's financial information security provisions and the Safeguards Rule. As required by the Safeguards Rule, the Program is designed to provide for the security and confidentiality of non-public customer personal information, protect against anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to a customer.
Elements of Program
1. Designation of the Information Security Program Coordinator and the Committee
In order to comply with GLBA, the Provost has designated an Information Security Program Coordinator (Coordinator) to be responsible for coordinating and overseeing the Program. The Coordinator is presently the University Registrar. The Provost has also designated an Information Security Program Committee (Committee) to work closely with the Coordinator in carrying out the elements of the Program, which is now an element of the University's broader Information Security Program. The Committee reports to the Provost and initially includes an administrator from each of the following offices and departments whose operations are likely to be most significantly impacted by this Program: Business Office, Development (law and undergraduate representatives), Financial Aid, Human Resources, Information Technology Services (law and undergraduate representatives), Student Affairs, Vice President for Finance and Administration / Treasurer, and the Coordinator. The Provost may add representatives from other offices and departments, as s/he deems appropriate. The Office of General Counsel will work closely with the Coordinator and the Committee and will serve as a resource on all elements of the Program.
2. Risk Identification and Assessment
Each University office or department handling covered data and information, as identified by the Coordinator and the Committee, will take steps to identify and assess internal and external risks to the security, confidentiality, and integrity of covered data and information that could result in the unauthorized access, disclosure, misuse, alteration, destruction or other compromise of such information.
The risk assessment should (at a minimum) include consideration of risks, and current safeguards to manage those risks, to covered data and information in each relevant aspect of University operations, including: employee, student worker, and volunteer training and management regarding access to and use of such information; information systems (including network and software design, as well as information processing, storage, transmission and disposal for both paper and electronic records); and detecting, preventing and responding to attacks, intrusions, or other system failures (including data processing and telephone communication), as well as contingency planning and business continuity.
The Coordinator and the Committee, with the assistance of the Office of General Counsel, will establish procedures for identifying and assessing risks in each relevant area of the University's operations outlined above. The Coordinator will delegate the risk identification and assessment to the appropriate individual(s) within each affected office or department, who will be that office's contact person with the Coordinator and the Committee.
3. Design, Implementation, and Monitoring of Safeguards
Each affected office or department will design, implement, and maintain such administrative, technical, and physical safeguards as are necessary to control the risks identified through risk assessment, and will regularly monitor the effectiveness of such safeguards. Each office should design and implement safeguards in accordance with the nature and scope of that office's activities and the sensitivity of the covered data and information at issue. The contact person for each such office must provide information regarding such safeguards to the Coordinator and the Committee.
The Coordinator and the Committee, with the assistance of the Office of General Counsel, will provide guidance on appropriate safeguards to all affected offices and departments, and will work with individual offices as requested or appropriate in the design, implementation, and documentation of safeguards.
4. Oversight of Service Providers and Contract Assurances
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for non-public customer personal information. In addition, W&L will, as a matter of policy, take reasonable steps to select and retain service providers who maintain appropriate safeguards for other covered data and information, whether or not required under GLBA. A "service provider" is any person or entity that receives, maintains, processes, or otherwise is permitted to access covered data and information through its provision of services directly to W&L. While contracts entered into prior to June 24, 2002 are grandfathered under GLBA until May 2004, the Office of General Counsel will develop standard, contractual provisions applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. All relevant future contracts between W&L and these service providers should contain these provisions. Any deviation from these standard provisions will require the prior approval of the Office of General Counsel.
5. Periodic Review and Adjustment of Program
GLBA requires that this Program be subject to periodic review and adjustment. The most frequent of these reviews will likely occur within Information Technology Services, whose operations involve constantly changing technology and constantly evolving risks. Processes in other relevant offices of the University should also be reviewed regularly, particularly as appropriate to any operational changes that may have a material impact on the Program. The Coordinator and the Committee will review the Program itself periodically to assure ongoing compliance with GLBA and the Federal Trade Commission Safeguards Rule, as well as consistency with other existing and future laws and regulations.
Original draft: May 15, 2003
Approved by Provost H. Thomas Williams, September 15, 2003
Revisions: October 12, 2003; January 26, 2010 to update titles, reflect changes in practice, and note incorporation into the broader Information Security Program.